Exposed NSA Backdoor Leaves Thousands Vulnerable – Is Your Firm Among Them?

Shadow Brokers, an unidentified group of hackers popped up nine months ago claiming to have stolen the secret hacking techniques of a group linked to the American NSA.  They provided some workable samples of exploits and tried to sell their treasure trove for up to 1 million bitcoins (A$72.5 billion as at 11/3/21).

When no bidders were forthcoming, they dropped the price by 99% to just 10,000 bitcoins (still 725 million as at 11/3/21).  When they still couldn’t find a buyer they threw in the towel and released their code publicly, for free on April 15th, 2017 to hackers and security researchers alike.

Since then, a number of security researchers say they have discovered that tens of thousands of devices have been infected with a particular exploit called DOUBLEPULSAR.  In fact, estimates range between 140,000 and 160,000 devices worldwide have been compromised.

DOUBLEPULSAR functions as a backdoor into compromised systems and allows attackers to inject dynamic link library (DLL) binary files of their choice into vulnerable hosts.  It means those hosts can be used for a range of nefarious activities.

Infecting a system requires exploitation of a vulnerability called ETERNALBLUE and that’s one of the exploits that Shadow Brokers released when the contents of their theft become public.

ETERNALBLUE is a critical vulnerabilty that exists in unpatched Microsoft Server 2008 R2 and Windows XP machines.  A patch has been available for a long time, but clearly many machines that are exposed to Internet are running unpatched.

The key to Invulnerability is Knowing what your Vulnerabilities are

ETERNALBLUE is the kind of vulnerability that can be picked up in Continuous Vulnerability Scanning.  In fact, this particular vulnerability has been detected by the tool we use: Rapid 7’s Nexpose, for some time, allowing it to be patched before being exploited.

It’s a great example of how continuous, automated scanning performs an important job in the background, continually identifying threats and checking them against your system configuration.

The more software we use, the more our attack surface grows.  We can’t recommend vulnerability scanning and patching highly enough.

Update: Of course, shortly after this article was published, the world experienced the WannaCry attack. Then NotPetya, then a host of others. The key to practical invulnerability centres around training staff, patching systems in a timely fashion and taking advantage of machine learning to detect suspicious variations in device and user activity and flag it for the attention of a network security team.