Slashdot Mirror


NSA's DoublePulsar Kernel Exploit a 'Bloodbath' (threatpost.com)

msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.

4 of 187 comments

  1. Re: I work for a medical billing software... by Anonymous Coward · · Score: 1, Informative

    Excuse me, but you could put a 35 dollar raspberry pi as an inline firewall and essentially block the outgoing and incoming traffic.

  2. TCP port 445 screening, Metasploit, Alert Logic by raymorris · · Score: 3, Informative

    A first-pass screening test is to see if TCP port 445 is open. Most hosts will have 445 blocked by the firewall, thereby providing a degree of protection for the vulnerable SMB.

    If 445 is open, that does not mean the host is compromised, but it is likely to be vulnerable. This Metasploit module is one check that can be run:

    https://github.com/rapid7/meta...

    More information can be found on the Alert Logic blog and our various teams will continue to post there and elsewhere as more information is made available.
    https://www.alertlogic.com/res...

    I know Alert Logic has other resources posted elsewhere, but unfortunately I don't know the exact URLs off hand. My team sends technical details to another team, who aggregates it with information developed by other teams, then they forward it to the PR people who post it for you to read, with other, more detailed information provided to customers. So personally I only know where I send the information internally, but not where you can read all of it.
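The first-pass screening raymorris describes (is TCP 445 reachable from where you stand?) is simple enough to script for an inventory of your own hosts. The following is an added example, not code from the comment, from Alert Logic or from Metasploit; it assumes you have a list of hostnames or addresses you are authorised to check (the host list and the `screen_hosts` / `port_open` function names are this example's own). It only tests whether a TCP connection to 445 completes; it does not speak SMB and says nothing about whether MS17-010 is installed.

```python
import socket
from contextlib import closing

SMB_PORT = 445  # TCP port used by SMB over direct-hosted TCP


def port_open(host, port=SMB_PORT, timeout=1.0):
    """Return True if a TCP connection to host:port completes within `timeout` seconds.

    A False result covers both 'closed' (RST) and 'filtered' (no answer within the
    timeout), which is exactly the first-pass distinction the comment is after:
    a firewall in front of the host, or no listener at all.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except (OSError, socket.timeout):
        return False


def screen_hosts(hosts, port=SMB_PORT, timeout=1.0):
    """Split hosts into those with the port reachable ('exposed') and the rest ('filtered').

    'exposed' means only that SMB is reachable and the host needs a patch-level
    check (for example the Metasploit module linked above); it is not evidence of
    compromise.
    """
    result = {"exposed": [], "filtered": []}
    for host in hosts:
        bucket = "exposed" if port_open(host, port, timeout) else "filtered"
        result[bucket].append(host)
    return result


def self_check():
    """Exercise port_open offline against a local listener, then against the same port once closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))  # ephemeral port picked by the OS
        srv.listen(1)
        local_port = srv.getsockname()[1]
        while_listening = port_open("127.0.0.1", local_port)
    # listener is closed now, so the same port should refuse the connection
    after_close = port_open("127.0.0.1", local_port)
    return while_listening, after_close


if __name__ == "__main__":
    # Constructed host list for illustration; replace with hosts you are allowed to check.
    inventory = ["127.0.0.1", "192.0.2.10"]  # 192.0.2.0/24 is documentation space (RFC 5737)
    print(screen_hosts(inventory, timeout=0.5))
    print("self-check (listening, closed):", self_check())
```

Run it with a short timeout against an internal host list and treat every entry under `exposed` as a host that must be patch-verified; hosts under `filtered` have passed only this coarse check, and a host reachable on 445 from inside the network may still be blocked at the perimeter, so run the screen from where the threat model says the traffic would originate.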

  3. MS08-067 Still Out There? by aster_ken · · Score: 4, Informative

    Who the hell is still using operating system software that hasn't been patched since October 2008? And even then, only one of the affected operating systems (Windows Server 2008) is still receiving security updates. If there are public-facing Windows 2000, Windows XP, and Windows Server 2003 machines still in the wild, I'd go so far as to say those companies deserve to be compromised.

  4. Re:I work for a medical billing software... by thegarbz · · Score: 1, Informative

    Why do you have Windows hosts on the public-facing Internet??? WHY WOULD YOU DO THAT PROFOUNDLY STUPID THING?!???!?

    Because the meme that security is gained by not using Windows is just that, and sensible people realise that just because it isn't Windows doesn't mean you're secure?