Slashdot Mirror


NSA's DoublePulsar Kernel Exploit a 'Bloodbath' (threatpost.com)

msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.

6 of 187 comments

  1. It's not a kernel exploit by Anonymous Coward · Score: 3, Insightful

    For fuck's sake, can we please stop calling these things 'exploits' as if Microsoft had nothing to do with it?

    These are FEATURES, people...

  2. Re:I work for a medical billing software... by Anonymous Coward · Score: 0, Insightful

    At least it sounds like you're trying. My management doesn't care that all of our Windows servers seem compromised.

  3. Re:I work for a medical billing software... by ewhac · Score: 5, Insightful

    ...I guess I have to be Doctor Obvious here:

    Why do you have Windows hosts on the public-facing Internet??? WHY WOULD YOU DO THAT PROFOUNDLY STUPID THING?!???!?

  4. Re:I work for a medical billing software... by gweihir · Score: 4, Insightful

    One reason and one reason only: It is cheaper. Well, it is cheaper in the short run. That is all that management focused on the year-end bonus is often caring about. I see it all the time. But even used internally, Windows "servers" are a constant problem; they can never compete with UNIX on maintenance cost, flexibility, reliability and performance. Sure, they are cheaper initially, but you pay for that for a long, long time. It becomes grossly obvious when you have global changes, and the Windows servers are _always_ those lagging behind or needing special exceptions and the like. Windows on the server is a "90% OS": It only has 90% of what is really needed.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  5. Use Linux servers? by TheOuterLinux · Score: 3, Insightful

    Seriously, why do people even use Window$ on servers? Any real advantage to it? It's not like the command line dark ages anymore with Linux to figure out how to do it. Tons of videos on how to set it up too. And if you want, you can set it up graphically and then run it without graphics to save resources.

    1. Re:Use Linux servers? by thegarbz · Score: 2, Insightful

      Seriously, why do people even use Window$ on servers?

      There are plenty of serious answers to this question but ultimately they're unlikely to be understood by someone with a mentality that extends to calling a product "Window$" and thinking they are clever.

      Tons of videos on how to set it up too.

      Ladies and gentlemen: How to set up an insecure Internet-facing server 101: Let's not have a clue and follow some video tutorial! Now I know where the $ came from; it's all the money that will be stolen from any server set up by those who follow your expert advice.