Security researchers are sounding alarm in the wake of the Shadow Brokers' latest NSA leaks, which experts say are now being used by script kiddies to launch a wave of attacks across the globe.
The Shadow Brokers' latest leaks included exploits from an alleged NSA in-house hacker group called Equation Group. Researchers noted that one such exploit, called DoublePulsar, has been used in recent attacks and may have infected anywhere between 30,000 to 107,000 Windows computers.
Researchers say that DoublePulsar has been designed to provide attackers with a secret backdoor access to Windows systems. Researchers with cybersecurity firm Below0Day reportedly conducted an internet wide scan to determine how many Windows systems may be vulnerable to DoublePulsar. They found that nearly 5.5 million systems with port 445 exposed to external connections are vulnerable to recently-leaked alleged NSA exploits, in case they haven't already installed patches issued out by Microsoft Bleeping Computer reported.
According to Below0Day, the greatest number of infections occurred in the US, followed by the UK, Taiwan and South Korea.
"It should come as no surprise that once an exploit his been publicised that it will be used by adversaries, Cris Thomas, strategist for Tenable Network Security told IBTimes UK. "The fact that these exploits are part of the recent Shadow Brokers release is no different, so it would be a mistake to attribute this usage solely to "Script Kiddies". Organized online criminals, hacktivists, corporate espionage and even nation states will all have added these exploits to their attack arsenals."
The Shadow Brokers' latest dump, which came on April 14, is believed to come from attack tools dating back to 2013, reportedly used by the NSA's elite hacker group Equation Group. According to a report by ArsTechnica, separate scans conducted by Below0Day and Errata Security CEO Rob Graham detected that 30,000 and 41,000 machines have already been infected.
However, Microsoft is disputing these numbers. "We doubt the accuracy of the reports and are investigating," the firm said in a statement, ArsTechnica reported.
Meanwhile, the current growing consensus among the infosec community appears to be that the alleged NSA exploits leaked by Shadow Brokers are being used in the wild.
"People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could," Dan Tentler, founder of security consultant Phobos Group, told ArsTechnica. "On the part of Shadow Brokers, if their intention was to get mass infections to happen so their NSA zerodays got burned, the best [approach] is to release the tools [just before] the weekend. DoublePulsar is a means to an end."
"This is why businesses have to know every part of their network, understand their levels of exposure and prioritise security actions to where they will be most effective," Thomas told IBTimes UK. "Most organizations have visibility into around 93 percent of their computing environment, so there's plenty of room for attackers to hide in the shadows. The best way to keep your organization safe is to illuminate those dark spots on the network by continuously monitoring your environment for vulnerabilities, misconfigurations and intruders."
Security researcher going by the handle Hacker Fantastic of the British security research group Hacker House took to Twitter to write, "The lesson to be learned from leak is not that nations build cyber weapons, it's that we are not building sufficient safeguards into them."
You may be interested in:
- China hacking South Korea organisations to block missile defence efforts claim researchers
- WikiLeaks publishes user guide for CIA's TV-hacking tool first 'developed by MI5'
- US government's 'witch hunt' to unmask anti-Trump Twitter account sparks investigation
- NSA DoublePulsar malware leaked by Showdow Brokers may have infected upto 100,000 Windows computers