Update: The number of compromised hosts with "DoublePulsar" installed is now reported to be more than 200 000 machines. Initial scanning with Shodan on Thursday April 20th showed around 15 000 systems compromised with "DoublePulsar". Update: Multiple reports confirm that the leaked tools are being used to exploit and compromise machines and networks. Although some of the techniques are not new, they are now gathered together and include documentation that enables any threat actor to attack with advanced capabilities. The tools include advanced capabilities for hiding backdoors, control channels and installed utilities, along with deleting single records within log files and changing timestamps. The data includes a playbook on how an advanced attacker can compromise networks, maintain persistence and remain undetected. While the exploits and attack tools are important for building detection capabilities and mitigation strategies that reduce the attack surface, the additional data and tools in the dump may be of even greater concern.
The data from the dumps seems to be from 2013 and earlier and therefore does not appear to include any ready-to-use exploits against Windows 10 or Windows Server 2016. Argus Managed Defence, mnemonic's Managed Detection and Response (MDR) service, detects most of the disclosed attacks and has had signatures in both its log analysis and network detection services for quite some time. The Argus Continuous Vulnerability Monitoring service (part of the Argus Managed Defence suite) also detects systems compromised by "DoublePulsar". Most of the vulnerabilities in the published dumps were patched by Microsoft in March 2017. The dumps contain several vulnerabilities that can be used to target Windows operating systems ranging from Windows XP to Windows Server 2016. They include vulnerabilities, tools, operational notes from (allegedly) the NSA and a framework for running exploits and building malware. On the 14th of April the group made three more data dumps available. These included several tools and vulnerabilities for attacking Linux and other Unix-based operating systems and applications.
On April 8th, 2017, The Shadow Brokers published the password for one of the encrypted dumps that was made public last year.
Last year a group named "The Shadow Brokers" attempted to auction a data dump allegedly originating from the NSA. The actor behind the tools and exploits has also been called "Equation Group". At the time, the group was not able to sell the dump at its desired price. The dump consisted of multiple tools and information about vulnerabilities for a wide range of applications and operating systems.

Update: Added update to summary regarding the Petya/NotPetya/GoldenEye ransomware spreading. For more information about this, please visit our latest advisory here. Update: Added update to summary regarding the WannaCry ransomworm that spread across the Internet on Friday May 12th by leveraging the EternalBlue exploit. Updated summary to reflect that Argus Continuous Vulnerability Monitoring (part of the Argus Managed Defence suite) customers will now receive notifications if any of their internal or external systems have "DoublePulsar" installed. Update: Added update that the number of compromised hosts with "DoublePulsar" installed is now reported to be more than 200 000 machines. Update: Added update to summary that, as of, approximately 15 000 systems have been observed to be compromised with "DoublePulsar". Update: Added CVE details to exploits (where available), new exploits, updated descriptions, updated summary, added references. Update: Confirmed observations of ransomware distribution leveraging the leaked NSA exploits. Update: Added new tools and 0-days against Solaris, Red Hat, Avaya Call Server and Samba.