Number of Systems Infected with NSA Implant Rises After Shadowbrokers Dump
Several security researchers report a rising number of infections with an NSA implant that the Shadowbrokers released last week as part of a larger collection. The implant in question is known as Doublepulsar.
The Register writes that the Doublepulsar backdoor is installed using the Eternalblue exploit, which was also part of the Shadowbrokers dump. Researcher Dan Tentler told the site that he recently identified about 15,000 infections through a Shodan search. Researcher Robert Graham says a more thorough search identified about 41,000 infections.
Microsoft already released a patch in March for the vulnerability used by Eternalblue. However, this does not mean that all vulnerable systems have installed the patch. Old versions of Windows, such as XP and Server 2003, will no longer receive the security update and therefore remain vulnerable. Tentler estimates that some script kiddies started infecting systems after the Shadowbrokers dump was released, which is fairly straightforward to do.
Compromised systems can be used, among other things, to send spam, spread malware or carry out DDoS attacks. A large number of the infected systems are located in the United States. Affected systems can be identified by their response to a specific ping on port 445. Security company MWR InfoSecurity recently published an analysis of Doublepulsar.