War begins with hackers armed with tools

By Balamurugan Selvaraj Published on Apr 26, 2017 03:57 PM IST

A few weeks back, a hacking group named 'Shadow Brokers' released thousands of NSA hacking tools for exploiting vulnerable Windows computers on the underground dark web.

The release contained exploits targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, attributed to the NSA's Equation Group, an elite cyber unit within the NSA. The hackers also released the decryption key for the exploits in an open letter to Trump, which has been shared on their official blog.

After this leak, hackers around the world started using the NSA hacking tools against vulnerable Windows computers. In the meantime, Microsoft released patches for the exploited Windows vulnerabilities, but users who didn't install the patches and users on unsupported systems remained vulnerable to hackers.

Around the world, security researchers have performed a large number of Internet scans in recent days. Among them, researchers from Binary Edge, a Switzerland-based security firm, found that "around 107,000 Windows computers have been infected by DoublePulsar. This is an NSA spy implant, which has been released as a free tool on GitHub."

Rob Graham, CEO of Errata Security, conducted a separate scan of the Internet and detected 41,000 infected Windows systems. Another set of researchers, from Below0day, detected more than 30,000 infected PCs. The majority of the infected machines were located in the United States.

HOW DOES DOUBLEPULSAR WORK?

DoublePulsar is a backdoor that is installed using the EternalBlue exploit, which targets the SMB file-sharing service on Microsoft Windows versions from XP through Server 2008 R2. Once installed, it lets the attacker run malicious code through the backdoor. The precondition is a machine running a vulnerable version of Windows with its SMB service exposed to the attacker.

Now, these hacking tools are available for everyone to download and use against any vulnerable Windows system. Once installed on a vulnerable computer, the implant can be used to deliver malware, spam online users and commit other cyber crimes. The implant hides itself in the backdoor and doesn't write any files to the infected PC. It also does not survive a reboot of the PC.

As I mentioned earlier, Microsoft has already patched the majority of the exploited vulnerabilities in affected Windows versions, but people who have not applied the patches are still in danger of being hacked by exploits such as EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread and EducatedScholar. In addition, people running old versions of Windows such as Windows XP, Windows Server 2003, and IIS 6.0 are also vulnerable to those exploits, because Microsoft has discontinued updates for those operating systems.

Researchers predicted that "there are chances that the count of computers vulnerable and unpatched against DoublePulsar may increase."

After the news of increased infection broke, Microsoft officials said, "We doubt the accuracy of the reports and are investigating."