One of the NSA hacking tools released in the Shadow Brokers leak earlier this month is already being used by hacking groups to infect almost a quarter of a million computers, the Swiss security company Binary Edge reports.
Called Doublepulsar, this malicious implant is a downloader: it acts as an intermediary that fetches more potent malware onto the infected host computers.
IT security expert Tiago Henriques of Binary Edge told Radio Sputnik that the Shadow Brokers hack consisted of vulnerabilities identified by the NSA and implants developed by the NSA, both of which are now being exploited by hacking groups.
“The exploits are the vulnerabilities that were released a couple of weeks ago that NSA had, that affected multiple versions of the Windows operating system. Then there are the implants, which is what hackers leave after they have exploited those vulnerabilities,” Henriques explained.
“Doublepulsar, in this case the one we’re scanning for, is an implant that has been deployed on many machines.”
According to Binary Edge, as of April 25, 243,894 machines had been infected. If personal computer users are compromised, their systems could be used as part of a botnet to attack other websites, or to steal the users’ financial details.
“In the case of organizations, those machines are actually a bit more dangerous because when they get compromised they can be used as a bridge into an internal network to attack other machines internally.”
The most important thing users can do to prevent such an attack is to update their system with the latest version of their software.
“Unfortunately for some companies, (for example) banks that transfer entire GDPs of countries across their networks in a day, it’s very hard to just update because these are very critical systems and if they go down or something goes wrong with the update, it causes a huge business impact.”
“If you are a home user, upgrade to the latest software and of course properly configure your firewalls. If you are exposing a service to the internet, allow only specific addresses to connect to that service, instead of the entire internet.”
The critical vulnerabilities identified by the NSA and published by the Shadow Brokers were patched by Microsoft in March, so users with up-to-date systems should be protected.
While the systems of home and small-office users were probably updated automatically, larger organizations may be at risk because administrators test the updates for compatibility with intranets and other internal systems before deploying them, which delays installation.
While the leak of NSA hacking tools raises concerns about hacking by the intelligence services, ordinary people are also at risk of attacks from hackers who are unconnected to the spy agencies but are using the leaked tools, Henriques said.
“It’s important for the public to understand that it doesn’t necessarily mean you’re being targeted by the NSA. You might be targeted by hacker groups using the tools of the NSA, which would make sense because these tools are beautifully designed from a security perspective.”
“They’re hard to detect, they do their job well, and they’re very much point-and-shoot in the sense that they’re easy to use, so it makes sense that other hacker groups are using them to do mass-scale attacks.”