When we reported on the NSA's hacking tools last week, Microsoft confirmed an investigation and later said the exploits had been patched since March. However, while the Shadow Brokers leak has shed light on an important issue, it also puts the tools in the hands of anybody who wants to use them.
Following the release, hackers from around the world have been looking to exploit the vulnerabilities, and they've been pretty successful. Phobos Group founder Dan Tentler told The Register today that a growing number of boxes on the public internet have the NSA's DOUBLEPULSAR implant installed.
Over 15,000 Infected Devices
Despite Microsoft's efforts, many users still haven't updated their machines. While the latest Windows 10 is safe, Windows 7, 8.1 and Vista require intervention, and XP and Server 2003 users won't find a fix at all. A preliminary scan reveals more than 15,000 infected hosts, and the number is growing.
“The polite term for what’s happening is a bloodbath,” said Tentler. “The impolite version is dumpster fire clown shoes shit show. I’m hopeful this is the wakeup moment for people over patching Windows machines.”
The NSA's priority is stealth, so it is no surprise that DOUBLEPULSAR is difficult to detect. However, an infection can be confirmed from how a host answers a specially crafted SMB request on TCP port 445, and statistics from other researchers using that check paint an even worse picture.
Tests by Below0Day show over 30,000 instances, while others put the figure as high as 41,000. While it's unclear how many are false positives, it's clear that this problem will only grow. Some of the affected machines are hosted on Amazon's AWS and Microsoft Azure, but the largest concentrations were hosts in India, Italy, and the US.
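The port-445 check described above works because the implant changes one field in an otherwise ordinary SMB reply. The following is an added example, not code from the article, from Tentler or from Below0Day: it parses a raw SMB1 message as received on TCP/445 and classifies the reply to the detection probe using the publicly documented DOUBLEPULSAR signature (the probe, a Trans2 SESSION_SETUP, carries Multiplex ID 0x41; a clean SMB stack echoes 0x41, the implant answers with 0x51). The sample packets are constructed here for the demonstration; a real scanner would first complete the SMB negotiate, session setup and tree connect with the host and then feed the Trans2 reply bytes to `classify_trans2_response`. The handshake itself is outside this example.

```python
import struct

# An SMB1 message on TCP/445: a 4-byte NetBIOS session header (type byte plus a
# 3-byte big-endian length) followed by the 32-byte SMB1 header.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002

# Publicly documented DOUBLEPULSAR signature: the detection probe is a Trans2
# SESSION_SETUP sent with Multiplex ID 0x41. A clean SMB stack echoes 0x41 back;
# the implant hooks that request and answers with Multiplex ID 0x51.
MID_PROBE = 0x41
MID_IMPLANT = 0x51

HEADER_FMT = "<BIBHH8sHHHHH"                 # SMB1 header fields after the 4-byte magic
HEADER_LEN = 4 + struct.calcsize(HEADER_FMT)  # 32 bytes


def parse_smb1_header(payload: bytes) -> dict:
    """Parse the NetBIOS session header and SMB1 header of a raw 445/tcp message."""
    if len(payload) < 4 + HEADER_LEN:
        raise ValueError("packet too short for an SMB1 header")
    nb_type = payload[0]
    nb_length = int.from_bytes(payload[1:4], "big")
    if nb_type != 0x00 or nb_length != len(payload) - 4:
        raise ValueError("bad NetBIOS session header")
    smb = payload[4:4 + HEADER_LEN]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    (command, status, flags, flags2, pid_high, signature,
     reserved, tid, pid, uid, mid) = struct.unpack(HEADER_FMT, smb[4:])
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "signature": signature, "tid": tid, "pid": (pid_high << 16) | pid,
        "uid": uid, "mid": mid,
    }


def classify_trans2_response(payload: bytes) -> str:
    """Classify the reply to the DOUBLEPULSAR detection probe.

    Returns 'infected', 'clean' or 'unexpected'. 'unexpected' covers anything
    that is not a Trans2 reply or carries a Multiplex ID other than the two
    documented values, so the scanner never reports a guess as a result.
    """
    try:
        hdr = parse_smb1_header(payload)
    except ValueError:
        return "unexpected"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr["mid"] == MID_IMPLANT:
        return "infected"
    if hdr["mid"] == MID_PROBE:
        return "clean"
    return "unexpected"


def build_sample_response(mid: int) -> bytes:
    """Construct a minimal Trans2 reply with the given Multiplex ID (constructed test data)."""
    smb = SMB_MAGIC + struct.pack(
        HEADER_FMT, SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED,
        0x98, 0xC807, 0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    smb += b"\x00" + b"\x00\x00"  # WordCount = 0, ByteCount = 0: empty reply body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for label, sample in (("clean host", build_sample_response(MID_PROBE)),
                          ("implanted host", build_sample_response(MID_IMPLANT))):
        print(f"{label}: {classify_trans2_response(sample)}")
```

The three-way result is deliberate: a host that answers with neither Multiplex ID (or with something that is not SMB1 at all) is reported as unexpected rather than clean, which is the difference between a scan that confirms a patch rollout and one that silently miscounts, the very false-positive problem the researchers above flag.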
Thankfully, many businesses are untouched due to strict update policies. However, it only takes one weak link to cause mayhem, so you should really think about applying MS17-010 if you haven’t already.