2

NSA DoublePulsar exploit in Nepal cyberspace

All the talk of NSA hacking tool recently released by Shadow Brokers is taking the whole world and especially the cyber security community by storm. These state level hacking tools allegedly used by the NSA-affiliated equation group has been in the limelight after it has been released to the public after an unsuccessful attempt of high profile auction. This release from Shadow Brokers contains a treasure trove of hacking tools and exploits pertaining to multiple systems.

The release of this proportion containing huge numbers of zero-day exploits has made high powered hacking tools easily accessible to malicious actors and script kiddies. The presence of such powerful tools in the hands of malicious actors and threat agents is a serious risk to computer systems. The use of these tools for exploitation has been increasing exponentially as expected. Increasing amount of devices exploited using these exploits have been detected in international cyberspace.

DOUBLEPULSAR a stealthy kernel-mode payload used as the default implant payload for multiple windows based exploit infects the RDP and SMB services. This implant can be detected with a python script developed by Countercept. The number of devices infected can help us gauge the use of the exploits. According to Below0day, 56,586 hosts with DOUBLEPULSAR SMB implant were detected in the international cyberspace as of April 21st.

Status of these exploits in Nepal

When we read the article from Below0day, we were curious about the effect of these exploits in Nepal cyberspace. We scanned for hosts with open SMB port and open RDP port active within Nepal. On 24th April morning, we analyzed the obtained hosts and checked them for DOUBLEPULSAR implants with the script from Countercept. We found 14 hosts infected with DOUBLEPULSAR SMB implants within Nepal cyberspace while no hosts were found to be infected with DOUBLEPULSAR RDP implants. On our second sweep, we found an increased 17 hosts affected with DOUBLEPULSAR SMB implants and the result with DOUBLEPULSAR RDP implants was the same as before. This number is quite foreboding as it is almost 10% of the vulnerable host present in Nepal cyberspace and we can be sure the numbers will increase in future scans.

SMB implant detected

This is a representation of how the Nepal cyberspace is affected by newly emerging threats. With ever increasing number of infections and many such exploits in the wild, we should be careful and take protective steps. Microsoft has released security patches to address many of the security holes exposed by these 0day exploits. Be sure to patch your system keep your systems updated. But as with the case of similar previous exploits, we can be sure to observe the presence of these exploits for a long time to come. So, the effect of these exploits is far-reaching and persistent.