From | To | Subject | Date/Time
Virus | All | NSA DoublePulsar malware has infected 36,000 computers | May 10, 2017 12:06 AM
From: Virus Guy <Virus@Guy.C0M>

NSA DoublePulsar malware has infected 36,000 computers

http://techgenix.com/nsa-doublepulsar-malware...

A report by BleepingComputer's Catalin Cimpanu, using research from the cybersecurity firm Below0Day, has identified a large number of infections stemming from an NSA-developed malware downloader. Called DoublePulsar, the malware was first identified in the most recent Shadow Brokers dump of "implants."

DoublePulsar functions as a malware and exploit downloader. Once it infects a system, DoublePulsar then begins to download and install various powerful strains of malware via exploits. Such exploits created by the NSA that are found in DoublePulsar include EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, or EducatedScholar.

https://www.bleepingcomputer.com/news/securit... ith-nsas-doublepulsar-malware/

These exploits target, as was pointed out by Cimpanu, SMB port 445 connections related to Microsoft Windows. Microsoft, to its credit, did in fact release patches to block the NSA malware from utilizing exploits. The problem is, however, that security researchers at Below0Day discovered numerous computers already infected with DoublePulsar.

To discover the DoublePulsar infection, Below0Day researchers scanned roughly 5.5 million externally exposed SMB ports that, if their Windows OS is unpatched, would be susceptible to the malware. Next, the team took those IP addresses used in the initial scan and utilized a tool created by Luke Jennings of Countercept. As explained by Jennings, the tool is "a set of python2 scripts for sweeping a list of IPs for the presence of both SMB and RDP versions of the DoublePulsar implant."

https://github.com/countercept/doublepulsar-d...

Upon utilizing this tool, Below0Day uncovered over 36,000 computers that had been infected with DoublePulsar. Of these 36,000-plus infections, the majority of them were in the United States.

See the below images from Below0Day to find both an example of the scan results, as well as an in-depth graph showing the countries most affected by DoublePulsar.

http://techgenix.com/tgwordpress/wp-content/u... rt.jpg

(interestingly, none appear to be in Canada)

Some have taken me to task in my frequent critiques of government hacking operations. As a journalist, I am used to calls of treason or, as happened recently much to my amusement, being accused of working as a Russian operative. At the end of the day, however, my strong critiques stem from an InfoSec perspective. As seen from empirical evidence, the various NSA hacking tools (in this case DoublePulsar) have fallen into numerous hands, most certainly including black-hat hackers.

In its reckless deployment of malware that nobody should have in their possession, the NSA has placed the entire world at risk for a powerful set of cyberattacks. The NSA's main mission is reconnaissance of all kinds, especially sensitive data (which is obtained at all costs, civil liberties be damned). With this in mind, imagine just how deeply compromised a system can become if these tools fall into the wrong hands.

While the NSA swears that it is simply trying to protect the United States, the greatest irony is that the majority of the 36,000 DoublePulsar infections were based in America. I doubt this was the NSA's doing based on the IP addresses used, but rather black hats who illegally obtained the malware. The NSA, and all other entities in the global intelligence community, must rethink how they obtain information in the digital age.

--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)