Recent reports indicate a new wave of footprinting and implantation by a modified version of DoublePulsar, an alleged NSA tool leaked by the Russian-affiliated Shadow Brokers. This research indicates that malicious actors are actively probing for and exploiting Windows embedded systems, or Windows IoT, a version of Microsoft Windows designed to run on smaller devices with less powerful processors.
Based on previous JASK research into EternalBlue/DoublePulsar, server message block (SMB) services are actively targeted for the mass exploitation of vulnerable devices, with a backdoor usually being implanted on victim machines. 2017 Internet scanning reports indicated more than 300K infected machines.
This new modification of DoublePulsar adds the capability to exploit a significant number of previously untargetable Windows IoT devices, which can then be added to malicious actors' resources in order to pursue further criminal activity. The screenshot below shows a large number of potentially vulnerable SMB 1 hosts; the addition of Windows IoT devices significantly increases the number of potentially vulnerable devices.
Figure 1 shows a Shodan search for SMB 1 Windows hosts.
Below is a simple replication of DoublePulsar implantation, this time using Windows 7 Embedded (POSReady7) as the target and Fuzzbunch as the framework.
Figure 2 shows the lab target, Windows 7 POS Embedded.
The next screen capture shows how Fuzzbunch successfully uses EternalBlue to exploit the target and implant the DoublePulsar backdoor. This backdoor allows malicious actors to execute further post-exploitation payloads.
Figure 3 shows successful EternalBlue exploitation.
Figure 4 shows successful Fuzzbunch DoublePulsar detection.
JASK SpecOps recommends scanning for, detecting and patching any exposed Windows IoT device, as it is at risk of immediate exploitation. A number of "how to's" are publicly available on the Internet, which will facilitate adoption by malicious actors and drive exploitation.
The JASK Research team has previously produced a very detailed outline of how ASOC can detect EternalBlue exploitation and DoublePulsar infection. Below is an example of SMB exploit detection via ASOC investigation features.
Figure 5 shows potentially suspicious SMB commands in ASOC Investigator (Zeppelin).
Figure 6 shows devices executing potentially suspicious SMB commands in ASOC Investigator (Zeppelin).
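The same kind of SMB command triage, as an added example that is not JASK or ASOC code: it runs three checks over a constructed SMB command log (the CSV columns, the 10.0.0.0/8 monitored range and the sample records are assumptions for this example), flagging SMBv1 negotiation from external sources, Trans2 SESSION_SETUP requests (the DoublePulsar command channel) and the Trans2 reply with Multiplex ID 0x51 that an implanted host returns to a 0x41 ping.

```python
import csv
import io
import ipaddress

# Constructed sample, not real telemetry. Columns are assumptions for this
# example: ts,src,dst,dialect,command,subcommand,mid (mid = SMB Multiplex ID).
SAMPLE_SMB_LOG = """\
ts,src,dst,dialect,command,subcommand,mid
1,10.0.0.5,10.0.0.20,SMB 2.1,NEGOTIATE,,1
2,10.0.0.5,10.0.0.20,SMB 2.1,CREATE,,2
3,198.51.100.9,10.0.0.31,NT LM 0.12,NEGOTIATE,,1
4,198.51.100.9,10.0.0.31,NT LM 0.12,TRANS2,OPEN2,2
5,198.51.100.9,10.0.0.31,NT LM 0.12,TRANS2,SESSION_SETUP,65
6,10.0.0.31,198.51.100.9,NT LM 0.12,TRANS2_RESPONSE,SESSION_SETUP,81
7,203.0.113.4,10.0.0.40,NT LM 0.12,TRANS2,SESSION_SETUP,65
8,10.0.0.40,203.0.113.4,NT LM 0.12,TRANS2_RESPONSE,SESSION_SETUP,65
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed monitored range
SMB1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"}
DOUBLEPULSAR_PING_REPLY_MID = 0x51  # implant answers a 0x41 ping with MID 0x51


def classify(row):
    """Return a finding tag for one SMB command record, or None if benign."""
    external_src = ipaddress.ip_address(row["src"]) not in INTERNAL_NET
    if row["command"] == "NEGOTIATE" and row["dialect"] in SMB1_DIALECTS and external_src:
        return "smb1_negotiate_from_external"  # SMBv1 exposed to the Internet
    if row["subcommand"] != "SESSION_SETUP":
        return None                            # only Trans2 SESSION_SETUP matters below
    if row["command"] == "TRANS2":
        return "trans2_session_setup_request"  # DoublePulsar probe or command
    if row["command"] == "TRANS2_RESPONSE" and int(row["mid"]) == DOUBLEPULSAR_PING_REPLY_MID:
        return "doublepulsar_ping_reply"       # host confirms it is implanted
    return None


def analyze(log_text):
    """Return [(ts, src, dst, tag)] for every suspicious record (Figure 5 view)."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        tag = classify(row)
        if tag:
            findings.append((int(row["ts"]), row["src"], row["dst"], tag))
    return findings


def implanted_hosts(findings):
    """Internal hosts that answered a DoublePulsar ping: isolate and re-image first."""
    return sorted({src for _, src, _, tag in findings if tag == "doublepulsar_ping_reply"})
```

On the sample, records 3, 5, 6 and 7 are flagged and 10.0.0.31 is reported as implanted, while the host in record 8 answered the ping with MID 0x41 and is therefore exposed but not yet implanted.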