Amateurs are making mass use of hacking tools linked to the NSA

03 May 2017, 11:11 | Technologies

Hacking tools of the Equation Group, which is linked to the NSA, have begun to be used in attacks on ordinary users. Apparently, amateur hackers have armed themselves with these exploits. The total number of infections, according to various estimates, ranges from 15 to 41 thousand.

Serious tools fell into the hands of hacker dilettantes.

Over the past months, the hacker group Shadow Brokers has publicly released the tools of the infamous Equation Group, another hacker group that, according to security experts, could be linked to the US National Security Agency (NSA). At least two of these tools are already being actively used by amateurs to carry out attacks.

Security expert Dan Tentler, founder of Phobos Group, told The Register that he was able to identify several tens of thousands of machines showing evidence of infection with DoublePulsar, a backdoor developed by Equation. This backdoor, in turn, is installed using another tool from the same developers, the EternalBlue exploit.

This exploit targets the SMB network service in Windows versions from XP through Server 2008 R2, provided that the service is reachable from outside.

Microsoft fixed the corresponding vulnerability in SMB Server (MS17-010) in March 2017. The patch was released for Windows operating systems from Vista SP2 up to and including Windows Server 2016. Patches for XP and Server 2003 were not released, as Microsoft had already withdrawn them from support.

Scope of the problem.

According to Tentler, last Thursday a search with the Shodan.io search engine revealed more than 15 thousand infections, four fifths of which are on IP addresses in the US. With each new scan the number of infections grows. A system compromised by DoublePulsar can be identified by its response to a special ping request on port 445.

According to Tentler, the growth in the number of infections means that amateur hackers, armed with other people's tools, have begun infecting everyone around them. And 15 thousand infections is only the lower bound of the estimate: Tentler's colleague in the trade, expert Robert Graham, found more than 41 thousand infected hosts, and this is most likely not the end.

"There is nothing surprising in amateurs grabbing Equation's former 'toys'," says Ksenia Shilak, sales director of SEC-Consult Rus. "But this is a very unpleasant turn of events: an amateur armed with an effective hacking tool is more dangerous than an unarmed one. The number of successful infections is also not surprising in general: users' 'carelessness' with respect to cybersecurity is an objective factor that must be taken into account by both the cyber defense industry and software developers."

"Other people's toys".

In 2015, Kaspersky Lab published a study devoted to the Equation Group, which stated that the group "has been interacting with other influential groups for many years, for example with those behind Stuxnet and Flame, each time from a position of superiority: Equation has always had access to zero-day exploits ahead of other groups".

In August 2016 the Shadow Brokers group announced that it had managed to steal a number of Equation Group tools and tried to put them up for auction. Since no one was willing to pay for a pig in a poke, the brokers started publishing the exploits in the public domain (which suggests that distributing these tools was the brokers' main goal).

Experts who analyzed the exploits published by the Shadow Brokers agreed that Equation's malicious software is of high quality. As is easy to see, the exploits remain very effective, even though software vendors quickly released patches for all the vulnerabilities for which Equation had exploits.



