Memset Security have noticed an increase in SMB-related compromises of Windows servers that have SMB (port 445) open to the public. This follows the Shadow Brokers' publication of an exploit kit alleged to have come from the NSA.
Whilst every exploit in the Shadow Brokers leak deserves attention, what we have actually found on numerous compromised Windows servers is the DoublePulsar backdoor. DoublePulsar is a kernel-mode implant that the leaked SMB exploits install on a vulnerable host. It lives only in memory (a reboot removes the implant itself, but not whatever the attacker loaded through it) and it answers a specific SMB request from the attacker, who can then use it to push further DLLs or shellcode into the server without touching the disk, including:
- rootkits that can turn your server into a botnet member
- keyloggers and data exfiltration systems to steal your and your customers’ credentials and sensitive data
Fortunately, Microsoft patched the SMB vulnerabilities used by the leaked exploits before the leak was published (security bulletin MS17-010, March 2017), so the best defence is to ensure that all servers are fully patched and up to date; where a server cannot be patched immediately, disable SMBv1, which all of the leaked SMB exploits depend on. As an additional defence, we recommend that SMB (port 445) is never open to the internet and is appropriately filtered by your Memset or local firewall. A server that was reachable on port 445 while unpatched should be checked for the DoublePulsar implant (for example with nmap's smb-vuln-ms17-010 and smb-double-pulsar-backdoor scripts) rather than assumed clean once the patch is applied.
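As an added example that is not part of this advisory and is not Memset's own tooling, the PowerShell script below audits one Windows server for the three controls just described (MS17-010 applied, SMBv1 switched off, TCP/445 not reachable from arbitrary addresses) and, when run with -Fix, applies the host-side fixes. The KB identifiers are the MS17-010 package numbers as published for each operating system and should be checked against the bulletin for the versions you run; the allowed source networks default to the RFC 1918 ranges as a stand-in for your own management network; the firewall rule name is arbitrary.

```powershell
# Added example (not from the Memset advisory). Run as Administrator on
# Windows Server 2012 R2 or later; the Smb* and Net* cmdlets used here are
# not available on Server 2008 R2. Assumptions: $Ms17010Kbs is the set of
# MS17-010 packages as published per OS (verify against the bulletin; later
# cumulative updates supersede them, so Get-HotFix may list none of them on a
# fully patched host, which is why srv.sys's version is also reported), and
# $AllowedSmbSources is the network your own clients legitimately use.
[CmdletBinding()]
param(
    [string[]]$AllowedSmbSources = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    [switch]$Fix
)

$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    $hits = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$hits
}

function Test-Smb1Enabled {
    # The leaked SMB exploits drive SMBv1; turning it off removes the attack
    # surface even on a host that has not yet received the patch.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Get-OpenSmbInboundRules {
    # Enabled inbound Allow rules for TCP/445 whose remote scope is "Any",
    # e.g. the built-in "File and Printer Sharing (SMB-In)" rule.
    Get-NetFirewallPortFilter |
        Where-Object { ($_.Protocol -in 'TCP', 'Any') -and
                       (@($_.LocalPort) -contains '445' -or @($_.LocalPort) -contains 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
}

$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Ms17010Installed = Test-Ms17010Installed
    SrvSysVersion    = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo.FileVersion
    Smb1Enabled      = Test-Smb1Enabled
    Smb445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    OpenSmbRules     = @(Get-OpenSmbInboundRules | Select-Object -ExpandProperty DisplayName)
}
$report | Format-List

if ($Fix) {
    if ($report.Smb1Enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Replace unscoped SMB rules with one that only admits $AllowedSmbSources.
    # With the profile default inbound action set to Block, every other source
    # is dropped at the host even if an upstream firewall lets 445 through.
    Get-OpenSmbInboundRules | Disable-NetFirewallRule
    $ruleName = 'SMB-In (trusted sources only)'   # arbitrary name (assumption)
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress $AllowedSmbSources -Action Allow -Profile Any | Out-Null
    }
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    if (-not $report.Ms17010Installed) {
        Write-Warning 'MS17-010 not found: install it (or the current cumulative update) and reboot.'
    }
}
```

Run it once without -Fix to see the report, then with -Fix once you have confirmed the allowed source networks are right, since a wrong list will cut off your own file-sharing clients. Disabling SMBv1 and scoping port 445 stop new exploitation but do not remove an existing DoublePulsar implant or anything it was used to load; the scan mentioned above still needs to be done on any server that was exposed while unpatched.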