EternalPulsar — A weekend with the NSA’s finest

Emma McCall
4 min read · Apr 18, 2017


Oh boy, it’s been another fun weekend in the cyber security community. On Friday a group known as ShadowBrokers released a dump of tools and documents used by the TAO (Tailored Access Operations), the NSA’s cyber warfare group. This dump included a set of previously unknown exploits and backdoor applications targeting Windows systems from Windows XP through Windows Server 2008 and Windows 7.

Initially the threat posed by these exploits looked much greater: several experienced members of the community had tested and reported that Windows 10 (the most current version) might also be vulnerable to EternalBlue, the exploit in the set that targets the most up-to-date operating systems. Luckily, after some testing by @HackerFantastic this was disproven and the immediate panic was slightly reduced.

The total current count of exploits and tools released in this dump sits around 34. Exploits for everything from Windows operating systems to web servers, mail servers and other applications were included.

In addition, an exploitation framework and a callback application were included in the release: FuzzBunch and DanderSpritz / PeddleCheap. We’ll go through them in detail, as they form an exceptionally powerful trifecta when used properly and could end up becoming a new tool for penetration testers and security experts if properly maintained and cared for.

So what we have, as above, is:

FuzzBunch — An exploitation framework very similar to Metasploit, allowing for the creation and activation of exploits, backdoors and information gathering tools. Notable examples within it are EternalBlue (an exploit targeting Windows XP through 7) and DoublePulsar, a backdoor implant that can be used to launch malicious payloads.

DanderSpritz / PeddleCheap — A Java application that is essentially used as a command centre. It receives reverse connections from PeddleCheap payloads and automatically logs all actions taken within it, presumably for accurate record keeping. It also handles the creation of payloads that can be used within FuzzBunch (for those unfamiliar with this process: the exploit deposits a dropper, which then loads the payload).

I will be going into further details and practical examples of this process in another article, but the combination of EternalBlue, DoublePulsar and the Meterpreter environment (Metasploit’s exploit generation tool) makes for a very simple and quite frightening setup. It results in almost one-button exploitation of unpatched Windows servers. ‘EternalPulsar’ is also my loving name for this particular trio.

Currently the known impact of these exploits is luckily not as large as originally believed. Microsoft released a critical patch on the 14th of March (a patch day that Microsoft had delayed by a month with absolutely no explanation) which addressed these vulnerabilities on supported operating systems (anything newer than Windows Vista SP2).

Unfortunately, Microsoft did not release these patches as well as it could have, and as a result many people will be yet to apply them. This is especially true in corporate environments, where patches are often delayed by a month or not installed at all, due to issues surrounding restarting production machines or under-staffing, to mention a few. Appropriate patching has forever been an issue in security, and it’s highly unlikely that is going to change any time soon.

Herein lies the ongoing impact of these exploits, which is going to resound in the industry for many years to come. People are bad at patching; no, sorry, people are god awful at patching. In a few months these will be a small memory after the next fun weekend, and sysadmins will continue to spin up or run default Server 2008 instances or Windows 7 desktops — don’t say they won’t; last I checked some parts of the NHS are still using XP, or were until very recently — which will all be vulnerable to these exploits. This one isn’t over. Not even close.

If there is one thing I could ask you to take away from this, it’s PATCH. If you’re not going to do it right now, think about why you’re not. If you can’t take that one box down to patch it, what happens when it falls over or, worse, gets popped?

Special thanks to @HackerFantastic and @MisterCh0c for their badass work this weekend, which allowed the rest of us to fiddle to our hearts’ content!
