As the world reels from the WannaCry ransomware attack, it’s now emerged that a second, potentially larger attack, is already under way. It seems the widespread proliferation of military-grade cyberweapons has ushered in a new era of digital crime.
Cyber bandits have again deployed both the EternalBlue and DoublePulsar exploits developed and used by the NSA which were released by the ShadowBrokers hackers back in April.
“Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection,” wrote a security researcher who goes by the alias Kafeine at cybersecurity company Proofpoint.
This latest attack uses the two exploits to install the cryptocurrency miner Adylkuzz over corporate Local Area and wireless networks but, rather curiously, may actually have helped slow the spread of WannaCry.
However, in an apparent case of “picking your poison,” the Adylkuzz miner dramatically slows PC and server performance as it extracts cryptocurrency but it does not lock users out of their machines and data, as WannaCry did.
Researchers at Proofpoint estimate that the Adylkuzz attack may have begun as early as April 24 but was subsequently overshadowed in the hysteria that followed the WannaCry ransomware attacks.
The attack is launched from multiple virtual private servers which scour the internet for vulnerabilities to install the Adylkuzz miner.
The malware infection occurs as follows:
The EternalBlue exploit opens the door for infection with DoublePulsar on a target machine. DoublePulsar then downloads and runs Adylkuzz on the computer.
Adylkuzz then stops any preexisting versions of itself on a target machine, while also blocking SMB network communications with other machines to prevent any further malware infections from disrupting its operations. It initially prevents cybersecurity professionals from identifying that there is a problem.
Once the door has been held open and detection risks have been minimized, Adylkuzz then downloads mining instructions, the cryptocurrency miner itself and a variety of cleanup tools to mask its activities.
While the term cryptocurrency is typically associated with Bitcoin, Adylkuzz actually mines Monero, a similar but more heavily encrypted digital currency. Monero recently saw a significant uptick in usage after it was adopted in the AlphaBay market on the Dark Web.
During its research, Proofpoint identified three addresses which had already generated $7,000, $14,000 and $22,000 respectively, before being shut down.
To cover their tracks, whoever is behind the attack regularly changes the online payment address to avoid attracting too much attention.
As in the case of the WannaCry attack, hackers have leveraged the NSA’s weaponized exploits of legacy Microsoft operating systems to infect hundreds of thousands of machines worldwide with malware. Since the Shadow Brokers’ leak of these NSA exploits there have been two high profile attacks with many more expected in the future.