New Cryptomining Threat Could Overshadow #WannaCry

Security experts are warning of a potentially larger scale malware campaign than WannaCry making use of the same NSA exploits to install cryptocurrency miner Adylkuzz.

This campaign – which actually predates WannaCry by at least a fortnight and possibly more – was spotted by Proofpoint, which said it’s being launched from multiple virtual private servers scanning the internet on a massive scale for targets on TCP port 445.

It explained in a blog post:

“Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.”

Ironically, this malware campaign might actually have saved many organizations from WannaCry by virtue of the fact it blocks SMB communication to prevent further malware infection, the vendor claimed.

The good news is that victims aren’t locked out of their machines as with WannaCry. Instead, the Adylkuzz malware will conscript said machines into a botnet designed to mine Monero cryptocurrency.

This means PCs and servers might run considerably slower than they would normally.

As to the scale of the threat, Proofpoint claimed to have identified over 20 hosts designed to scan and launch attacks, and more than 12 active Adylkuzz C&C servers.

It added that “initial statistics” suggest Adylkuzz could be bigger than WannaCry – again partly thanks to its shutting down SMB networking – affecting hundreds of thousands of PCs and servers worldwide.

The advice, as with WannaCry, is to patch the SMB bug as soon as possible.

The bad news is that more attacks are likely to follow these two, exploiting the same vulnerabilities, warned Proofpoint.

Brian Vecci, technical evangelist at Varonis, argued that the potential is there for black hats to craft covert attacks which could be far more harmful to firms.

“Even with Adylkuzz, the loss of a few thousand Moneros is nothing compared to the APT who plays the long game with DoublePulsar and EternalBlue and stealthily surveys and cherry picks all the health records, student records, intellectual property and incriminating emails they can get their hands on,” he explained.

"WannaCry changed the world and proved that the illusion of the security perimeter is over. Basic controls, continuous monitoring, and data analytics will be critical.”

What’s Hot on Infosecurity Magazine?