The ransomware attack that stormed the world over the past several days wasn’t the first to leverage the leaked EternalBlue/DoublePulsar NSA hacking tools for distribution, Proofpoint researchers have discovered.
WannaCry might have gained everyone’s attention because of its destructive potential, but credit to being the first to use the EternalBlue exploit abusing a Server Message Block (SMB) vulnerability on TCP port 445 should go to the cryptocurrency miner Adylkuzz, Proofpoint says.
Similar to WannaCry, the attack leverages the EternalBlue exploit to rapidly propagate from machine to machine, along with the NSA backdoor called DoublePulsar which is used to install a malicious payload on compromised machines.
Symptoms of infection, however, aren’t as visible as with WannaCry: loss of access to shared Windows resources and degradation of PC and server performance. What’s more, the malicious code also shuts down SMB networking to prevent infections with other malware.
According to ProofPoint security researcher Kafeine, this attack might have been much larger than the ransomware outbreak. Furthermore, Kafeine suggests that, because Adylkuzz specifically patched the vulnerability targeted by WannaCry, it might have limited the latter’s infection.
What is certain, however, is that “the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24.” Kafeine also notes that the infection is ongoing and is potentially quite disruptive, although not as flashy as the ransomware rampage.
The Adylkuzz attack is launched from several virtual private servers. EternalBlue is abused for compromise, then the DoublePulsar backdoor is installed to download and run Adylkuzz from another host. Once up and running, the cryptocurrency miner first stops any potential instances of itself and blocks SMB communication to avoid further infection.
Next, the malware determines the public IP address of the victim and then downloads the mining instructions, the cryptominer, and cleanup tools. As it turns out, the cryptominer binaries and mining instructions are hosted on multiple command and control (C&C) servers at the same time.
As part of this attack, Adylkuzz is mining for Monero, a cryptocurrency that saw a surge in activity after the AlphaBay darknet market adopted it last year: BondNet, a Monero-mining botnet that has been active since December 2016, was detailed recently, the Sundown exploit kit was previously dropping a Monero miner, and a Go-based miner was seen last year targeting Linux systems.
Unlike Bitcoin, which now generally requires dedicated, high-performance machines, the Monero mining process can be easily distributed across a botnet, Kafeine explains.
Mining payments associated with an Adylkuzz address suggests the attacks started on April 24. On May 11, the actor supposedly switched to a new mining user address, to avoid having too many Moneros paid to a single address. Three observed addresses received around $43,000 in payments, the researcher says.
“We have currently identified over 20 hosts set up to scan and attack, and are aware of more than a dozen active Adylkuzz C&C servers. We also expect that there are many more Monero mining payment addresses and Adylkuzz C&C servers associated with this activity,” Kafeine notes.
The SMB vulnerability that both WannaCry and Adylkuzz abuse has been addressed by Microsoft in March 2017, and also resolved on unsupported platforms via an emergency patch released over the weekend. Installing these patches should prevent the malware from spreading further.
In the meantime, security researchers apparently linked the WannaCry attacks to the North Korea-linked hacking group Lazarus and suggest that more attacks might follow. Although the attacks have slowed down significantly as of Monday, even industrial systems might be at risk, experts warn.
In the light of these attacks, installing the latest Windows patches might have never been a better course of action.
“For organizations running legacy versions of Windows or who have not implemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerable to this type of attack. Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly. Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible,” Kafeine says.