> Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
>
> Campaign that flew under the radar used hacked computers to mine Monero currency.
>
> On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.
>
> Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.
>
> Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon, Kafeine wrote:
>
>> In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.
>>
>> Figure 1: EternalBlue/DoublePulsar attack from one of several identified hosts, then Adylkuzz being downloaded from another host. A hash of a pcap of this capture is available in the IOCs table.
>>
>> The attack is launched from several virtual private servers which are massively scanning the Internet on TCP port 445 for potential targets.
>>
>> Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download[s] the mining instructions, cryptominer, and cleanup tools.
>>
>> It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.
>>
>> Figure 2 shows the post-infection traffic generated by Adylkuzz in this attack.
>
> Symptoms of the attack include a loss of access to networked resources and system sluggishness. Kafeine said that some people who thought their systems were infected in the WannaCry outbreak were in fact hit by the Adylkuzz attack. The researcher went on to say this overlooked attack may have limited the spread of WannaCry by shutting down SMB networking to prevent the compromised machines from falling into the hands of competing botnets.
>
> Proofpoint researchers have identified more than 20 hosts set up to scan the Internet and infect vulnerable machines they find. The researchers are aware of more than a dozen active Adylkuzz control servers. The botnet then mined Monero, a cryptocurrency that bills itself as being fully anonymous, as opposed to Bitcoin, in which all transactions are traceable.
>
> Monday's report came the same day that a security researcher who works for Google found digital fingerprints tying a version of WCry from February to Lazarus Group, a hacking operation with links to North Korea. In a report published last month, Kaspersky Lab researchers said Bluenoroff, a Lazarus Group offshoot responsible for financial profit, installed cryptocurrency-mining software on computers it hacked to generate Monero coins. "The software so intensely consumed system resources that the system became unresponsive and froze," Kaspersky Lab researchers wrote.
>
> Assembling a botnet the size of the one that managed WannaCry and keeping it under wraps for two to three weeks is a major coup. Monday's revelation raises the possibility that other botnets have been built on the shoulders of the NSA but have yet to be identified.
With links: https://arstechnica.com/security/2017/05/massive-cryptocurrency-botnet-used-leaked-nsa-exploits-weeks-before-wcry/
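The two-stage pattern Kafeine describes (mass scanning of TCP/445 from a handful of external hosts, then the victim fetching the miner from a different host) is something a defender can look for in perimeter firewall logs. The script below is an added example, not code from the article or from Proofpoint; the log format, the 10.0.0.0/8 internal range and the addresses in the sample lines are all constructed, and the five-minute correlation window is an assumption.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the article): time action src dst proto dport
SAMPLE_LOG = """\
2017-05-02T10:00:01 ALLOW 198.51.100.7 10.0.0.11 tcp 445
2017-05-02T10:00:01 ALLOW 198.51.100.7 10.0.0.12 tcp 445
2017-05-02T10:00:02 ALLOW 198.51.100.7 10.0.0.13 tcp 445
2017-05-02T10:00:02 DENY 198.51.100.7 10.0.0.14 tcp 445
2017-05-02T10:00:40 ALLOW 10.0.0.11 203.0.113.9 tcp 80
2017-05-02T10:03:00 ALLOW 10.0.0.20 10.0.0.21 tcp 445
2017-05-02T10:30:00 ALLOW 10.0.0.12 203.0.113.9 tcp 80
"""

# Assumed internal address space; anything outside it is "the open web".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def parse(log):
    """Split each line into (time, action, src, dst, proto, dport)."""
    events = []
    for line in log.splitlines():
        ts, action, src, dst, proto, dport = line.split()
        events.append((datetime.fromisoformat(ts), action,
                       ipaddress.ip_address(src), ipaddress.ip_address(dst),
                       proto, int(dport)))
    return events

def find_smb_scanners(events, min_targets=3):
    """External sources hitting many distinct internal hosts on tcp/445.
    Denied attempts count too: a mass scanner is noisy either way."""
    targets = defaultdict(set)
    for _, _, src, dst, proto, dport in events:
        if proto == "tcp" and dport == 445 and src not in INTERNAL and dst in INTERNAL:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}

def find_payload_fetches(events, scanners, window_s=300):
    """Internal hosts that, shortly after an allowed 445 hit from a scanner,
    connect out to a different external host (the second-stage download)."""
    last_hit = {}          # victim -> (time of last 445 hit, scanner address)
    for ts, action, src, dst, _, dport in events:
        if action == "ALLOW" and dport == 445 and src in scanners:
            last_hit[dst] = (ts, src)
    alerts = []
    for ts, _, src, dst, _, dport in events:
        if src in last_hit and dst not in INTERNAL and dst != last_hit[src][1]:
            hit_ts, scanner = last_hit[src]
            if 0 <= (ts - hit_ts).total_seconds() <= window_s:
                alerts.append((str(src), str(scanner), str(dst), dport))
    return alerts
```

On the sample lines only 10.0.0.11 is reported: it was hit by the scanner and reached out to a different external host 39 seconds later, while 10.0.0.12's outbound connection falls outside the window and the internal-to-internal SMB traffic is ignored.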