
Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry

Campaign that flew under the radar used hacked computers to mine Monero currency.


On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency. Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.

Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon, Kafeine wrote:

In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download[s] the mining instructions, cryptominer, and cleanup tools. It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.

Symptoms of the attack include a loss of access to networked resources and system sluggishness. Kafeine said that some people who thought their systems were infected in the WannaCry outbreak were in fact hit by the Adylkuzz attack. The researcher went on to say this overlooked attack may have limited the spread of WannaCry by shutting down SMB networking to prevent the compromised machines from falling into the hands of competing botnets. Proofpoint researchers have identified more than 20 hosts set up to scan the Internet and infect vulnerable machines they find. The researchers are aware of more than a dozen active Adylkuzz control servers. The botnet then mined Monero, a cryptocurrency that bills itself as being fully anonymous, as opposed to Bitcoin, in which all transactions are traceable.
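The symptoms above (SMB suddenly unreachable, sluggish host) are what a responder has to triage. The script below is an added example, not code from the article or from Proofpoint: it parses host-firewall rule listings in the layout of `netsh advfirewall firewall show rule name=all` (an assumption; the article does not say how Adylkuzz blocks SMB) and flags enabled rules that block the SMB ports, using a constructed sample rather than a real capture.

```python
"""Flag enabled firewall rules that block SMB (TCP 445/139), a symptom Proofpoint
tied to Adylkuzz. Added example; assumes the layout of `netsh advfirewall firewall
show rule name=all`. SAMPLE_RULES is a constructed sample, not a real capture."""
SMB_PORTS = {"445", "139"}
SAMPLE_RULES = """\
Rule Name:                            Block RDP (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Protocol:                             TCP
LocalPort:                            3389
Action:                               Block

Rule Name:                            svc-update
----------------------------------------------------------------------
Enabled:                              Yes
Protocol:                             TCP
LocalPort:                            445
Action:                               Block

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow
"""

def parse_rules(text):
    """One dict per rule; every 'Rule Name:' line opens a new record."""
    rules, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.startswith("-"):
            continue  # blank lines and dashed separators carry no fields
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules

def smb_block_rules(text):
    """Names of enabled TCP Block rules that name an SMB port on either side
    (a Block rule on port 'Any' would also cover SMB and is not flagged here)."""
    hits = []
    for r in parse_rules(text):
        ports = set(r.get("LocalPort", "").split(",")) | set(r.get("RemotePort", "").split(","))
        if (r.get("Enabled") == "Yes" and r.get("Action") == "Block"
                and r.get("Protocol") == "TCP" and ports & SMB_PORTS):
            hits.append(r["Rule Name"])
    return hits
```

A hit with an unfamiliar rule name such as "svc-update" is a lead to check rule creation time and the process that added it, not proof of infection on its own.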

Monday's report came the same day that a security researcher who works for Google found digital fingerprints tying a version of WCry from February to Lazarus Group, a hacking operation with links to North Korea. In a report published last month, Kaspersky Lab researchers said Bluenoroff, a Lazarus Group offshoot responsible for financial profit, installed cryptocurrency-mining software on computers it hacked to generate Monero coins. "The software so intensely consumed system resources that the system became unresponsive and froze," Kaspersky Lab researchers wrote.

Assembling a botnet the size of the one that managed WannaCry and keeping it under wraps for two to three weeks is a major coup. Monday's revelation raises the possibility that other botnets have been built on the shoulders of the NSA but have yet to be identified.

Promoted Comments

  • Everyone infected with Adylkuzz can regard himself as highly fortunate.
    Because Adylkuzz closed the infection route to prevent reinfection as a side effect it also closed the infection route against WCry. And compared to a deadly WCry infection the Adylkuzz infection is just a mere cold.
    Without the prior Adylkuzz bot, the impact of WCry would have been even worse.
  • We got a 64 core Linux server (with Xeon Phi processor) hacked on April 15 to mine Monero coins. The hack went through a cups (< 2.03) bug, unpatched in the latest patched CentOS 7.3 distro, allowing a vmware image to be installed without any remote login. Then a user "support" was created, using the monero binary over the 64 cores (they actually failed to use the 256 possible threads) over the Easter weekend, and communicating with Chinese ip addresses. Every 5 min the crontab file was ensuring the hack would restart in case of interruption.

    The server has been reinstalled with a more recent Linux distro and no printer service.
  • Using a botnet to mine cryptocurrency is also especially ill-conceived in the first place since the average CPU/GPU configuration is not particularly powerful… In fact, the majority of computers are likely to use iGPUs, so even across so many computers, the mining output of such a botnet is actually not that productive compared to dedicated GPU mining operations.

  • Monero is known for being much more friendly to CPU miners due to the use of a different proof-of-work algorithm that is AES heavy and uses a 2MB scratch. This makes it optimal for mid-high end desktop PCs that have multiple cores with large cache sizes. To date, there are no known ASICs for Monero, and most GPUs only get about 10x over decent CPUs. Scale that to a large botnet, and you could collect double-digit chunks of the hash rate.
