Another large-scale, stealthy cyberattack is underway on a scale that could dwarf last week's assault on computers worldwide, a global cybersecurity firm told AFP on Wednesday. Meet Adylkuzz, the new cyberattack that "is much bigger than WannaCry." Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to "mine" in a background task a virtual currency, Monero, and transfer the money created to the authors of the virus. Proofpoint said in a blog that symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance, effects which some users may not notice immediately. "As it is silent and doesn't trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals. It transforms the infected users into unwitting financial supporters of their attackers," said Godier. Proofpoint said it has detected infected machines that have transferred several thousand dollars worth of Monero to the creators of the virus.
The firm believes Adylkuzz has been on the loose since at least May 2, and perhaps even since April 24, but due to its stealthy nature was not immediately detected. Proofpoint's vice president for email products, Robert Holmes, told AFP; "We don't know how big it is" but "it's much bigger than WannaCry",
"We have seen that before, malwares mining cryptocurrency, but not this scale," said Holmes.
It uses the hacking tools recently disclosed by the NSA "in a more stealthy manner and for a different purpose." As InfoRiskToday details, the SMB flaw (file-sharing network protocol) targeted by this Adylkuzz campaign existed in all versions of Windows since XP and came to light in April, via a dump of "Equation Group" tools released by the Shadow Brokers.
Many security experts believe the Equation Group is the National Security Agency, and that the Shadow Brokers may be part of a psychological operations campaign run by Russian intelligence.
One of the Equation Group exploits included in the April dump, called EternalBlue, is designed to exploit the SMB flaw in Windows. If successful, the Equation Group would then often install a backdoor called DoublePulsar onto the exploited endpoint to give it persistent, quiet access to the system.
Rather than freeze files demanding a ransom, Adylkuzz uses the hundreds of thousands of infected computers to mine virtual currency...
As InfoRiskToday details; The WannaCry outbreak began May 12. But Proofpoint says that the Adylkuzz campaign that targeted DoublePulsar and EternalBlue appears to have begun as early as April 24 - nearly three weeks earlier - and hasn't stopped.
"This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive," Kafeine says in a Monday blog post.
In addition, Proofpoint reports that multiple outbreaks that were attributed to the WannaCry campaign, but which involved no ransom notice, may, in fact, have instead been part of the Adylkuzz campaign.
As with WannaCry, the Adylkuzz malware first attempts to exploit a system via EternalBlue, and if successful then infects the endpoint with DoublePulsar, Kafeine says.
"Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection, Kafeine says. "It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools." Adylkuzz campaign is mining not for the world's most well-known cryptocurrency, but rather for monero...
Also known as XMR, InfoRiskToday notes the creators of the cryptocurrency claim that it's more private and difficult to trace than bitcoin. Unlike bitcoin, it also has no hardcoded block size limit, meaning that, at least in theory, an infinite amount of monero could be mined.
So far it's not clear who's behind this cryptocurrency mining operation. A version of WannaCry seen in February contains code that was used in a 2015 attack tied to Lazarus, a hacking group security experts say ties to North Korea. But anyone could have reused the 2015 code, which is publicly available, Matt Suiche, managing director at incident response firm Comae Technologies, tells Cyberscoop.
"Attribution can always be faked, as it's only a matter of moving bytes around," he says.
# As InfoRiskToday.com concludes ominously, the discovery of the cryptocurrency mining botnet shows that organizations that fail to patch their systems aren't just at risk from flashy attacks, such as WannaCry, but also stealthier attacks that don't always announce their presence....