Massive Cryptocurrency Malware Campaign Blocked SMB Flaw, Blunting WannaCry
Weeks before the WannaCry outbreak, other attackers unleashed malware that also targeted the server messaging block flaw in Windows. But this attack campaign, instead of installing ransomware – like WannaCry’s operators – instead exploited the SMB flaw to install cryptocurrency mining malware named Adylkuzz.
See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry
As a side effect, the malware also blocked any other attack code from exploiting the SMB flaw to gain a presence on the endpoint, which may have blunted the impact of Friday’s WannaCry outbreak.
So says “Kafeine,” a malware researcher with security firm Proofpoint, who reports that they have identified at least 20 hosts being used to scan for potentially vulnerable systems via TCP port 445 and launch related attacks, and 12 command-and-control servers for controlling infected endpoints. But the security firm says the actual attack infrastructure is likely much larger.
Proofpoint first discovered the Adylkuzz campaign after leaving a virtual machine, running a version of Windows vulnerable to the SMB flaw, connected to the internet. Just 20 minutes later, it reports, the endpoint had been infected with Adylkuzz. Several repeat experiments, it says, produced the same results.
It’s not clear how many endpoints have been infected by the Adylkuzz mining botnet, which attackers are using to mine for cryptocurrency called monero. Mining refers to the practice of generating new cryptocurrency, which requires solving computationally intensive operations, after which miners have a chance of being rewarded with the new currency that has been generated. Doing mining profitably and legitimately typically requires investing in high-end, dedicated mining rigs.
Criminals, of course, are always looking for ways to make a fast buck, and that’s given rise to mining malware such as Adylkuzz, which presses infected endpoints into the service of a cryptocurrency mining botnet. Instead of using dedicated hardware, related operations get distributed to what may be thousands of infected endpoints’ processors.
The discovery of the cryptocurrency mining botnet shows that organizations that fail to patch their systems aren’t just at risk from flashy attacks, such as WannaCry, but also stealthier attacks that don’t always announce their presence.
The SMB flaw targeted by this Adylkuzz campaign existed in all versions of Windows since XP and came to light in April, via a dump of “Equation Group” tools released by the Shadow Brokers.
Microsoft quietly patched the SMB flaw in all supported operating systems in March. After the WannaCry outbreak began Friday, however, Microsoft that night released free, emergency patches for Windows XP, Windows Server 2003 and Windows 8 users. Prior to that, the patches had only been available for customers who paid for pricey extended-support contracts for the operating systems, for which Microsoft has ceased providing mainstream support.
Many security experts believe the Equation Group is the National Security Agency, and that the Shadow Brokers may be part of a psychological operations campaign run by Russian intelligence.
One of the Equation Group exploits included in the April dump is called EternalBlue and is designed to exploit the SMB flaw in Windows. If successful, the Equation Group would then often install a backdoor called DoublePulsar onto the exploited endpoint, to give it persistent, quiet access to the system in the future.
The WannaCry attacks used a worm that looked for the presence of DoublePulsar on an endpoint, and then used it to install WannaCry ransomware. If that backdoor was not present, then the worm attempted to exploit EternalBlue – the SMB flaw – to access the system and install ransomware. Once the ransomware infected a system, it could then spread to other endpoints on the same network.
Adylkuzz Campaign Continues
The WannaCry outbreak began May 12. In comparison, Proofpoint says that the Adylkuzz campaign that targeted DoublePulsar and EternalBlue appears to have begun as early as April 24 – nearly three weeks earlier – and hasn’t stopped.
“This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive,” Kafeine says in a Monday blog post.
“Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance,” Kafeine adds. In addition, Proofpoint reports that multiple outbreaks that were attributed to the WannaCry campaign, but which involved no ransom notice, may in fact have instead been Adylkuzz campaign.
As with WannaCry, the Adylkuzz malware first attempts to exploit a system via EternalBlue, and if successful then infects the endpoint with DoublePulsar, Kafeine says. “Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection, Kafeine says. “It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.”
Cryptomining for Monero
This Adylkuzz campaign is mining not for the world’s most well-known cryptocurrency, but rather for monero.
Also known as XMR, the creators of the cryptocurrency claim that it’s more private and difficult to trace than bitcoin. Unlike bitcoin, it also has no hardcoded block size limit, meaning that – at least in theory – an infinite amount of monero could be mined.
Crytptocurrency options abound. But monero got a boost last year, when the operators of the darknet marketplace Alphabay announced on Reddit that as of Sept. 1, 2016, they would begin allowing monero deposits and withdrawals.
“Following the demand from the community, and considering the security features of monero, we decided to add it to our marketplace,” they wrote.
Some ransomware attackers have begun to demand monero for ransom payments, rather than bitcoins. One example is the trekker-themed Kirk ransomware discovered in March (see Star Trek Ransomware Boldly Encrypts).
Currently, it’s more processor-efficient to mine for monero than bitcoin, based on the processing power required.
On the Coinwarez list of cryptocurrency profitability, for example, Monero ranks 20th, and has an estimated $6.34 in daily revenue versus $4.90 in profit, with $1.44 lost to electricity costs. Bitcoin, meanwhile, is currently ranked 41st on the list of profitability, generating an estimated $7.58 in revenue but only $1.34 in profit, with $6.24 lost to electricity.
Those figures scale to the amount of processing power that miners devote to solving related mathematical challenges. They also highlight that new bitcoin blocks have become quite computationally intensive to solve, demanding a much greater amount of processing power – and thus electricity – than other types of mining.
Takeaway: Patch or Perish
The choice of monero for this Adylkuzz cryptocurrency mining botnet’s operations aside, the campaign is a reminder that organizations running applications and operating systems that don’t have the latest software updates or security fixes remain at risk from enterprising attackers.
“Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly,” Kafeine says. “Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible.”