Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
Campaign that flew under the radar used hacked
computers to mineMonero currency.
On Friday, ransomware called WannaCry used leaked hacking tools
stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much-earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency. Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.
Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon, Kafeine wrote:
In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.
Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download[s] the mining instructions, cryptominer, and cleanup tools.It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.
Symptoms of the attack include a loss of access to networked resources and system sluggishness. Kafeine said that some people who thought their systems were infected in the WannaCry outbreak were in fact hit by the Adylkuzz attack. The researcher went on to say this overlooked attack may have limited the spread of WannaCry by shutting down SMB networking to prevent the compromised machines from falling into the hands of competing botnets. Proofpoint researchers have identified more than 20 hosts set up to scan the Internet and infect vulnerable machines they find. The researchers are aware of more than a dozen active Adylkuzz control servers. The botnet then mined Monero, a cryptocurrency that bills itself as being fully anonymous, as opposed to Bitcoin, in which all transactions are traceable.
Monday's report came the same day that a security researcher who works for Google found digital fingerprints tying a version of WCry from February to Lazarus Group, a hacking operation with links to North Korea. In a report published last month, Kaspersky Lab researchers said Bluenoroff, a Lazarus Group offshoot responsible for financial profit, installed cryptocurrency-mining software on computers it hacked to generate Monero coins. "The software so intensely consumed system resources that the system became unresponsive and froze," Kaspersky Lab researchers wrote.
Assembling a botnet the size of the one that managed WannaCry and keeping it under wraps for two to three weeks is a major coup. Monday's revelation raises the possibility that other botnets have been built on the shoulders of the NSA but have yet to be identified.
- Everyone infected with Adylkuzz can regard himself as highly fortunate.
Because Adylkuzz closed the infection route to prevent reinfection as a side effect it also closed the infection route against WCry. And compared to a deadly WCry infection the Adylkuzz infection is just a mere cold.
Without the prior Adylkuzz bot, the impact of WCry would have been even worse.119 posts | registered 10/28/2008
We got a 64 core Linux server (with Xeon Phi processor) hacked on April 15 to mine Monero coins. The hack went through a cups (< 2.03) bug, unpatched in the latest patched CentOS 7.3 distro, allowing to install without any remote login a vmware image. Then a user "support" was created, using the monero binary over the 64 cores (they missed to use 256 possible threads actually) over the Easter week end, and communicating with chinese ip addresses. Every 5 min the crontab file was ensuring the hack would restart in case of interruption.
The server has been reinstalled with a more recent Linux distro and no printer service.Using a botnet to mine cryptocurrency is also especially ill-conceived in the first place since the average CPU/GPU configuration is not particularly powerful… In fact, the majority of computers are likely to use iGPUs, so even across so many computers, the mining output of such a botnet is actually not that productive compared to dedicated GPU mining operations.
Monero is known for being much more friendly to CPU miners due to the use of a different Proof-of-work algorithm that is AES heavy and uses a 2MB scratch. This makes it optimal for mid-high end desktop PCs that have multiple cores with large cache sizes. To date, there are no known ASICs for monero, and most GPUs only get about 10x over decent CPUs. Scale that to a large botnet, and you could collect double-digit chunks of the hash rate.
Alan Zibluk – Markethive Founding Member