More than 400,000 computers worldwide have been infected with WannaCry ransomware since the beginning of the devastating attack on May 12th, 2017. WannaCry has compromised standalone and networked Windows computers, at home and in the enterprise. The initial attack was made possible by EternalBlue, the vulnerability exposed by the Shadow Brokers, an anonymous group who claim they will expose more zero-day vulnerabilities soon. Around the same time experts were trying to handle the WannaCry attack, they detected another piece of malware in the same family as WannaCry: Adylkuzz.
What is Adylkuzz?
Silently installing itself in the background of your computer, Adylkuzz is malware that runs software which mines Monero, a cryptocurrency similar to Bitcoin. It uses the EternalBlue exploit and the DoublePulsar backdoor to attack systems, then blocks Server Message Block (SMB) networking so that other malware cannot reinfect the host through that same vulnerability. Surprisingly, WannaCry could have had an even larger impact had Adylkuzz not already prevented other malware from exploiting the SMB vulnerability on the machines it infected.
Discovery of Adylkuzz
While exploring the impact of WannaCry, a few security researchers exposed their lab machines to the EternalBlue vulnerability to identify exactly how WannaCry infects systems; instead, they discovered new malware called Adylkuzz, which was more prominent than WannaCry. Those researchers repeated the operation a few times, exposing a few other machines with the same vulnerability to the web. Each time, the exposed machines ended up enrolled in the Adylkuzz mining botnet, at which point the miner was activated.
How does Adylkuzz infiltrate your network?
Adylkuzz attacks are launched from various virtual private servers that scan for a point of entry on TCP port 445. After successful exploitation using EternalBlue, machines are infected with DoublePulsar, which opens a backdoor for the download and installation of Adylkuzz from another host. After installation, Adylkuzz blocks SMB communication to avoid further infection. Adylkuzz then identifies the victim’s public IP address and downloads the mining instructions to the victim’s computer. At any given instant, there are multiple Adylkuzz command and control servers hosting the cryptominer binaries and mining instructions.
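The first step of the chain above is an external host sweeping TCP/445 looking for reachable SMB services. The following Python is an added example (not code from the original post or from any Adylkuzz sample) that runs that detection over a constructed firewall log: it flags external sources probing several internal hosts on 445 and any external-to-internal SMB connection the firewall let through. The log format, the `INTERNAL` ranges and the sweep threshold are assumptions made for the example.

```python
# Added example: detect TCP/445 sweeps and exposed SMB in a constructed
# firewall log. Log format, INTERNAL ranges and threshold are assumptions.
import ipaddress
from collections import defaultdict

# Address ranges the defender considers "inside"; assumed for the example.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
SWEEP_THRESHOLD = 3  # distinct internal hosts probed on 445 by one source

# Constructed sample log: timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_LOG = """\
2017-05-15T10:00:01Z 203.0.113.7 51234 10.0.0.11 445 TCP DENY
2017-05-15T10:00:01Z 203.0.113.7 51235 10.0.0.12 445 TCP DENY
2017-05-15T10:00:02Z 203.0.113.7 51236 10.0.0.13 445 TCP ALLOW
2017-05-15T10:00:02Z 203.0.113.7 51237 10.0.0.14 445 TCP DENY
2017-05-15T10:00:03Z 10.0.0.20 49200 10.0.0.5 445 TCP ALLOW
2017-05-15T10:00:04Z 198.51.100.9 40000 10.0.0.30 443 TCP ALLOW
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_line(line):
    ts, src, sport, dst, dport, proto, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}

def analyze(log_text, threshold=SWEEP_THRESHOLD):
    """Return external sources sweeping TCP/445 and any external->internal
    SMB connection the firewall allowed (a host reachable for exploitation)."""
    targets = defaultdict(set)   # src -> set of internal hosts probed on 445
    exposed = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["proto"] != "TCP" or rec["dport"] != 445:
            continue
        if is_internal(rec["src"]):
            continue             # internal SMB traffic is normal here
        targets[rec["src"]].add(rec["dst"])
        if rec["action"] == "ALLOW":
            exposed.append((rec["src"], rec["dst"]))
    sweeps = {src: len(hosts) for src, hosts in targets.items()
              if len(hosts) >= threshold}
    return {"sweeps": sweeps, "exposed_smb": exposed}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log the external source 203.0.113.7 is reported as a sweep of four hosts, and its allowed connection to 10.0.0.13 is reported as exposed SMB; the internal 10.0.0.20 connection and the port 443 line are ignored.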
Where do cryptocurrencies fit into the mix?
Over the last few years, cryptocurrencies have been gaining traction, and the cryptocurrency market has recently passed $77 billion. Most cryptocurrencies allow funds to be transferred directly to an address (a wallet), and many people use this feature for mundane purposes, such as making international transactions. But cryptocurrency also has nefarious uses, for example among malware operators and in black-market dealings.
Mining is the only way to generate cryptocurrencies like Monero, but it’s a slow process that requires a considerable amount of processing power. Cryptocurrency mining malware like Adylkuzz implements hidden mining processes on infected machines to generate cryptocurrency without draining any of the hacker’s own resources. Adylkuzz significantly slows down infected computers while downloading and executing mining instructions or performing mining operations. Monero, the cryptocurrency mined by Adylkuzz, gained popularity after AlphaBay, a major darknet market, began accepting it for payment. Even the hackers who developed WannaCry utilized cryptocurrency, requiring infected users to pay ransom with Bitcoin.
Stay secure by patching your systems
Adylkuzz’s attack began in parallel with WannaCry. Unfortunately, unlike WannaCry, Adylkuzz infections are difficult for end users to identify and the hackers recently changed the address where mined Monero is delivered. With attacks like WannaCry and Adylkuzz exploiting networks around the world, practicing the right security measures is essential for staying ahead. One of the most effective ways to prevent the exploitation of known software vulnerabilities is by patching.
Security professionals are working hard on a daily basis to stop breaches, and IT companies are rushing to patch computers. Now is the time for leaders to start brainstorming ways to keep their organizations secure in the future. Experts suggest organizations should employ an endpoint management solution to keep their systems up to date, allowing them to close any vulnerabilities that may crop up.
PCs and servers that have not received the SMB patch Windows released last month remain vulnerable to Adylkuzz and to other malware that uses this type of attack. Ransomware and viral cryptocurrency miners are disruptive and costly, and now that two major threats have employed them in their attack tools and used the same vulnerability, we expect other threats will follow soon.
Protect yourself from copycat attacks and all of WannaCry’s “siblings” with an effective patch management solution. There’s no excuse for leaving vulnerabilities unchecked.