The mining malware has built a massive botnet, but it has also stopped computers from being infected by WannaCry

May 16, 2017 08:30 GMT  ·  By
Cryptocurrency mining malware used Windows vulnerability to spread like wildfire

The same attack kit used in the WannaCry global spread was also used in another attack last month that may have been even larger in size. 

According to Proofpoint security researcher Kafeine, the attack used the same exploit, codenamed EternalBlue, together with a backdoor called DoublePulsar, both of which were included in the NSA files dumped by the Shadow Brokers. Instead of installing ransomware, however, the campaign was pushing cryptocurrency mining software known as Adylkuzz.

By their estimates, the attack started sometime between April 24 and May 2. Much like the WannaCry ransomware, the campaign was quite efficient at compromising computers that have yet to install the Microsoft updates released back in March to patch the vulnerabilities.

"In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet," Kafeine wrote.

It seems that the attack is launched from several virtual private servers that continuously scan the Internet on TCP port 445 (SMB) for potential targets.

Once a machine is exploited via EternalBlue, it is infected with DoublePulsar. The backdoor then downloads and runs Adylkuzz from another host. The cryptocurrency miner first stops any potential instances of itself that are already running, blocks SMB communication to avoid further infection, determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools.
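To illustrate the scanning pattern described above from a defender's point of view, here is an added example (not code from the article or from Proofpoint) that flags internal hosts sweeping TCP port 445 across many destinations in a short window. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any vendor's):
#   "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) \w+$")

# Constructed sample: 10.0.0.5 sweeps six hosts on 445 within seconds
# (worm-like); 10.0.0.9 talks repeatedly to one file server (normal SMB use).
SAMPLE_LOG = """\
2017-04-28 10:00:01 10.0.0.5 -> 10.0.1.10:445 SYN
2017-04-28 10:00:02 10.0.0.5 -> 10.0.1.11:445 SYN
2017-04-28 10:00:03 10.0.0.5 -> 10.0.1.12:445 SYN
2017-04-28 10:00:04 10.0.0.5 -> 10.0.1.13:445 SYN
2017-04-28 10:00:05 10.0.0.5 -> 10.0.1.14:445 SYN
2017-04-28 10:00:06 10.0.0.5 -> 10.0.1.15:445 SYN
2017-04-28 10:00:07 10.0.0.5 -> 10.0.1.16:80 SYN
2017-04-28 10:00:08 10.0.0.9 -> 10.0.1.50:445 SYN
2017-04-28 10:00:09 10.0.0.9 -> 10.0.1.50:445 SYN
2017-04-28 10:00:10 10.0.0.9 -> 10.0.1.50:445 SYN
"""

def parse(lines):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def find_smb_sweepers(lines, min_targets=5, window=timedelta(seconds=60)):
    """Map each source IP to the most distinct hosts it contacted on TCP/445
    inside any single window; only sources reaching min_targets are returned."""
    events = defaultdict(list)  # src_ip -> [(ts, dst_ip)]
    for ts, src, dst, port in parse(lines):
        if port == 445:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            if distinct >= min_targets:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

Repeated connections to a single host count once, so ordinary file-server traffic is not flagged; tune `min_targets` and `window` to the baseline of the network being monitored.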

A double-edged sword

This means that some people who thought their systems had been infected in the WannaCry outbreak that started on Friday were in fact hit by this other attack. In fact, this first attack may have actually limited the spread of WannaCry since it was shutting down the SMB networking in order to prevent the compromised machines from being overtaken by other botnets.

The botnet was used to mine Monero, a digital currency that claims to be completely anonymous. It contrasts itself with Bitcoin, where all transactions are traceable, even though Bitcoin is far more popular.

The fact that a botnet of this size managed to go undetected for several weeks is quite an accomplishment. That being said, it raises the question of how many others are out there, built on the same NSA tools.