All Ur BTC Iz Mine(d): "Massive cryptocurrency botnet used leaked NSA exploits"

Razer g2s at riseup.net
Sat May 20 10:52:36 PDT 2017


> Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
>
> Campaign that flew under the radar used hacked computers to mine
> Monero currency.
>
> On Friday, ransomware called WannaCry used leaked hacking tools stolen
> from the National Security Agency to attack an estimated 200,000
> computers in 150 countries. On Monday, researchers said the same
> weapons-grade attack kit was used in a much-earlier and possibly
> larger-scale hack that made infected computers part of a botnet that
> mined cryptocurrency.
>
> Like WannaCry, this earlier, previously unknown attack used an exploit
> codenamed EternalBlue and a backdoor called DoublePulsar, both of
> which were NSA-developed hacking tools leaked in mid April by a group
> calling itself Shadow Brokers. But instead of installing ransomware,
> the campaign pushed cryptocurrency mining software known as Adylkuzz.
> WannaCry, which gets its name from a password hard-coded into the
> exploit, is also known as WCry.
>
> Kafeine, a well-known researcher at security firm Proofpoint, said the
> attack started no later than May 2 and may have begun as early as
> April 24. He said the campaign was surprisingly effective at
> compromising Internet-connected computers that have yet to install
> updates Microsoft released in early March to patch the critical
> vulnerabilities in the Windows implementation of the Server Message
> Block protocol. In a blog post published Monday afternoon, Kafeine wrote:
>
>> In the course of researching the WannaCry campaign, we exposed a lab
>> machine vulnerable to the EternalBlue attack. While we expected to
>> see WannaCry, the lab machine was actually infected with an
>> unexpected and less noisy guest: the cryptocurrency miner Adylkuzz.
>> We repeated the operation several times with the same result: within
>> 20 minutes of exposing a vulnerable machine to the open web, it was
>> enrolled in an Adylkuzz mining botnet.
>>
>> Figure 1: EternalBlue/DoublePulsar attack from one of several
>> identified hosts, then Adylkuzz being downloaded from another host -
>> A hash of a pcap of this capture is available in the IOCs table.
>>
>> The attack is launched from several virtual private servers which
>> are massively scanning the Internet on TCP port 445 for potential
>> targets.
>>
>>
>> Upon successful exploitation via EternalBlue, machines are infected
>> with DoublePulsar. The DoublePulsar backdoor then downloads and runs
>> Adylkuzz from another host. Once running, Adylkuzz will first stop
>> any potential instances of itself already running and block SMB
>> communication to avoid further infection. It then determines the
>> public IP address of the victim and download[s] the mining
>> instructions, cryptominer, and cleanup tools.
>>
>> It appears that at any given time there are multiple Adylkuzz command
>> and control (C&C) servers hosting the cryptominer binaries and mining
>> instructions.
>>
>> Figure 2 shows the post-infection traffic generated by Adylkuzz
>> in this attack.
>
> Symptoms of the attack include a loss of access to networked resources
> and system sluggishness. Kafeine said that some people who thought
> their systems were infected in the WannaCry outbreak were in fact hit
> by the Adylkuzz attack. The researcher went on to say this overlooked
> attack may have limited the spread of WannaCry by shutting down SMB
> networking to prevent the compromised machines from falling into the
> hands of competing botnets.
>
> Proofpoint researchers have identified more than 20 hosts set up to
> scan the Internet and infect vulnerable machines they find. The
> researchers are aware of more than a dozen active Adylkuzz control
> servers. The botnet then mined Monero, a cryptocurrency that bills
> itself as being fully anonymous, as opposed to Bitcoin, in which all
> transactions are traceable.
>
> Monday's report came the same day that a security researcher who works
> for Google found digital fingerprints tying a version of WCry from
> February to Lazarus Group, a hacking operation with links to North
> Korea. In a report published last month, Kaspersky Lab researchers
> said Bluenoroff, a Lazarus Group offshoot responsible for financial
> profit, installed cryptocurrency-mining software on computers it
> hacked to generate Monero coins. "The software so intensely consumed
> system resources that the system became unresponsive and froze,"
> Kaspersky Lab researchers wrote.
>
> Assembling a botnet the size of the one that managed WannaCry and
> keeping it under wraps for two to three weeks is a major coup.
> Monday's revelation raises the possibility that other botnets have
> been built on the shoulders of the NSA but have yet to be identified.
>

With links:
https://arstechnica.com/security/2017/05/massive-cryptocurrency-botnet-used-leaked-nsa-exploits-weeks-before-wcry/
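A small detection check for the first stage Kafeine describes above (a handful of hosts fanning out across many targets on TCP port 445). This is an added example, not code from the article, Proofpoint or Ars Technica; the firewall log format and the sample lines are constructed, and all addresses are from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample connection log (hypothetical firewall format, not from the article):
# one accepted/attempted TCP connection per line. 203.0.113.5 is the fan-out scanner,
# 198.51.100.9 is an internal host talking to a single file server on 445.
SAMPLE_LOG = """\
2017-05-02T10:00:01 src=203.0.113.5 dst=198.51.100.1 dport=445 proto=tcp
2017-05-02T10:00:01 src=203.0.113.5 dst=198.51.100.2 dport=445 proto=tcp
2017-05-02T10:00:02 src=203.0.113.5 dst=198.51.100.3 dport=445 proto=tcp
2017-05-02T10:00:02 src=203.0.113.5 dst=198.51.100.4 dport=445 proto=tcp
2017-05-02T10:00:03 src=203.0.113.5 dst=198.51.100.5 dport=445 proto=tcp
2017-05-02T10:00:03 src=203.0.113.5 dst=198.51.100.6 dport=445 proto=tcp
2017-05-02T10:00:04 src=198.51.100.9 dst=198.51.100.10 dport=445 proto=tcp
2017-05-02T10:00:05 src=198.51.100.9 dst=198.51.100.10 dport=445 proto=tcp
2017-05-02T10:00:06 src=203.0.113.7 dst=198.51.100.2 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def smb_scanners(log_text, min_targets=5):
    """Return {src: distinct_445_targets} for sources that touched at least
    min_targets distinct hosts on TCP/445. Normal SMB clients talk to a few
    servers repeatedly; a scanner touches many hosts once each, so the count of
    distinct destinations (not the count of connections) is the signal."""
    targets = defaultdict(set)
    for rec in parse(log_text):
        if rec["proto"] == "tcp" and rec["dport"] == 445:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanner {src}: {n} distinct targets on tcp/445")
```

The threshold is a starting point; on a real perimeter it should be tuned against the number of legitimate SMB servers a client normally reaches.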
