Cyber bandits used EternalBlue and DoublePulsar, developed by the NSA and released by the ShadowBrokers hackers back in April. The attackers used both these exploits to install the cryptocurrency miner Adylkuzz.
“We don’t know how big it is” but “it’s much bigger than WannaCry”, Proofpoint’s vice president for email products, Robert Holmes, told AFP on Wednesday.
The WannaCry cyberattack paralyzed computer systems worldwide. In Freiburg, Germany, a passenger told FWM, that all electronic noticeboards were down and transport interrupted. Not only Deutsche Bahn rail network were among those hit, but also Britain’s National Health Service, US package delivery giant FedEx and Spanish telecoms giant Telefonica.
US officials on Tuesday put the number of computers infected by WannaCry at over 300 000. Despite a quick breakthrough that caused WannaCry to be slowed down, researchers don’t yet fully understand it.
“The problem is that we’re still not certain about the origin of the infections” because it wasn’t via emails which deceive users into installing the virus, an expert told AFP on condition of anonymity.
The latest attack targets the same vulnerabilities as the WannaCry ransomware, but uses the hundreds of thousands of computers believed to have been infected to mine virtual currency.
Researchers at Proofpoint have discovered Adylkuzz, said Nicolas Godier, a researcher at the computer security firm. “It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose,” he said.
Virtual currencies such as Monero and Bitcoin make use of volunteers computers to record transactions.
According to Proofpoint the attack include loss of access to shared Windows resources and degradation of PC and server performance. “As it is silent and doesn’t trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals. It transforms the infected users into unwitting financial supporters of their attackers,” said Godier.
Adylkuzz may have been infecting computers since at least May 2, and perhaps even since April 24, but due to its stealthy nature was not immediately detected.
Shadow Broker hackers also released a data dump allegedly stolen from the NSA that details the agency’s ability to hack international banks, as well as the SWIFT network, via Windows PCs and servers used in global financial transfers.
Dubbed ‘Lost in Translation,’ the hack lists Qatar First Investment Bank, Dubai Gold and Commodities Exchange and Tadhamon International Islamic Bank as allegedly compromised.
One of the world’s most secure methods of making payment orders has been compromised as the hacking tools are now freely available online.
Adylkuzz initially prevents cybersecurity professionals from identifying that there is a problem.
While the term cryptocurrency is typically associated with Bitcoin, Adylkuzz actually mines Monero, a similar but more heavily encrypted digital currency. Monero became popular after it was adopted in the AlphaBay market on the Dark Web. One monero is roughly equivalent to $27 at current exchange rates.
The attackers regularly changes the online payment address to avoid attracting attention.
As in the case of the WannaCry attack, hackers used the NSA’s weaponized tools of Microsoft operating systems to infect hundreds of thousands of machines worldwide with malware, and many more are expected in the future.