Proofpoint Uncovers Second Cyberattack That Uses Stolen NSA Tools

Cybersecurity company Proofpoint, which helped slow the sweeping global ransomware attack WannaCry after it emerged Friday, has now discovered a much more insidious, profitable, and potentially widespread cyberattack called Adylkuzz.

Adylkuzz doesn’t demand, as WannaCry does, that victims pay a ransom to retrieve their data. Adylkuzz makes no announcement when it quietly invades target computers. Instead, it stealthily recruits those computers into a network of cryptocurrency miners that stuff the hackers’ digital wallets full of a secretive unit of exchange called Monero, Proofpoint says. Such currencies can be used to buy illegal goods, including drugs and stolen credit cards. Hundreds of thousands of computers have been infected with Adylkuzz, and they are rapidly infecting other machines in turn, Proofpoint says.

Both WannaCry and Adylkuzz take advantage of the most dangerous of the cyberhacking tools that were stolen from the U.S. National Security Agency, Proofpoint’s senior vice president of cybersecurity strategy Ryan Kalember says. The NSA tools were published online April 14 by an elusive group called Shadow Brokers. That group has exposed many more of the NSA’s secret intelligence tactics, but the computer back door and the Microsoft vulnerability exploited by these two recent malware attacks were “the pick of the litter,” Kalember says.

“There are others, but these are the bad ones that spread like a worm,” Kalember says.

Sunnyvale, CA-based Proofpoint discovered that Adylkuzz was actually unleashed well before WannaCry—as early as April 24, and at least by May 2. It spread, undetected until now, assembling botnets of computers that may have yielded “five-figure payouts daily,” Kalember says in a Proofpoint statement.

Meanwhile, performance flagged for the hijacked PCs, and users suffered a loss of access to shared resources on Microsoft Windows.

After the Shadow Brokers published the NSA tools cache in mid-April, Proofpoint was on the lookout for signs that hackers would try to make use of those vulnerabilities. Eternal Blue was an opening in Microsoft’s Server Message Block (on TCP port 445), and Double Pulsar was a back door that could be used to install malware.

A researcher watching Proofpoint’s sensor net picked up signs of Eternal Blue early on Friday, Kalember says. That was the WannaCry attack, which also used Double Pulsar.

To catch WannaCry and study it, Proofpoint then laid out bait on the open Web—a sacrificial virtual machine that lacked the Microsoft patch. What Proofpoint caught instead was Adylkuzz—the underground malware that hadn’t set off alarms.

Kalember says Proofpoint hasn’t traced Adylkuzz to its source—whether that be a group of cybercriminals or a government-backed hacker cadre from North Korea, which has come under suspicion in the WannaCry attack.

“There are no telltale clues that we’ve been able to identify,” Kalember says of Adylkuzz.

Nor can he tell whether WannaCry was a diversion, set up to mask a larger Adylkuzz attack carried out by the same people; or if the two types of attacks were operated by competing hacker groups. Adylkuzz, which started first, may have actually slowed the spread of WannaCry, because once it enters a computer, it prevents other malware from infecting it by shutting down the vulnerable port.

The WannaCry and Adylkuzz attacks are unusually effective because they don’t start with e-mail phishing campaigns, which rely on unwitting users to click on a bad link in a malicious e-mail, thus opening the door to malware, Kalember says. Instead, they enter a computer on the operating system level and spread through organizational networks. No action by the victim is required.

If Adylkuzz had been forcing hijacked computers to become Bitcoin miners rather than Monero miners, cybersecurity teams might have looked for clues to the hackers’ identities by searching for rising balances in Bitcoin accounts, Kalember says. Bitcoin ledgers are public. But Monero is a “dark web” currency used to pay for illegal things, and is much more private, he says.

Until infected computers are patched and cleaned up by antivirus tools, Adylkuzz could keep spreading and running slowly on compromised machines, cranking out new units of cryptocurrency “ad infinitum” for its criminal creators, Kalember says. They won’t relinquish a computer on their own, so the already widespread attack could have a long tail, he says.

“Worms always last longer than people would expect,” Kalember says. “They’re really hard to kill.”

Trending on Xconomy