Do you WannaCry?
- 1 minAs most of us may have noticed there was a pretty well broadcasted vulnerability a week or so ago known as WannaCry. WannaCry originated from a massive ransomware attack using the EternalBlue exploit.
EternalBlue was originally exposed back on April 14th via the Shadow Broker’s dump of the NSA hacking tools. This specific tool leveraged a vulnerability known as MS17-010 which involves multiple Windows SMB remote code execution. The exploit would take place when an unauthenticated attacker could send a specially crafted packet to a target SMB server. This vulnerability which was found across Windows uses TCP port 445 to discover vulnerable computers on the network and spread malicious payloads across it. The attack used an NSA backdoor known as DoublePulsar.
While this made headlines, there was another attack happening as well. This other attack was also utilizing EternalBlue as well as DoublePulsar to install the cryptocurrency miner Adylkuzz. Most of this went unnoticed as WannaCry affected more mainstream people than those using cryptocurrencies. When this exploit would take place it would shut down SMB networking to prevent further infections to the system and enroll in an Adylkuzz mining botnet.
Adylkuzz is being used to mine Monero cryptocurrency. Monero, which is similar to Bitcoin is believed to focus more on privacy and untraceable transactions. It is believed that because Adylkuzz removes all other infections, that it might have mitigated most of the WannaCry vulnerabilities and kept the attack vector much smaller.
There is a still a small trend of code executions happening, but it has slowed down due to researchers and various security companies releasing patches and kill switches. From this attack we have noticed the same vulnerabilities in other SMB and CIFS services such as Samba. The Samba team recently patched a vulnerability which existed on all version and was used for Linux systems. The use of pulling in a cryptocurrency miner to take control of a system is both intelligent and frightening. I wonder how much more these botnets will be used in future exploits.
