Windows WannaCry: This separate, ‘bigger’ malware attack also uses NSA’s exploit

Source: ZDNet
Stealthy cryptocurrency-mining malware using the same Windows exploit as the WannaCry ransomware began hitting machines weeks before Friday’s outbreak but may have accidentally prevented some WannaCry infections.
Unlike Friday’s noisy WannaCrypt attack that has affected 200,000 machines, the mining malware, dubbed Adylkuzz, has probably gone unnoticed until now because it aims to quietly free-ride its host’s processing power to mine the Bitcoin-like open-source cryptocurrency, Monero.
As noted by Proofpoint security researcher Kafeine, the ongoing Adylkuzz campaign kicked off as early as April 24 using the same EternalBlue exploit created by the NSA, which targets a flaw in Microsoft’s Server Message Block (SMB) networking protocol.
According to Kafeine, initial statistics suggest that this attack may be larger in scale than WannaCry.
As Microsoft explains, WannaCry spreads via two mechanisms: worm-like behaviour that infects other unpatched machines on the same network, and mass scanning of the internet for further vulnerable machines.
Kafeine told ZDNet that Adylkuzz isn’t a worm, but does spread by scanning for vulnerable Windows machines exposed to the internet.
The researcher discovered the Adylkuzz botnet while probing WannaCrypt on the weekend with an intentionally exposed computer.
He expected the machine to be infected by WannaCry but “within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet”.
Interestingly, machines infected with Adylkuzz may have been protected from WannaCry. Kafeine told ZDNet that the operators of Adylkuzz were essentially “closing the door behind them” to prevent subsequent infections by shutting down SMB communications.
“Once Adylkuzz has been launched on a machine, if Adylkuzz succeeds in closing SMB communication, which it did in all my runs, the machine can’t be infected by WannaCry through SMB through its ‘worm’ capabilities until the owner undoes what Adylkuzz did,” Kafeine explained.
Though less destructive than WannaCry, the Adylkuzz botnet may be just as lucrative for its operators.
Kafeine details three Monero addresses linked to the Adylkuzz attack, which to date have generated $22,000, $7,000, and $14,000. The addresses were banned today by the unnamed crypto pool that Adylkuzz is reporting to and receiving money from. The crypto pool lost 150,000 connections to miners after the addresses were booted off, said Kafeine.
As Kafeine explains in a blogpost, the Adylkuzz attack is launched from several virtual private servers that scan the internet on TCP port 445 for potential targets.
“Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host,” Kafeine said.
“Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools.”
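The chain Kafeine describes leaves two network-level traces a defender can look for: external sources probing many internal hosts on TCP/445, and hosts whose SMB port answered and then abruptly stopped answering (Adylkuzz blocks SMB after infection, so a newly silent port 445 is a lead to triage, not a sign the host is safe). The script below is an added example, not code from the article or from Proofpoint; the log format, IP ranges and sample lines are constructed for illustration.

```python
"""Triage helpers for the Adylkuzz pattern: (1) external sources scanning
TCP/445 across internal hosts, (2) internal hosts whose 445 went dark.
Log format and all sample lines are constructed for this example."""
from collections import defaultdict

# Constructed flow-log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <result>"
# "accepted" = handshake completed, "refused" = reset or no answer.
SAMPLE_LOG = """\
1493030000 203.0.113.10 10.0.0.5 445 accepted
1493030001 203.0.113.10 10.0.0.6 445 accepted
1493030002 203.0.113.10 10.0.0.7 445 refused
1493030003 203.0.113.10 10.0.0.8 445 refused
1493030010 198.51.100.7 10.0.0.5 445 accepted
1493030020 10.0.0.9 10.0.0.5 445 accepted
1493031500 198.51.100.7 10.0.0.5 445 refused
1493031600 10.0.0.9 10.0.0.5 445 refused
1493031700 10.0.0.9 10.0.0.6 445 accepted
"""

def parse(log):
    for line in log.splitlines():
        ts, src, dst, port, result = line.split()
        yield int(ts), src, dst, int(port), result

def is_internal(ip):
    return ip.startswith("10.")  # constructed: this example's internal range

def port445_scanners(log, min_targets=3):
    """External sources that touched >= min_targets distinct internal hosts on 445."""
    targets = defaultdict(set)
    for _, src, dst, port, _ in parse(log):
        if port == 445 and not is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)

def smb_went_dark(log):
    """Internal hosts that accepted on 445 and refused every attempt after that."""
    events = defaultdict(list)
    for ts, _, dst, port, result in parse(log):
        if port == 445 and is_internal(dst):
            events[dst].append((ts, result))
    dark = []
    for host, evs in events.items():
        evs.sort()
        last_ok = max((ts for ts, r in evs if r == "accepted"), default=None)
        if last_ok is None or evs[-1][0] <= last_ok:
            continue  # never reachable, or still reachable at the end
        if all(r == "refused" for ts, r in evs if ts > last_ok):
            dark.append(host)
    return sorted(dark)
```

Hosts returned by `smb_went_dark` should be checked for the firewall or service changes described above rather than treated as patched, since the port being closed is exactly what the miner does after landing.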