After facing a massive “WannaCrypt” ransomware attack that exploited a vulnerability in a Microsoft software and hit 150 countries, the same Windows vulnerability (MS17-010) has also been exploited to spread another type of malware that is quietly but fast generating digital cash from machines it has infected.
According to a report in The Registrar on Wednesday, tens of thousands of computers globally have been affected by the “Adylkuzz attack” that target machines, let them operate and only slows those down to generate digital cash or “Monero” cryptocurrency in the background.
“Monero” — being popularised by North Korea-linked hackers — is an open-source cryptocurrency created in April 2014 that focuses on privacy, decentralisation and scalability.
It is an alternative to Bitcoin and is being used for trading in drugs, stolen credit cards and counterfeit goods.
“Initial statistics suggest that this attack may be larger in scale than WannaCry[pt], because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry[pt] worm) via that same vulnerability,” US-based cyber security firm Proofpoint researchers were quoted as saying in the report.
This is how a cryptocurrency attack works.
The hackers need to mine cryptocurrency using computers/computing devices (IoT included).
“Mining of cryptocurrency simply means solving complex cryptography problems designed within the algorithm of a cyber-currency that requires a lot of computing,” Saket Modi, CEO and Co-founder of Delhi-based IT risk assessments provider Lucideus, told IANS.
To draw a parallel, there can only be 21 million Bitcoins that can be mined out of which 16 million have already been mined, informed Modi.
“Monero”, on the other side, is slightly different than Bitcoin but for simplification’s sake, it can be assumed that it follows a similar architecture and similar mining process.
“Hence, there is a new wave of cyber attacks where the hacker is least interested in the personal information of the victim and instead his only motivation is to gain access to the CPU of the victim’s computer/mobile/IoT device so that they can use it to mine more currencies (and correspondingly make more money),” Modi told IANS.
This looks like something more dangerous than “WannaCrypt” as the victim doesn’t come to know that they have been hacked, but, on the other side, “the good part is that the hacker here is not interested in the victim’s personal data,” Modi told IANS.
To achieve this, the hackers find a vulnerability in one of the servers in the targeted organisation or they would infect a website which employees of a targeted organisation often visit.
“They would then infect the IT infrastructure of the target with malware and would identify where a server running SWIFT software is installed. They would download additional malware to interact with SWIFT software and would try to drain the organisation’s accounts,” Altaf Halde, Managing Director of Kaspersky Lab (South Asia), told IANS.
According to Proofpoint, the “Adylkuzz” attack is still growing.
“Once infected through use of the ‘EternalBlue’ exploit, the cryptocurrency miner ‘Adylkuzz’ is installed and used to generate cybercash for the attackers,” Robert Holmes, Vice President of products at Proofpoint, was quoted as saying.
According to experts, the “Adylkuzz” began its attack on or before May 2, more than a week before “WannaCrypt” arrived and hit 150 countries, including India.
“Indications are that the crooks behind ‘Adylkuzz’ have generated a lot more money than the ‘WannaCrypt’ ransomware fiends,” The Registrar report noted.
According to cyberscoop.com, “Monero” doubled in price over the last month to around $23 while other digital currencies, including bitcoin, saw a mixed month.
“Cybercriminals intrigued by the currency’s promises of greater anonymity are using it more often on black markets.” it said.
This is how organisations can save themselves from such cryptocurrency attacks.
“If your organisation has software tools for conducting money transactions like SWIFT software, invest into additional protection and regular security assessment in addition to standard protection measures implemented on all other parts of the organization’s network,” Halde informed.
Protect backup servers as they contain information that can be of use for attackers: passwords, logins, and authentication tokens.
“When deploying specialised software for money processing follow recommendations and best security practices from your software vendor and security professionals,” Halde added.
In case of suspicion of intrusion, request for professional assistance with incident response.