A cybersecurity firm has claimed that another, bigger cyber attack is on the way, adding that the next incident could “dwarf” the last.
Nicolas Godier, a researcher at cybersecurity firm Proofpoint, claims that his team discovered the new attack called Adylkuzz, which is related to last week’s WannaCry “ransomware worm.”
“It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose,” said Godier. “As it is silent and doesn’t trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals.”
“It transforms the infected users into unwitting financial supporters of their attackers,” he continued, explaining that Adylkuzz lays low on infected devices and mines the crypto-currency Monero, before sending the financial gain to the perpetrators.
Proofpoint’s vice president for email products, Robert Holmes, admitted that though the firm doesn’t “know how big it is,” it’s allegedly “much bigger than WannaCry,” which itself infected over 300,000 computers during the attack last week.
“We have seen that before — malware mining cryptocurrency — but not at this scale,” Holmes confessed.
According to a blog post by Proofpoint, the spread of Adylkuzz may have even prevented further infections from the WannaCry attack.
“Because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection,” the company declared in their post. “Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance.”
“Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity,” they continued. “However, it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.”
“Like last week’s WannaCry campaign, this attack makes use of leaked NSA hacking tools and leverages a patched vulnerability in Microsoft Windows networking,” Proofpoint concluded. “For organizations running legacy versions of Windows or who have not implemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerable to this type of attack. Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly. Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible.”
Following last week’s global attack, which disrupted organizations and services around the world, including Britain’s National Healthcare Service (NHS), Microsoft criticized the U.S. government for poorly storing cyberweapons, which had been leaked from the National Security Agency (NSA).
“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States,” Microsoft explained in a statement. “That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers.”
“While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected,” they claimed.
Citing the recent WikiLeaks releases that included leaked code for CIA programs, Microsoft added that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” calling it “an emerging pattern in 2017.”
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” the company declared. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
“The governments of the world should treat this attack as a wake-up call,” they expressed, claiming that government agencies “need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”