Tue, May 23, 2017

No Ransom Demand? Your Network May Still Be a Victim of the EternalBlue Vulnerability

Cyber security researchers across the world have seen instances where organizations that have seen no obvious impact from the WannaCry ransomware (and other ransomware variants of WannaCry) have still experienced network issues.

Of course, not all network issues are connected to external attacks, but it turns out that even if you have avoided infections by WannaCry, your network could still be seriously compromised by specifically two other malware variants that use the same underlying Microsoft Windows vulnerabilities “EternalBlue” and “DoublePulsar.”

Another piece of malware that exploits the same vulnerabilities “Adylkuzz” began circulating before WannaCry, perhaps as early as late April. Adylkuzz has an entirely different objective than WannaCry and is not ransomware.

What is Adylkuzz?

Adylkuzz is designed to steal computer processing power to carry out cryptocurrency mining for the “Monero” virtual currency. Monero is similar to the more well-known bitcoin, however, the developers claim that it is significantly more anonymous than bitcoin. Some sites on the dark web catering to cyber criminals have used it to reduce the chance of transactions being tied to the people who engaged in them. Like the methodology that drives bitcoin transactions, there is a complex mathematical problem used to validate the shared ledger, and the person who successfully solves the math problem is rewarded with virtual currency. It is alleged that the botnet created by Adylkuzz has reaped thousands of dollars of these rewards for whoever launched the Adylkuzz malware.

Certainly, Adylkuzz is not going to encrypt your files or ask you for ransom. But it is by no means innocuous, as shown by researchers who connected a vulnerable computer to the global internet. Infection with the Adylkuzz malware occurred within minutes. When operating in your network as part of a huge botnet designed to enable its operators to receive the rewards for successfully mining Monero virtual currency, you may see that the performance of servers and user-machines is degraded, and may also discover that the affected machines can’t access shared Windows resources. This malware, because it doesn’t interact with your users, is somewhat stealthy, but you don’t want it in your network compromising system resources and performance.

How to tell if you have been attacked by malware

To determine if an enterprise has been attacked by WannaCry, Adylkuzz, or any malware exploiting the EternalBlue and DoublePulsar vulnerabilities, IT security departments can obtain the specific IP addresses that represent the IOCs (Indicators of Compromise) from a number of trusted sources. We recommend that you pass this message along to your IT security team to ensure they are aware of the potential problem and can take steps to determine if you have been compromised by these malware variants.

Please contact us if our Kroll Cyber Security specialists can be of assistance.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.