The Shadow Brokers hacking group is responsible for the release of the National Security Agency's (NSA) hacking exploits, among them the exploit for the Windows SMBv1 vulnerability that was used in the recent WannaCry global ransomware attack.
The worm, known variously as WannaCry, WanaCryptor, and WannaCrypt, targets computers running Microsoft operating systems. It is built on an exploit named EternalBlue, one of many NSA “cyber-weapons” released by a group known as the Shadow Brokers, who first started leaking NSA tools late last summer.
It isn’t clear where the Shadow Brokers got the NSA hacking tools, but the arrest of former NSA contractor Harold T. Martin III last August for stealing a massive amount of data has made him the most likely suspect.
Former NSA officials have claimed the Shadow Brokers’ tools are “identical” to those taken by Martin, reports The Washington Post.
The US government said it seized 50 terabytes of confidential data from Martin’s home which was stolen from the NSA and other intelligence agencies. A veteran contractor, Martin had access to classified information as part of his work in the intelligence-gathering division of the NSA named Tailored Access Operations.
He has been in custody since his arrest and is facing espionage charges. Another NSA employee was also arrested in 2015, but no information has been released about the individual.
The exploits leaked by The Shadow Brokers are allegedly identical to those stolen by former contractor Harold Martin https://t.co/TUeEXh4eKV pic.twitter.com/w7W5uExiQC— Joseph Cox (@josephfcox) May 17, 2017
"We are tracking over 110 different ransom Trojan gangs. This is just one of them." - @Mikko on #WannaCry https://t.co/KlEL8Q5j9P #nscnn — Kristie Lu Stout ✌🏽 (@klustout) May 17, 2017
The EternalBlue code formed the basis of the WannaCry ransomware, which struck networks on Friday in one of the biggest cyberattacks ever recorded.
- Install the MS Security Bulletin patches for MS17-010. Please note that Microsoft also released an emergency patch for Windows XP, which is out of support!
- Disable SMBv1.
- Backup your data on a regular basis and be sure to store the backups offline.
- Limit administrative privileges in the network.
- Segment your network.
- Make sure all nodes have security software installed and updated.
- Kaspersky users: make sure System Watcher is enabled and the software updated. System Watcher will roll back any files the ransomware manages to encrypt.
- For those who do not use Kaspersky Lab solutions, we suggest installing the free Kaspersky Anti-Ransomware Tool for business (KART).
- WannaCry is also targeting embedded systems. We recommend ensuring that dedicated security solutions for embedded systems are installed, and that they have both anti-malware protection and Default Deny functionality enabled.
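The first five items above are host checks an administrator can script. The following PowerShell audit is an added example, not code from the article or from Kaspersky: it tests whether one of the MS17-010 patches is present, reads the SMBv1 state, and with -Remediate disables SMBv1 and adds a host-firewall rule blocking inbound TCP 445. The KB IDs are the ones Microsoft published for MS17-010; the rule name and the remediation policy are this example's own choices.

```powershell
# Added example (not from the original article): audit a Windows host against the
# mitigation list and optionally remediate. Run in an elevated PowerShell session.
# Caveat: a host that later took a cumulative update may no longer list the
# original MS17-010 KB in Get-HotFix, so "absent" here means "verify", not "unpatched".
param(
    [switch]$Remediate   # disable SMBv1 and block inbound TCP 445 when set
)

$ms17010Kbs = @(
    'KB4012598',                         # XP / Vista / 2003 / 2008 (out-of-band release)
    'KB4012212', 'KB4012215',            # Windows 7 / 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',            # Windows 8.1 / 2012 R2
    'KB4012214', 'KB4012217',            # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patch {
    # $true if any MS17-010 KB is listed by Get-HotFix.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ms17010Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-Smb1State {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012 and later); otherwise read the
    # LanmanServer registry value Microsoft documents for Windows 7 / 2008 R2.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }   # value absent means SMB1 is on by default
    return [bool]$val.SMB1
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    # Host-level segmentation: other machines can no longer reach this host's SMB port.
    # Do not apply to file servers or domain controllers that must serve SMB.
    $name = 'Block inbound SMB (TCP 445)'   # example rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$patched = Test-Ms17010Patch
$smb1    = Get-Smb1State
Write-Host ("MS17-010 KB present : {0}" -f $patched)
Write-Host ("SMBv1 enabled       : {0}" -f $smb1)

if ($Remediate) {
    if ($smb1) { Disable-Smb1; Write-Host 'SMBv1 disabled (reboot required).' }
    Block-InboundSmb
    Write-Host 'Inbound TCP 445 blocked by the host firewall.'
}
```

Run it without switches first to collect the two answers across a fleet (for example through a remoting job), then with -Remediate on workstations. Disabling SMBv1 is the durable fix for the class of bug; the port block buys time on hosts that cannot be patched or rebooted immediately.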
An Evil Lair?
"Unlikely the attackers will be able to do anything with the bitcoins. Even though the wallet owners are anonymous, the transactions are visible to everybody and can be tracked. Once the bitcoins reach a payment point, where the attackers use them to purchase something in the real world, that payment can be tracked to shipment details, services, or other IPs, effectively increasing the chances of getting caught."
Adylkuzz cyberattack dwarfs WannaCry
As the world reels from the WannaCry ransomware attack, it has emerged that a second, potentially larger attack is already under way. It seems the widespread proliferation of military-grade cyberweapons has ushered in a new era of digital crime. Cyber bandits have again deployed both the EternalBlue and DoublePulsar exploits developed and used by the NSA, which were released by the Shadow Brokers hackers back in April.
“Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week's WannaCry infection,” wrote a security researcher who goes by the alias Kafeine at cybersecurity company Proofpoint.
This latest attack uses the two exploits to install the cryptocurrency miner Adylkuzz over corporate Local Area and wireless networks but, rather curiously, may actually have helped slow the spread of WannaCry.
However, in an apparent case of “picking your poison,” the Adylkuzz miner dramatically slows PC and server performance as it extracts cryptocurrency but it does not lock users out of their machines and data, as WannaCry did.
Researchers at Proofpoint estimate that the Adylkuzz attack may have begun as early as April 24 but was subsequently overshadowed in the hysteria that followed the WannaCry ransomware attacks.
The attack is launched from multiple virtual private servers which scan the internet for hosts exposing the vulnerable SMB service and install the Adylkuzz miner on those they can exploit.
Adylkuzz is believed to have infected more computers than WannaCry, using the same vulnerabilities.
The malware infection occurs as follows:
The EternalBlue exploit opens the door for infection with DoublePulsar on a target machine. DoublePulsar then downloads and runs Adylkuzz on the computer.
Adylkuzz then stops any preexisting versions of itself on the target machine and blocks SMB network communication with other machines, so that no further malware arriving through the same vulnerability can disrupt its operations. Because the host no longer spreads anything over SMB, the infection is also less likely to be noticed by defenders at first.
Once the door has been held open and detection risks have been minimized, Adylkuzz then downloads mining instructions, the cryptocurrency miner itself and a variety of cleanup tools to mask its activities.
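The infection chain above leaves two host-level traces: an SMB (TCP 445) block rule that no administrator created, and a process monopolising the CPU. The following PowerShell hunt is an added example, not from the article or from Proofpoint: it lists enabled block rules touching port 445 that are not on a team-maintained allow-list, and the processes with the most accumulated CPU time. Both checks are heuristics, and the allow-list contents are a constructed assumption; confirm any hit against the process binary and the firewall rule's origin before acting.

```powershell
# Added example (not from the original article): hunt for the two behaviours the
# text attributes to Adylkuzz. Heuristic only; it carries no Adylkuzz-specific IOCs.
# Assumption: $knownBlockRules holds the 445 block rules your own team deployed.
$knownBlockRules = @('Block inbound SMB (TCP 445)')   # constructed allow-list

function Get-UnexpectedSmbBlockRules {
    $hits = @()
    foreach ($rule in Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue) {
        $ports = $rule | Get-NetFirewallPortFilter
        # LocalPort / RemotePort are strings or string arrays ('445', 'Any', '445-445', ...)
        $touches445 = (@($ports.LocalPort) -contains '445') -or (@($ports.RemotePort) -contains '445')
        if ($touches445 -and ($knownBlockRules -notcontains $rule.DisplayName)) {
            $hits += [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Protocol  = $ports.Protocol
                Group     = $rule.Group        # rules created by hand usually have no group
            }
        }
    }
    return $hits
}

function Get-CpuHogs {
    param([int]$Top = 5)
    # Processes ranked by accumulated CPU seconds. A miner tends to sit at the top with a
    # binary outside \Windows and \Program Files; Path is empty for protected processes.
    Get-Process | Sort-Object CPU -Descending | Select-Object -First $Top `
        Name, Id, @{ n = 'CPUSeconds'; e = { [int]$_.CPU } }, Path
}

'--- Enabled block rules touching TCP 445 that are not on the allow-list ---'
Get-UnexpectedSmbBlockRules | Format-Table -AutoSize
'--- Top CPU consumers ---'
Get-CpuHogs | Format-Table -AutoSize
```

A block rule on 445 that the team did not create is worth treating as a lead in its own right: the text says the miner adds it to keep competing infections out, so finding it is evidence of an earlier compromise even if the miner itself has since been cleaned up.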
While the term cryptocurrency is typically associated with Bitcoin, Adylkuzz actually mines Monero, a currency that, unlike Bitcoin, hides the sender, recipient and amount of each transaction and whose proof-of-work can be mined on ordinary CPUs. Monero recently saw a significant uptick in usage after it was adopted in the AlphaBay market on the Dark Web.
#WannaCry XXL? 2nd even bigger global cyber attack already underway https://t.co/agSMftskRQ pic.twitter.com/zjq66mrZBT— RT (@RT_com) May 17, 2017
As with other cryptocurrencies, new Monero enters circulation through mining, which is what makes a fleet of hijacked CPUs valuable to the attacker. One monero is roughly equivalent to $27 at current exchange rates.
During its research, Proofpoint identified three addresses which had already generated $7,000, $14,000 and $22,000 respectively, before being shut down.
To cover their tracks, whoever is behind the attack regularly changes the online payment address to avoid attracting too much attention.
As in the case of the WannaCry attack, hackers have leveraged the NSA’s weaponized exploits of legacy Microsoft operating systems to infect hundreds of thousands of machines worldwide with malware. Since the Shadow Brokers’ leak of these NSA exploits there have been two high profile attacks with many more expected in the future.
The three bitcoin wallets tied to #WannaCry ransomware have received 273 payments totaling 44.84252902 BTC ($80,802.04 USD).— actual ransom (@actual_ransom) May 18, 2017
#WannaCry ransomware attack: How it works and how to protect yourself... https://t.co/sg2f9Ua23e pic.twitter.com/K34trlQxjB— Sophos (@Sophos) May 17, 2017