Cryptocurrency-mining malware has been using WannaCry’s NSA exploit for weeks

How many threats are abusing this vulnerability!?

A cryptocurrency-mining malware began exploiting a leaked NSA vulnerability several weeks before WannaCry sank its teeth into it.

Proofpoint’s security researchers came across the malware while researching the global WannaCry ransomware outbreak that started on 12 May. This campaign leverages “EternalBlue” and “DoublePulsar,” two tools developed by the National Security Agency (NSA) and subsequently leaked by hackers known as the Shadow Brokers. The utilities allow WannaCry’s handlers to abuse a Windows vulnerability, leverage it to detect and spread to vulnerable machines on a network, and download the ransomware payload.

WannaCry had spread to over 150 countries and reached more than 200,000 victims.

The researchers expected to see the WannaCry ransom message when they looked at a lab machine vulnerable to EternalBlue. Instead they found a subtler threat: Adylkuzz.

For distribution, this malware relies on virtual private servers that scan the Internet on TCP port 445. If infection proves successful, it enlists victims in a cryptocurrency-mining botnet. But Adylkuzz isn’t interested in sharing an affected computer that’s capable of communicating over Microsoft’s Server Message Block (SMB).

Read full news article on Graham Cluley