
Adylkuzz Cryptocurrency Mining Malware using same SMB vulnerabilities as WannaCry Ransomware


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

On Friday 12th May attackers exploited Microsoft SMB vulnerabilities to distribute and propagate WannaCry Ransomware (CC-1411).

Threat details

Proofpoint has since discovered that another attack has been distributing the Adylkuzz cryptocurrency mining malware by leveraging the same SMB vulnerability, MS17-010, via the EternalBlue exploit (CC-1353) and the DoublePulsar backdoor (CC-1354).

The payload of this attack poses significantly less risk than WannaCry: the Adylkuzz mining botnet uses processing time on each infected bot to generate Monero (XMR), an open source cryptocurrency.

The Adylkuzz campaign has been seen since at least 2nd May 2017. The attack is launched from several virtual private servers which scan the Internet on TCP port 445 for potential targets.

Upon successful exploitation, Adylkuzz first stops any instances of itself already running and blocks SMB communication (TCP port 445) to avoid further infection by other malware, including WannaCry. It then determines the public IP address of the victim and downloads the mining instructions, the cryptominer and cleanup tools.

The SMB vulnerabilities are highly likely to be used by other malware to propagate worms over local networks, over other networks such as N3 (Transition Network), HSCN or the PSN networks, and over the internet.
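As an added illustration, not part of the NHS Digital alert, the following Python script looks for the behaviour described above in firewall logs: a single source reaching many distinct hosts on the SMB ports, which from an internal address looks like worm propagation and from an external address like the Internet-wide TCP 445 scanning attributed to the campaign. The space-separated log format, the sample lines and the threshold are constructed assumptions.

```python
"""Flag SMB (TCP 445/139) scanning and worm-like fan-out in firewall logs.
Added example, not from the NHS Digital alert; log format and lines are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed lines: <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>
SAMPLE_LOG = """\
2017-05-15T09:00:01 10.20.1.15 10.20.1.20 TCP 445 ALLOW
2017-05-15T09:00:02 10.20.1.15 10.20.1.21 TCP 445 ALLOW
2017-05-15T09:00:02 10.20.1.15 10.20.1.22 TCP 445 ALLOW
2017-05-15T09:00:03 10.20.1.15 10.20.1.23 TCP 445 DENY
2017-05-15T09:00:03 10.20.1.15 10.20.1.24 TCP 445 ALLOW
2017-05-15T09:00:05 10.20.1.40 10.20.1.5 TCP 445 ALLOW
2017-05-15T09:00:06 10.20.1.40 10.20.1.5 TCP 445 ALLOW
2017-05-15T09:00:07 198.51.100.23 203.0.113.10 TCP 445 DENY
2017-05-15T09:00:08 198.51.100.23 203.0.113.11 TCP 445 DENY
2017-05-15T09:00:09 198.51.100.23 203.0.113.12 TCP 445 DENY
2017-05-15T09:00:10 10.20.1.40 10.20.1.9 TCP 443 ALLOW
"""

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {"445", "139"}

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def smb_events(log_text):
    """Yield (src, dst) for TCP flows to SMB ports; denied attempts count too."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than aborting the sweep
        _ts, src, dst, proto, port, _action = parts
        if proto == "TCP" and port in SMB_PORTS:
            yield src, dst

def find_smb_fanout(log_text, threshold=5):
    """Return {src: sorted distinct SMB targets} for sources at or above threshold."""
    targets = defaultdict(set)
    for src, dst in smb_events(log_text):
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}

def classify(findings):
    """Internal sources suggest lateral worm spread; external ones, 445 scanning."""
    return {s: "internal-fanout" if is_internal(s) else "external-scan" for s in findings}

if __name__ == "__main__":
    hits = find_smb_fanout(SAMPLE_LOG, threshold=3)
    for src, kind in classify(hits).items():
        print(f"{src}: {kind}, {len(hits[src])} distinct SMB targets")
```

Repeated connections to the same host (10.20.1.40 above) are not flagged, so the check targets fan-out rather than legitimate file-share use; tune the threshold to your network's normal SMB behaviour.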



Remediation steps

  • Ensure all affected platforms are updated in line with the Microsoft security bulletin MS17-010. Microsoft has additionally recommended applying all security patches released within the last 60 days; internet- and N3-facing systems should be prioritised. Because of the high severity of this vulnerability, Microsoft has taken the highly unusual step of releasing a patch for out-of-support operating systems including Windows XP, Windows 8 and Windows Server 2003. (Please be aware, though, that your AV provider is unlikely to release AV definitions to protect out-of-support operating systems.)
  • Use a vulnerability scanner (such as Nessus, OpenVAS or Microsoft Baseline Security Analyzer) to identify any unpatched systems.
  • Block SMB-related ports (UDP 137, 138 and TCP 137, 139, 445) at your organisation's external firewall (see https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment).
  • Ensure your AV software is properly configured and automatically scans all files and file operations (including file reads, writes and renames), and manually run scans on critical areas such as servers and shared network file storage.
  • If it is not possible to apply this patch, then block SMB-related ports (UDP 137, 138 and TCP 139, 445) across your organisation's network or disable SMB.
  • If your organisation has SMB port 445 exposed on any system, then review whether this is operationally necessary (including the use of NetBIOS ports UDP 137 and 138 and NetBIOS over TCP/IP ports TCP 137 and 139), as SMB and NetBIOS are both legacy protocols that may no longer be required within your environment.



Last edited: 17 February 2020 11:25 am