Two leaked NSA hacking tools that enabled the spread of a global ransomware attack have also been used by hackers to mine cryptocurrency for weeks, according to security experts who claim the scope of the infection could be "larger in scale" than WannaCry.
On 15 May, researchers from US cybersecurity firm Proofpoint released evidence that "EternalBlue" and "DoublePulsar" – two US cyberweapons – were helping to spread a "large-scale attack" that installed a strain of Monero mining software called "Adylkuzz".
The same tools were utilised by unknown hackers to spread malware across hundreds of thousands of unpatched Windows computers late last week (12 May).
As reported, victims of the cyber attack included telecommunications giant Telefonica and the UK health service. It later spread to 150 countries, experts said.
Proofpoint, as described in a blog post by cybersecurity researcher 'Kafeine', said analysis suggests the scale of the attacks – which potentially date back as early as 24 April – may be more widespread than WannaCry, earning the hackers tens of thousands of dollars.
Kafeine suggested the existence of the Adylkuzz miner may have actually "limited the spread" of the notorious ransomware worm because it shuts down SMB networking (the specific Microsoft system being exploited) to prevent infection from other malware.
The cyberattack is reportedly launched from private servers which are actively scanning the web for potential targets.
Once found, the victim is exploited using the 'EternalBlue' tool and infected with the 'DoublePulsar' backdoor. Adylkuzz is then downloaded via a separate host, Kafeine said.
In this case, the hackers were using the multiple exploits to mine Monero – an ultra-anonymous form of digital currency. Like bitcoin, computing power is used to create the money. Monero hit the headlines last year after being adopted on dark web marketplace AlphaBay.
Proofpoint analysis indicated the hackers are switching Adylkuzz addresses (a form of digital wallet system) to help evade detection.
In one known example, the experts found the criminals were able to net over $22,000 before moving on to a fresh domain.
"Like last week's WannaCry campaign, this attack makes use of leaked NSA hacking tools and leverages a patched vulnerability in Microsoft Windows networking," the resercher explained, adding: "The Adylkuzz campaign, in fact predates WannaCry by many days."
"This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive," Kafeine continued, adding: "Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance.
"Several large organisations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity."
It is highly advised that all IT administrators update all computers and install the latest Microsoft patches. "Two major [hacking] campaigns have now employed the attack tools and vulnerability; we expect others will follow," Proofpoint warned. You can read the full technical report here.