The central government has issued alerts about potential cyber attacks involving two pieces of malware that are likely more dangerous than WannaCry.
WannaCry or WannaCryptor 2.0, the ransomware used for a global cyber attack on May 12, affected over 2,00,000 computer systems in at least 150 nations. The attackers raked in over $1 million in the digital currency Bitcoin from their victims.
The new threats have been identified as Adylkuzz and EternalRocks. While Adylkuzz uses two exploits, as WannaCry does, EternalRocks leverages all seven exploits stolen from the United States National Security Agency and dumped online by the Shadow Brokers hacker group.
An exploit is a piece of software, sequence of commands, or data that uses some vulnerability, generally in the operating system’s code, to damage or take control of computer software, hardware and even entire networks.
“Adylkuzz is a cryptocurrency miner that exploits a vulnerability in the Windows operating system just like WannaCry to generate digital cash,” said the first alert issued by the National Critical Information Infrastructure Protection Centre on May 25. “Unlike WannaCry, which locks down a system until ransom is paid, Adylkuzz allows the computer to work but at the same time generates digital cash or Monero cryptocurrency in the background.”
“This cyber attack is still ongoing and may be larger in scale than WannaCry,” the alert added. “Users will experience degradation of computer speeds, bad server performance and lose access to shared Windows resources if their device is infected.”
In another advisory issued on May 26, the government described the second potential threat. “EternalRocks is a new Network Worm which is the successor to the WannaCry ransomware,” the advisory warned. “EternalRocks leverages some of the same vulnerabilities and exploit tools as WannaCry but is potentially more dangerous because it exploits seven NSA tools that were released as part of the Shadow Brokers dump for infection instead of two used by WannaCry.”
“So EternalRocks has the potential to spread faster and infect more systems,” the alert added. “EternalRocks is currently dormant and is not doing anything nefarious such as encrypting hard drives. But EternalRocks could be easily weaponised in an instant, making the need for preventive action urgent.”
The twin alerts were put out on the centre’s website and on that of the Cyber Swachhta Kendra as well.
Vineet Kumar, a cyber security consultant to several government agencies, said the first signs of EternalBlue – one of the exploits used by Adylkuzz – were noticed by cyber security experts on the day of the WannaCry attack itself and the government was informed about it. EternalRocks, however, did not ring alarm bells until May 15.
While computer systems of some government agencies are suspected to be infected by EternalBlue, Kumar said, no EternalRocks attacks have been reported so far. “At this stage, it is very difficult to do an assessment of the damage caused by the two pieces of malware for two reasons,” he added. “First, they have not been activated to cause disruptions, so most users will not realise their computers have been affected. Second, such security breaches are anyway under-reported as many enterprises fear losing the trust of their clients.”
In its advisory, the government credited the discovery of EternalRocks to Miroslav Stampar of the Croatian government’s Computer Emergency Response Team. “Stampar found that EternalRocks disguises itself as WannaCry to fool security researchers,” it said. “But instead of dropping ransomware, it gains unauthorised control of the affected computer to launch future cyber attacks.”
Since there is no kill switch or antidote to destroy the two pieces of malware yet, the government has listed a few precautionary measures in its advisories. These include making regular data backups, enabling visibility of hidden file extensions, installing regular updates and patches, avoiding unsolicited attachments and enabling the Windows firewall.
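The measures listed above can be applied and checked from an administrator's PowerShell session. The script below is an added example written for this article; it is not code from the government advisories or from any of the researchers named here. It assumes a Windows version that ships the NetSecurity cmdlets (Windows 8.1 / Server 2012 R2 or later) and an elevated session for the firewall change; the backup path is a placeholder to be replaced with the real location.

```powershell
# Added example, not from the article or the advisories it cites.
# Applies the precautions the advisories list and reports anything still wrong.
# Assumes: Windows 8.1 / Server 2012 R2 or later, elevated PowerShell session.

# 1. Show file extensions and hidden files in Explorer, so a file such as
#    "invoice.pdf.exe" is displayed with its real extension.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord
Set-ItemProperty -Path $explorerKey -Name 'Hidden'      -Value 1 -Type DWord  # 1 = show hidden files

# 2. Turn the Windows Firewall on for every network profile and verify it stuck.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
$disabled = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($disabled) {
    Write-Warning ('Firewall still disabled for profile(s): ' + ($disabled.Name -join ', '))
} else {
    Write-Output 'Windows Firewall is enabled on all profiles.'
}

# 3. Check that updates are being installed regularly: list the newest hotfixes
#    and warn if nothing has been installed in the last 30 days.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 5
$latest | Format-Table HotFixID, Description, InstalledOn -AutoSize
$newest = ($latest | Select-Object -First 1).InstalledOn
if (-not $newest -or ((Get-Date) - $newest).Days -gt 30) {
    Write-Warning 'No update installed in the last 30 days; run Windows Update.'
}

# 4. Check that a recent backup exists. $backupRoot is a placeholder path.
$backupRoot = 'D:\Backups'   # placeholder: set to the real backup location
if (Test-Path $backupRoot) {
    $lastBackup = Get-ChildItem -Path $backupRoot -Recurse -File |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $lastBackup -or ((Get-Date) - $lastBackup.LastWriteTime).Days -gt 7) {
        Write-Warning "No backup file newer than 7 days under $backupRoot."
    } else {
        Write-Output ("Most recent backup: {0} ({1})" -f $lastBackup.FullName, $lastBackup.LastWriteTime)
    }
} else {
    Write-Warning "Backup location $backupRoot not found; backups may not be running."
}
```

The Explorer settings take effect for new Explorer windows (or after signing out and back in). Avoiding unsolicited attachments is a user practice rather than a setting, so the script cannot enforce it; the extension-visibility change is the technical control that supports it.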