Threats Lurking Beneath the Surface: The Rise of Cryptocurrency Snakes

With the world’s focus on the recent aggressive cyber-attack epidemic, a subtler, yet equally terrifying threat has begun to emerge. WannaCry represented the brutal, blunt-force impact a cyber-attack can have, directly assaulting the lives and livelihoods of people across the globe. It draws mass media attention because it affects thousands of people worldwide and makes itself known by design, forcing the afflicted user either to pay a ransom or to accept having their devices locked. What has failed to receive its due attention, however, is the snake known as Adylkuzz.

In contrast to WannaCry’s brash, up-front demand of a ransom in exchange for unlocking a system, Adylkuzz is a background cryptocurrency miner. It infects a device and uses it to mine Monero, a cryptocurrency similar to Bitcoin. Mining is very computationally intensive, and so it degrades the performance of both the infected devices and the servers they are connected to. These symptoms are easily misattributed to mundane causes, such as heavy network traffic. The problem is that this kind of attack can continue indefinitely without the user ever being explicitly aware that an issue exists. The average user could host Adylkuzz for weeks and not even notice the drop in performance.
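One way to act on the distinction drawn above between transient load and a miner's persistent CPU consumption, as an added example that is not from the original post or from Trillium: a small Python check over constructed per-process CPU samples that flags only processes whose usage stays high across several consecutive sampling intervals. The process names and percentages are constructed for illustration.

```python
from collections import defaultdict

# Constructed per-process CPU samples: one list per sampling interval, each entry
# (process name, CPU percent). Values and names are hypothetical, modelled on what a
# monitoring agent would collect every few seconds.
SAMPLES = [
    [("browser.exe", 20.0), ("svchost.exe", 2.0), ("unknown.exe", 90.0)],
    [("browser.exe", 85.0), ("svchost.exe", 3.0), ("unknown.exe", 92.0)],  # browser spike
    [("browser.exe", 88.0), ("svchost.exe", 2.0), ("unknown.exe", 91.0)],  # spike continues
    [("browser.exe", 15.0), ("svchost.exe", 4.0), ("unknown.exe", 93.0)],  # spike over
    [("browser.exe", 10.0), ("svchost.exe", 2.0), ("unknown.exe", 90.0)],
    [("browser.exe", 12.0), ("svchost.exe", 3.0), ("unknown.exe", 95.0)],
]


def sustained_cpu_hogs(samples, threshold=80.0, min_consecutive=4):
    """Return the names of processes whose CPU usage is at or above `threshold` for
    at least `min_consecutive` consecutive intervals.

    A transient burst (a page rendering, a file transfer) falls below the streak
    requirement and drops out; a background miner that never stops does not.
    """
    streak = defaultdict(int)   # current run of high-CPU intervals per process
    longest = defaultdict(int)  # longest run seen per process
    for interval in samples:
        seen = set()
        for name, cpu in interval:
            seen.add(name)
            if cpu >= threshold:
                streak[name] += 1
                longest[name] = max(longest[name], streak[name])
            else:
                streak[name] = 0
        # A process that disappears for an interval also breaks its streak.
        for name in list(streak):
            if name not in seen:
                streak[name] = 0
    return sorted(name for name, run in longest.items() if run >= min_consecutive)


if __name__ == "__main__":
    print("sustained high-CPU processes:", sustained_cpu_hogs(SAMPLES))
```

With the default window of four intervals only the constructed always-on process is reported; shortening the window to two would also catch the browser's transient spike, which is the false positive the streak requirement is there to avoid.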

WannaCry is to a tornado as Adylkuzz is to a poisoned water supply. While the former openly draws the attention of those it devastates, the latter lets its victims proceed with their everyday routines with little to no idea that a problem exists in the first place. In fact, an article by Proofpoint claims that Adylkuzz has been in play even longer than WannaCry, having begun shortly after the EternalBlue exploit was leaked.

“…it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24.” (Proofpoint, May 15, 2017)

This threat, while on the same scale as WannaCry, has received little media attention despite being present since early May. While the fear of open attacks keeps the public occupied, this kind of subtle attack has the chance to make its way into our systems.

The cybersecurity community needs to work hard to ensure that our networks and devices are secured, because where cyber-attacks are concerned, the absence of evidence is not evidence of absence. Strong, flexible, and easily updateable security solutions like those developed at Trillium are a necessity not only to protect users from the threats they can see, but also from the ones they can’t. The importance of swift preemptive action cannot be denied; indeed, an ounce of prevention is worth a pound of cure.