When WannaCry struck systems, agencies around the world diverted their attention to countering the ransomware attack, and during that window the cryptocurrency miner Adylkuzz was able to infiltrate systems stealthily. Adylkuzz rode on the same Microsoft vulnerability as WannaCry did, but used an infected machine's resources to mine Monero, a type of cryptocurrency. Ian Yip, Chief Technology Officer, APAC, McAfee, in an exclusive interview with Techseen explains why Adylkuzz is believed to have infected far more machines, as it was allowed to run free while everyone was focused on dealing with WannaCry. He also speaks about what vendors and organizations can do to mitigate vulnerabilities and how the ecosystem should come together to tackle shared challenges. Excerpts:
Techseen: What is Adylkuzz and how does it work?
Yip: Adylkuzz is a cryptocurrency miner. It takes advantage of the same vulnerability in Windows software that the WannaCry ransomware did when it struck systems around the world on 12 May 2017. It uses a computer’s resources – without user permission – and mines for digital cash, such as Monero coins.
This CoinMiner is not a new strain. We have seen samples from as far back as October 2014, but its usage has surged since April. Online reports mention that this malware has infected machines after successfully exploiting the MS17-010 vulnerability, followed by the installation of the backdoor malware EternalBlue/DoublePulsar.
Techseen: What are the potential dangers of Adylkuzz, especially in this part of the world?
Yip: The dangers of Adylkuzz reside in its nature as malware, where it lies in obscurity as it silently infects systems. It is also difficult for a regular person to realize that his or her system has been infected.
For the time being there have been no reported cases of the malware attacking computers in India. However, that does not mean that the attack has not already made its way to the shores of neighboring countries due to its stealthy nature and the fact that affected users, who do not have the appropriate solutions to safeguard against such attacks, may not be aware that their systems may already have been compromised.
Techseen: Why is Adylkuzz potentially larger than WannaCry?
Yip: The exact details of how widespread the attack is are unconfirmed, mainly because it is difficult for victims to know that they are infected. This makes it especially important for them to ensure they have the appropriate solutions installed.
Techseen: Can you talk about the importance of regularly patching, and other measures to keep such sophisticated attacks at bay?
Yip: Software updates, or patches, are important. They keep your computer safe because they often include fixes for bugs that hackers could otherwise exploit in order to remotely access your system without you knowing. Not doing so can leave devices open to viruses, malware and other types of attacks, such as the recent WannaCry and Adylkuzz attacks.
Though the immediate threat from WannaCry has abated, it’s important to keep an eye on the Big Picture. Now, more than ever, the “new threat, new widget” approach must evolve. It’s not sustainable to continue frantically filling cracks in a foundation that is sinking; we must begin building the proper foundation to begin with.
McAfee’s belief is that an effective defense is built on a dynamic cybersecurity platform that is both open and integrated. Open, so it can quickly accept new technologies that protect against even the most creative adversaries; and integrated in that technologies work together as a cohesive defense.
Those integrated defenses were on clear display in protecting our customers during this worldwide episode. Leveraging an automated security system that protects, detects and corrects in real time allows users to both free up resources and thwart advanced attacks. An integrated endpoint platform ensures that people have both the latest technologies today and the ability to add the newest technology year after year. As a result, users no longer have to choose between the best technology and the most manageable – they can have both.
Techseen: When it comes to ransomware, why do you say that Adylkuzz poses a greater threat when there have been no demands? And why is the industry not talking about it?
Yip: Adylkuzz is not ransomware, but a cryptocurrency miner. Ransomware will hold your most sensitive data or files hostage, essentially locking a user out of his/her own system until the ransom is paid. Cryptocurrency miners are software that will tap into your computer's hardware resources and utilize them to mine for cryptocurrency. Unlike ransomware, where the attackers rely on a response, the very nature of currency miners like Adylkuzz makes them much harder for most users to detect.
With all the attention on WannaCry, Adylkuzz was able to infiltrate systems stealthily using the same vulnerability as WannaCry. It can remain undetected in a system while it uses system resources to mine for cryptocurrency. This can slow down a system, or lead to sluggish performance and the disabling of some sharing functionalities on Windows.
This is why it’s important for all users and organizations to regularly patch and update their systems, and ensure they get robust and comprehensive protection, and can detect and repel such attacks in future.
On the contrary, the industry is talking about Adylkuzz. McAfee has released material that looks at Adylkuzz, as have other cybersecurity vendors. Several news outlets reported on Adylkuzz when news of it first broke, and there was speculation that it could be bigger than WannaCry. The silent, stealthy nature of this malware, and the fact that it does not cause visible damage like ransomware would, means that users typically are unaware of whether they are affected or not unless they run security scans on their devices.
Techseen: There may be several threats such as Adylkuzz. Do you feel the media play an important role in playing up a specific instance while others get brushed under the radar?
Yip: The WannaCry attacks helped raise the awareness of organizations and individuals worldwide to the threats posed by ransomware and other malware. Because of the high profile nature of some of the WannaCry attacks the media was able to explain to their readers and viewers how important security fundamentals are in building and maintaining those effective defenses and why a risk-based approach to mitigate environment vulnerabilities needs to become a higher priority.
Techseen: Is it possible to detect and counter multiple cybersecurity threats simultaneously?
Yip: It is actually possible to detect and counter multiple cybersecurity threats simultaneously. McAfee researchers have confirmed that our technologies provided zero-day protection against the WannaCry attack using the Dynamic Application Containment capability of the ENS platform, and thus we were able to detect and correct the attack.
Our dynamic Endpoint Threat Defense provides advanced endpoint protection that’s comprehensive, simplified, and seamless. It is built on a closed loop system that automatically shares threat intelligence between connected components to detect, resolve, and adapt to new attack strategies faster, with a fraction of the effort and resources currently needed for endpoint security. Unlike security strategies based on isolated point products, our dynamic endpoint threat defense solution combines multiple layers of protection to make threat management simpler, faster, and more effective.
That way, even if a threat makes it past one stage of your defenses, it still learns from the encounter and can be stopped by a different defense technology that is now more informed about the threat before it even goes to work. The new generation of McAfee anti-malware and endpoint security technologies offers a truly integrated and coordinated endpoint defense fabric—where each element works with the others to turn new information into action in real time.
Capabilities within the McAfee defense fabric include:
- Static and behavioral machine learning: Use advanced machine learning techniques provided by McAfee® Real Protect to statistically compare suspicious files against known threats, without signatures.
- Suspicious application containment: Protect endpoints from previously unknown “zero-day” malware by using McAfee Dynamic Application Containment to block process actions that malware often uses.
- Sandboxing analysis: Unmask the most advanced targeted malware by detonating suspicious files in a safe environment, McAfee Advanced Threat Defense, and performing fine-grained analysis on the entire code base.
Individually, each of these technologies provides important anti-malware capabilities. Together, they are part of a multistage defense system that stops most threats before they infect "patient zero" and then coordinates threat response in near real time, without manual intervention.
Techseen: What according to you is lacking in Microsoft? Even though all the customer applications and systems are monitored regularly, is there a lag in security and vulnerability patches?
Yip: There was no lag in security and vulnerability patches in this instance. It was a culmination of factors that led to this widespread outbreak. First was an active exploit, EternalBlue, which was made public by a group of hackers who claimed they stole it from the National Security Agency (NSA). There was also an unpatched Microsoft vulnerability, for which the company released a patch in March. The delay between the time the patch was released and the time it takes for organizations to deploy it creates an environment in which the attackers could create this new type of ransomware worm, which would use the exploit and target vulnerable systems until they were patched.
Questions are raised about the need to immediately patch systems. However, the verdict is split. Patching can cover up vulnerabilities and prevent such instances of attack, but patching also runs the risk of software incompatibility issues. IT teams need to weigh the pros and cons before making a decision.
McAfee would suggest that in light of such an incident, it is highly advisable to implement an aggressive patching plan in order to mitigate vulnerabilities.
Techseen: WannaCry was one of the major cyber-hacks that brought forward the value of cryptocurrencies across the globe. Can cryptocurrencies be traced to pinpoint a hack's origin?
Yip: Technically, cryptocurrency itself cannot be traced. However, though not easy, cryptocurrency transactions can be. For example, Bitcoin. Money is sent from one digital wallet to another with no need for a third party to validate or clear the transaction. Cryptocurrency functions via the blockchain, a large, virtually tamper-proof, shared ledger of all bitcoin transactions ever made.
This essentially means that payments can be tracked if users do not cloak themselves with digital anonymity tools. While bitcoin addresses are anonymous, users can be traced through IP addresses or by analyzing the money flow.
However, there are now other forms of cryptocurrency that offer greater anonymity, such as Monero, which are proving to be more popular among cybercriminals and could replace bitcoin as the cryptocurrency of choice for crime.
Techseen: There were reports that a few countries like India were not as severely harmed by WannaCry in comparison to others. Is it true? Why?
Yip: We have no specific data available that would indicate whether any specific country was harmed more than another. With over 350,000 users affected worldwide in 150+ countries we do expect that some users in India were included in the attack.
However, we are living in a time where cyber crime is becoming ever more sophisticated and cyber-attacks are carried out on vulnerable businesses and individuals. According to our recent McAfee Labs report, 176 new cyber-threats occur every minute, which is almost three every second.
The WannaCry attack raised the nation’s attention towards cyber crime. Although, thankfully, there was minimal impact, organizations should never conclude that the absence of a cyber incident means that they have effective cyber defenses. WannaCry showed us how important security fundamentals are in building and maintaining those effective defenses and why a risk-based approach to mitigate environment vulnerabilities needs to become a higher priority.
Techseen: In a recent interview we did with a cybersecurity firm, they stated that the advancement in technology is for everyone, for the good guys and cybercriminals alike. If that is true, then no matter how strong our cybersecurity is, will it still be prone to threats?
Yip: Wherever there is opportunity, there will always be people looking to seize it. If a cybercriminal can detect if there are systems on a network that are vulnerable or unprotected, that alone serves as an invitation for him to strike.
With the increasing adoption of connected devices, the threat will continue to mount. This problem is not helped by the fact that plenty of lucrative business is now conducted online. The digital world is also a lucrative one, if one knows whom to target and where to look. With the plethora of transactions taking place and information being shared, the onus is always on cybercriminals to come up with means to reap profits from them. Hence, it is up to cybersecurity vendors to ensure that the defenses that are in place are robust and intelligent enough to withstand any cyberattack. More than just pure defense, cybersecurity vendors must also delve into awareness and education.
They have to educate their customers on the telltale signs of cybercrime or cyberattacks, and what can be done to mitigate the situation. A network is only as strong as its weakest link. Vendors also have to constantly keep researching the latest, most sophisticated threats employed by their adversaries, and look to new technologies like artificial intelligence and machine learning to tackle problems the industry faces such as talent crunch. Lastly, “Together Is Power”.
Vendors can no longer operate in silos. They must collaborate and share information across the board, as they are all members of the same ecosystem, and it is a shared responsibility to build a safer digital world for all.
Everyone needs to understand that they have a responsibility and a part to play in safeguarding cybersecurity, especially with the ever-evolving threat landscape. There is power in working together where collaborations can help eliminate the fragmentation of security. By promoting automation, partnerships and unified architectures to address the challenges in cybersecurity, it will enhance the effectiveness of cybersecurity teams to automate detection and orchestrate responses, and ultimately tip the cybersecurity balance in favor of defenders.
As the world’s largest pure-play cyber security company, McAfee welcomes the opportunity to work hand-in-hand with the governments and organizations around the world on cyber security and to share information and learning to the benefit of everyone.
Techseen: What are the steps that individuals can take to secure their personal computers in the wake of an attack?
Yip: This incident reminds both businesses and consumers that both parties are responsible and have a part to play in safeguarding their own cybersecurity. The WannaCry attack is a reminder that it is critical to have a cybersecurity strategy and solution in place, where both aspects are continuously monitored and updated accordingly to mitigate against critical vulnerabilities and cyber threats.
Businesses and organizations are reminded that an aggressive patching plan to mitigate the vulnerabilities in their environment is essential, and their internal IT teams need to understand, for each patch, what the levels of risk are, and then make a decision that minimizes risk for the organization and its stakeholders. Consumers also have to learn to secure their own devices by applying the latest security updates and deploying a robust security solution to minimize the risk of becoming a victim of a cyber-attack.
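The interview twice comes back to the same practical point: the MS17-010 patch existed before either WannaCry or Adylkuzz spread, and exposure came down to deployment lag on hosts still speaking SMBv1. The following PowerShell triage script is an editor's added example, not code from McAfee, Techseen or the interviewee; it checks one Windows host for the presence of the MS17-010 hotfixes and for whether SMBv1 is still enabled. The KB-to-OS mapping in `$Ms17010Kbs` is an assumption taken from the March 2017 bulletin as we recall it and should be verified against Microsoft's bulletin for your exact build; later cumulative updates supersede these KBs, so their absence alone is not proof that a host is vulnerable, which is why the script also reports the SMBv1 state and the `srv.sys` driver version.

```powershell
# Added example (editor's own, not McAfee's or Techseen's): MS17-010 exposure triage
# for one Windows host, supporting the "aggressive patching plan" discussed above.
# ASSUMPTION: the KB numbers below are the March 2017 MS17-010 updates for the listed
# OS versions; verify them against the bulletin. Later cumulative updates supersede
# them, so "none found" is a prompt to check further, not a verdict of "vulnerable".

$Ms17010Kbs = @(
    'KB4012598',                # XP / Server 2003 / Vista / Server 2008 (out-of-band release)
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    [CmdletBinding()]
    param()

    # 1. Which of the known MS17-010 hotfixes does this host report as installed?
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # 2. Is SMBv1 still enabled? EternalBlue targets SMBv1, so turning it off removes
    #    the attack surface even on a host that is behind on patches.
    try {
        $smb1Enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        # Get-SmbServerConfiguration exists only on Windows 8 / Server 2012 and later.
        $smb1Enabled = 'unknown (cmdlet unavailable on this OS)'
    }

    # 3. Record the SMB server driver version. The patched build differs per OS, so the
    #    value is reported for comparison with the bulletin rather than judged here.
    $srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srvPath) {
        (Get-Item $srvPath).VersionInfo.FileVersion
    } else {
        'not present'
    }

    $verdict = if ($installed) {
        'MS17-010 hotfix present'
    } elseif ($smb1Enabled -eq $false) {
        'No MS17-010 KB listed, but SMBv1 is disabled; confirm cumulative update level'
    } else {
        'REVIEW: no MS17-010 KB found and SMBv1 not confirmed disabled'
    }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        Ms17010KbsInstalled = if ($installed) { $installed -join ',' } else { 'none found' }
        Smb1Enabled         = $smb1Enabled
        SrvSysVersion       = $srvVersion
        Verdict             = $verdict
    }
}

# Run the check (works from an ordinary prompt; remediation below needs elevation).
Get-Ms17010Status | Format-List

# Remediation of the SMBv1 attack surface; uncomment after confirming nothing on the
# host still depends on SMBv1. A reboot may be required for the change to take effect.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it across a fleet by wrapping `Get-Ms17010Status` in `Invoke-Command -ComputerName ...` and exporting the objects to CSV; the hosts whose verdict begins with `REVIEW` are the ones to patch or isolate first, since those are exactly the machines that both WannaCry and Adylkuzz were able to reach.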