Attackers have been quietly infiltrating vulnerable Windows machines for weeks to mine cryptocurrency, using the same exploits employed by the WannaCrypt perpetrators, according to a security firm.
WannaCrypt first emerged on Friday, holding Windows users across the globe to ransom by exploiting a flaw in the Windows Server Message Block (SMB) v1 file sharing protocol to infiltrate machines and implant a backdoor to install the ransomware.
But while the world has been preoccupied with stopping the spread of the ransomware infections, a security firm has discovered that a separate attack uses the same two leaked exploits - which are linked to the US NSA - for an entirely different purpose.
Proofpoint researcher Kafeine today said the firm had identified a separate attack compromising Windows machines to mine the Monero cryptocurrency. The operation may have been running since as early as April 24, he said.
After exploiting the SMBv1 flaw, instead of pushing ransomware, as WannaCrypt does, the campaign installs the Adylkuzz cryptocurrency mining software and recruits the machine into a global mining botnet.
One Monero is valued at around US$26 (A$35).
The attack is launched from several virtual private servers that scan the internet for hosts with TCP port 445 (SMB) open.
Proofpoint said it had identified more than 20 hosts set up to scan and attack vulnerable machines, and more than a dozen active Adylkuzz command and control servers.
The firm's initial findings indicate that this attack may be larger in scale than WannaCry, Kafeine said. It may even have helped to limit the spread of WannaCrypt, because it shuts down SMB networking to prevent further infections once the mining software is installed.
Many organisations infiltrated by this campaign are likely not aware their PCs are part of the global cryptocurrency mining botnet; the only symptoms of the attack are a loss of access to networked resources and system sluggishness, Proofpoint reported.
Australian security researcher Edward Farrell found 140 local organisations were leaving themselves vulnerable to the two NSA-linked exploits through a combination of open ports and unpatched SMB servers.
"For organisations running legacy versions of Windows or who have not implemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerable to this type of attack," Kafeine wrote.
"Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly.
"Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organisations and individuals patch their machines as soon as possible."