Wielding EternalBlue, Hackers Hit Major US Business
Luckily, Firm Was Only Infected With Cryptocurrency-Mining Malware, Researcher Reports
The word "eternal" - as in part of the nickname for a powerful exploit that fueled the global outbreak of WannaCry ransomware - is unfortunately proving to be all too accurate.
WannaCry, which infected upwards of 300,000 computers worldwide in May 2017, was potent because it used an exploit called EternalBlue that had apparently been stolen or leaked from the U.S. National Security Agency. The exploit took advantage of a Windows vulnerability, designated CVE-2017-0144, in Microsoft's Server Message Block protocol, which remained widely unpatched when WannaCry hit (see Trump Administration: 'North Korea Launched WannaCry').
But even before WannaCry began its rampage, EternalBlue had been used to spread cryptocurrency mining software. And even though patches for the SMB vulnerability began appearing in March 2017, attackers continue to use EternalBlue to successfully spread cryptocurrency-mining malware.
WannaMine Goes to Work
Sherper writes in a blog post that a cryptocurrency miner - aka cryptominer - called WannaMine successfully stung a large company via EternalBlue. WannaMine mines for monero, a privacy-focused virtual currency that can still be mined using off-the-shelf hardware.
Sherper did not identify the company. But he tells Ars Technica that the victim was a Fortune 500 company and he notes that WannaMine infected dozens of the company's domain controllers as well as about 2,000 of its endpoints.
More than one year after the WannaCry outbreak, Sherper says this type of incident should not be happening, especially at a large business (see Eternally Blue? Scanner Finds EternalBlue Still Widespread).
"We're still seeing organizations severely impacted by attacks based on these exploits," he writes. "There's no reason for security analysts to still be handling incidents that involve attackers leveraging EternalBlue. And there's no reason why these exploits should remain unpatched. Organizations need to install security patches and update machines."
Playbook: Fileless Malware
The unnamed company's problems began when attackers found a server that was still vulnerable to the EternalBlue exploit, Sherper says. Subsequently, he says, attackers used a "fileless" style of attack, employing Microsoft's PowerShell scripting language and Windows Management Instrumentation to spread malware inside the targeted network.
WannaMine also borrows a module from PingCastle, an auditing tool that evaluates the security around Active Directory and can scan for vulnerabilities. WannaMine uses PingCastle's vulnerability scanning component "to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers," Sherper writes. WannaMine also uses a PowerShell implementation of Mimikatz, which is a powerful credential-hunting tool.
WannaMine's code itself isn't very sophisticated, Sherper says. Whoever built it appears to have simply copied and pasted publicly available code, such as PingCastle, while much of the PowerShell code was taken from GitHub repositories, he says.
Once the malware gets deployed, Sherper says, it launches hundreds of PowerShell processes that reach out to various monero mining pools. WannaMine also tweaks the power settings on an infected machine to prevent it from going to sleep, thus maximizing its mining potential.
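The behaviours described in this section (PowerShell launched through WMI, hidden encoded commands, power settings changed so the host never sleeps, and large numbers of PowerShell processes reaching out to mining pools) are all visible in ordinary process-creation and network-connection telemetry. The following triage script is an added example and is not code from the article, from Cybereason or from the researcher quoted; the event records are constructed here, the field layout is a Sysmon-like shape assumed for the example rather than any product's exact schema, and the list of mining-pool ports is a heuristic assumption, not an indicator from this incident.

```python
"""Heuristic triage of Windows process/network telemetry for a WannaMine-style
playbook: WMI-spawned PowerShell, hidden encoded commands, powercfg changes
that keep a host awake, and PowerShell fan-out to mining-pool ports.

Added example. Event layout (id 1 = process create, id 3 = network connect)
is an assumption modelled loosely on Sysmon, not a real product schema.
"""
import re
from collections import Counter, defaultdict

POWERSHELL = "powershell.exe"
# Ports commonly used by stratum mining pools; a heuristic list assumed for
# this example, not an indicator taken from the incident.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# powercfg invocations that set a standby/hibernate timeout to 0 ("never"),
# in either the "-change" or "/change" spelling.
POWERCFG_NEVER_SLEEP = re.compile(
    r"(?:/|-)change\s+(?:/|-)?(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I)
ENCODED_FLAG = re.compile(r"-(?:enc|encodedcommand)\b", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _proc_create(host, image, parent, cmdline):
    return {"host": host, "id": 1, "image": image, "parent": parent, "cmdline": cmdline}


def _net_connect(host, image, dst_ip, dst_port):
    return {"host": host, "id": 3, "image": image, "dst_ip": dst_ip, "dst_port": dst_port}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
POWERCFG = r"C:\Windows\System32\powercfg.exe"

# Constructed sample telemetry (not real logs). 203.0.113.0/24 is a
# documentation range.
SAMPLE_EVENTS = [
    _proc_create("dc01", PS, WMI,
                 "powershell.exe -NoP -NonI -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A"),
    _proc_create("dc01", POWERCFG, PS, "powercfg -change -standby-timeout-ac 0"),
    _proc_create("dc01", POWERCFG, PS, "powercfg -change -hibernate-timeout-ac 0"),
    # Benign: an admin runs a script from an interactive desktop session.
    _proc_create("ws42", PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1"),
    _net_connect("ws42", PS, "10.0.0.5", 443),
]
# Fan-out on the domain controller: many PowerShell children, each talking to
# a pool port (constructed).
for i in range(25):
    SAMPLE_EVENTS.append(_proc_create("dc01", PS, PS, "powershell.exe -NoP -W Hidden -c ..."))
    SAMPLE_EVENTS.append(_net_connect("dc01", PS, "203.0.113.%d" % (10 + i % 4),
                                      3333 if i % 2 else 5555))


def triage(events, fanout_threshold=10):
    """Return {host: sorted finding names} for hosts matching at least one
    behaviour. Hosts with no findings are omitted."""
    findings = defaultdict(set)
    ps_spawns = Counter()
    pool_conns = Counter()
    for ev in events:
        host, image = ev["host"], _base(ev["image"])
        if ev["id"] == 1:
            cmd = ev["cmdline"]
            if image == POWERSHELL:
                ps_spawns[host] += 1
                if _base(ev["parent"]) == "wmiprvse.exe":
                    findings[host].add("powershell_spawned_by_wmi")
                if ENCODED_FLAG.search(cmd) and HIDDEN_FLAG.search(cmd):
                    findings[host].add("hidden_encoded_powershell")
            elif image == "powercfg.exe" and POWERCFG_NEVER_SLEEP.search(cmd):
                findings[host].add("sleep_disabled_by_powercfg")
        elif ev["id"] == 3 and image == POWERSHELL and ev["dst_port"] in MINING_POOL_PORTS:
            pool_conns[host] += 1
    for host, n in ps_spawns.items():
        if n >= fanout_threshold:
            findings[host].add("powershell_fanout")
    for host in pool_conns:
        findings[host].add("powershell_to_mining_pool_port")
    return {h: sorted(f) for h, f in findings.items()}


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, len(names), "findings:", ", ".join(names))
```

Each finding on its own is weak (administrators do run encoded PowerShell, and a laptop policy may legitimately set a timeout to 0); the value is in the combination on one host, which is why the script reports the full set per host and leaves the severity decision to the analyst. The fan-out threshold is a parameter because the right value depends on how much PowerShell automation a given host normally runs.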
Victim Was Lucky
Cryptocurrency-mining programs use a computer's processing power to generate hashes. Proof-of-work cryptocurrencies rely on crowdsourced hashes to complete blocks of transactions on a blockchain. A miner that submits a hash meeting the network's target receives a share of cryptocurrency as a reward.
The process of mining isn't necessarily harmful to a computer. But it does consume extra electricity, and in some cases could potentially cause performance problems.
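The reason mining consumes so much CPU and electricity is the asymmetry at the heart of proof-of-work: finding a hash below the target takes, on average, 2^difficulty attempts, while checking a submitted answer takes one. The toy search below is an added example, not code from the article or from any real miner; it uses SHA-256 with a leading-zero-bits target for clarity, whereas monero uses a different hash function and target encoding, but the shape of the search is the same.

```python
"""Toy proof-of-work search illustrating why a cryptominer burns CPU.
Added example: SHA-256 and a leading-zero-bits target are assumed for
simplicity; real coins differ in hash function and target encoding."""
import hashlib


def _digest(block_header: bytes, nonce: int) -> bytes:
    return hashlib.sha256(block_header + nonce.to_bytes(8, "big")).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True if the 256-bit digest, read as an integer, is below
    2**(256 - difficulty_bits), i.e. has that many leading zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(block_header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces in order until the hash meets the target.
    Returns (nonce, digest, attempts), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = _digest(block_header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def verify(block_header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs exactly one hash, however many
    the miner had to try."""
    return meets_target(_digest(block_header, nonce), difficulty_bits)


if __name__ == "__main__":
    header = b"constructed block header"  # placeholder, not real chain data
    for bits in (8, 12, 16):
        nonce, digest, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce} attempts={attempts} "
              f"(expected ~{2 ** bits}) hash={digest.hex()[:16]}...")
```

Raising the difficulty by one bit doubles the expected attempts, so a pool that hands out thousands of these searches to a botnet of infected hosts is simply renting CPU time at the victims' expense; the pool verifies each returned share with a single hash.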
Despite being discovered more than a year ago, WannaMine's infrastructure is still intact, Sherper says, noting that some of the IP addresses associated with the mining activity, despite being called out in multiple security reports, remain active.
"We emailed the providers hosting those servers and haven't heard back yet," Sherper writes.
The unnamed Fortune 500 victim cited by Cybereason, meanwhile, should consider itself lucky. Whoever successfully infected its computers could have done something far worse. With the access allowed by exploiting EternalBlue, for example, they could have installed wiper malware on machines, stolen valuable intellectual property or crypto-locked data and demanded a ransom (see Obama-Themed Ransomware Also Mines for Monero).
Indeed, selling backdoor access to the Fortune 500 company probably would have netted a larger payout on the black market for attackers than simply using the company's machines to mine monero. The value of cryptocurrencies has fallen as much as 80 percent since the market peaked at all-time highs in December 2017.
Surreptitious cryptomining appears to rise and fall in line with cryptocurrency price fluctuations, albeit with a slight delay. Malicious mining is "an incredibly price sensitive environment with clear correlation between miners and price," Raj Samani, chief scientist at McAfee, has told Information Security Media Group (see Cryptojacking Displaces Ransomware as Top Malware Threat).
Such attacks also rely on scale. A report from Accenture published in March notes that the Smominru malware, which encompassed a botnet of as many as 526,000 infected Windows hosts, was collectively mining 24 monero per day, which at current prices would be around $2,880.
(Executive Editor Mathew Schwartz also contributed to this story.)