Nearly one year after their release by the Shadow Brokers, NSA cyberweapons such as EternalBlue are still causing problems, and the most recent examples involve cryptojacking.
Cybersecurity vendor Proofpoint last week reported a new botnet called Smominru that takes over systems and uses their combined computing power to mine the cryptocurrency Monero. The Smominru botnet, according to Proofpoint researchers, uses the EternalBlue exploit to take advantage of a vulnerability in version 1 of Microsoft’s Server Message Block (SMBv1) protocol. EternalBlue and other Windows exploits were part of a collection of NSA cyberweapons released to the public by the Shadow Brokers last April and have since been used in a variety of attacks, including the global WannaCry ransomware outbreak. Proofpoint’s researchers say the cryptojacking botnet currently has about 526,000 infected Windows hosts and has earned its operators approximately $3 million in Monero since it was first observed last May.
“As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically,” Proofpoint researcher “Kafeine” wrote. “While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators.”
The Smominru botnet isn’t the first time EternalBlue has been used for malicious coin mining. Last fall, Panda Security published a report on a worm the vendor calls “WannaMine,” which spreads a fileless Monero miner. Panda Security researchers said they didn’t know the initial infection vector for WannaMine, but did say that once inside a targeted network it uses EternalBlue to spread to unpatched Windows systems. (Microsoft patched the SMB vulnerability in March 2017 under bulletin MS17-010, and after WannaCry also issued fixes for older, unsupported versions of Windows, so any host EternalBlue still works against is one where the patch was never applied or SMBv1 was left enabled.)
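The practical check that follows from this is whether a host still exposes the two things EternalBlue needs: SMBv1 switched on and the MS17-010 fix absent. The script below is an added example, not code from the article or from Proofpoint, Panda Security or CrowdStrike. It assumes an elevated Windows PowerShell 5.x session, and the KB list is my own reading of the MS17-010 bulletin (it should be verified against the bulletin for the exact OS build before it is relied on).

```powershell
# Added example: audit one Windows host for EternalBlue exposure.
# Assumptions: elevated Windows PowerShell 5.x; the KB list below is taken
# from the MS17-010 bulletin as I recall it and must be checked against the
# bulletin for the OS build in use.

$Ms17010Kbs = @(
    'KB4012212','KB4012215',   # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213','KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214','KB4012217',   # Server 2012
    'KB4012598',               # XP / Server 2003 / Vista / Server 2008 (post-WannaCry release)
    'KB4012606','KB4013198','KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server-side SMBv1 switch directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Older builds: Microsoft's documented registry switch. A missing value means
    # SMBv1 is on, because that is the default there.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Installed {
    # Get-HotFix lists individually installed updates; on Windows 10 a later
    # cumulative update supersedes the original KB, so a $false here on
    # Windows 10 needs a build-number check before it is treated as a finding.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $installed) {
        if ($Ms17010Kbs -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1 {
    # Remediation: turn the server-side protocol off. A reboot is required on
    # some builds for the change to take full effect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$smb1    = Test-Smb1Enabled
$patched = Test-Ms17010Installed

[PSCustomObject]@{
    Host            = $env:COMPUTERNAME
    Smb1Enabled     = $smb1
    Ms17010Present  = $patched
    EternalBlueRisk = ($smb1 -and -not $patched)
} | Format-List

if ($smb1) {
    Write-Warning "SMBv1 is enabled on $env:COMPUTERNAME; run Disable-Smb1 to turn it off."
}
```

Disabling SMBv1 is the stronger of the two fixes, since it removes the attack surface regardless of patch state, but it will break any remaining clients or printers that only speak SMBv1, so run the audit first and disable in a change window.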
While cryptojacking malware isn’t as devastating to enterprises as ransomware, it can still have significant negative effects. In a recent blog post on WannaMine, CrowdStrike researchers described how coin miners commandeer CPU cycles and degrade system performance. “The tools have caused systems and applications to crash due to such high CPU utilization speeds,” the researchers wrote. “In one case, a client informed CrowdStrike that nearly 100 percent of its environment was rendered unusable due to overutilization of systems’ CPUs.”