
Wielding EternalBlue, Hackers Hit Major US Business

Luckily, Firm Was Only Infected With Cryptocurrency-Mining Malware, Researcher Reports
Unpatched Windows systems still vulnerable to the EternalBlue exploit (Source: Shodan)

The word "eternal" - as in part of the nickname for a powerful exploit that fueled the global outbreak of WannaCry ransomware - is unfortunately proving to be all too accurate.


WannaCry, which infected upwards of 300,000 computers worldwide in May 2017, was potent because it used an exploit called EternalBlue that had apparently been stolen or leaked from the U.S. National Security Agency. The exploit took advantage of a Windows vulnerability, designated CVE-2017-0144, in Microsoft's Server Message Block protocol, which remained widely unpatched when WannaCry hit (see Trump Administration: 'North Korea Launched WannaCry').

But even before WannaCry began its rampage, EternalBlue had been used to spread cryptocurrency mining software. And even though patches for the SMB vulnerability began appearing in March 2017, attackers continue to use EternalBlue to successfully spread cryptocurrency-mining malware.

WannaMine Goes to Work

Further evidence that EternalBlue continues to help attackers claim victims comes via Amit Serper, head of security research for endpoint detection and response technology vendor Cybereason.

Serper writes in a blog post that a cryptocurrency miner - aka cryptominer - called WannaMine successfully stung a large company via EternalBlue. WannaMine mines for monero, a privacy-focused virtual currency that can still be mined using off-the-shelf hardware.

Serper did not identify the company. But he tells Ars Technica that the victim was a Fortune 500 company, and he notes that WannaMine infected dozens of the company's domain controllers as well as about 2,000 of its endpoints.

More than one year after the WannaCry outbreak, Serper says this type of incident should not be happening, especially at a large business (see Eternally Blue? Scanner Finds EternalBlue Still Widespread).

Count of systems that remain vulnerable to EternalBlue as of Sept. 17, 2018 (Source: Shodan)

"We're still seeing organizations severely impacted by attacks based on these exploits," he writes. "There's no reason for security analysts to still be handling incidents that involve attackers leveraging EternalBlue. And there's no reason why these exploits should remain unpatched. Organizations need to install security patches and update machines."

Playbook: Fileless Malware

The unnamed company's problems began when attackers found a server that was still vulnerable to the EternalBlue exploit, Serper says. Subsequently, he says, attackers used a "fileless" style of attack, employing Microsoft's PowerShell scripting language and Windows Management Instrumentation to spread malware inside the targeted network.

WannaMine also borrows a module from PingCastle, an auditing tool that evaluates the security around Active Directory and can scan for vulnerabilities. WannaMine uses PingCastle's vulnerability scanning component "to map the network and find the shortest path to the next exploitable machine by grabbing SMB information through the response packets sent by the SMB servers," Serper writes. WannaMine also uses a PowerShell implementation of Mimikatz, which is a powerful credential-hunting tool.

WannaMine's code itself isn't very sophisticated, Serper says. Whoever built it appears to have simply copied and pasted publicly available code, such as PingCastle, while much of the PowerShell code was taken from GitHub repositories, he says.

Researcher Amit Serper says many WannaMine components have been cobbled together from publicly available code. (Source: Cybereason)

Once the malware gets deployed, Serper says, it launches hundreds of PowerShell processes that reach out to various monero mining pools. WannaMine also tweaks the power settings on an infected machine to prevent it from going to sleep, thus maximizing its mining potential.
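The three behaviours just described (a burst of PowerShell launches, outbound connections from a scripting host to mining pools or to the published WannaMine addresses, and power settings changed so the machine never sleeps) are all visible in ordinary process-creation and network-connection telemetry. The following is an added example, not code from the article or from Cybereason, that runs a simple triage over constructed Sysmon-style records. The pool port list, the placeholder blocklist addresses (RFC 5737 documentation ranges, since the article does not reproduce the real IoCs), the `powercfg` command line, and the thresholds are all assumptions chosen for illustration.

```python
"""Constructed detection logic for the WannaMine behaviours the article describes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Stratum-style ports commonly used by monero mining pools.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Placeholder blocklist (RFC 5737 documentation addresses) standing in for the
# WannaMine IPs that Cybereason published; the article does not list them.
BLOCKED_IPS = {"203.0.113.10", "198.51.100.7"}


def _burst(host, start, n):
    """Constructed burst of n powershell.exe launches, one per second."""
    base = datetime.fromisoformat(start)
    return [((base + timedelta(seconds=i)).isoformat(), host, "ProcessCreate",
             "powershell.exe", "-nop -w hidden -enc <omitted>") for i in range(n)]


# Constructed Sysmon-style records: (time, host, event, image, detail).
# ws-042 shows all three signals; ws-007 is benign admin activity.
SAMPLE_EVENTS = _burst("ws-042", "2018-09-17T10:00:00", 40) + [
    ("2018-09-17T10:00:45", "ws-042", "NetworkConnect", "powershell.exe", "203.0.113.10:3333"),
    ("2018-09-17T10:00:50", "ws-042", "ProcessCreate", "powercfg.exe", "/change standby-timeout-ac 0"),
    ("2018-09-17T10:05:00", "ws-007", "ProcessCreate", "powershell.exe", "Get-Date"),
    ("2018-09-17T10:05:02", "ws-007", "NetworkConnect", "powershell.exe", "192.0.2.5:443"),
]


def powershell_bursts(events, window=timedelta(minutes=5), threshold=20):
    """Hosts that spawn `threshold` or more powershell.exe processes inside any `window`.
    Returns {host: peak count}."""
    per_host = defaultdict(list)
    for ts, host, ev, image, _ in events:
        if ev == "ProcessCreate" and image.lower() == "powershell.exe":
            per_host[host].append(datetime.fromisoformat(ts))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted launch times
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def pool_connections(events):
    """(host, image, dest) for connections to a mining-pool port or a blocklisted IP."""
    hits = []
    for _, host, ev, image, detail in events:
        if ev != "NetworkConnect":
            continue
        ip, _, port = detail.rpartition(":")
        if ip in BLOCKED_IPS or int(port) in MINING_POOL_PORTS:
            hits.append((host, image, detail))
    return hits


def sleep_disabled(events):
    """Hosts where powercfg set an AC/DC standby or hibernate timeout to 0 (illustrative syntax)."""
    hosts = set()
    for _, host, ev, image, detail in events:
        if ev == "ProcessCreate" and image.lower() == "powercfg.exe":
            tokens = detail.lower().split()
            timeout_flag = any(t.endswith(("timeout-ac", "timeout-dc")) for t in tokens)
            if timeout_flag and tokens[-1] == "0":
                hosts.add(host)
    return hosts


def triage(events):
    """Hosts showing at least two independent signals, with the signal names that fired."""
    signals = defaultdict(set)
    for host in powershell_bursts(events):
        signals[host].add("powershell-burst")
    for host, _, _ in pool_connections(events):
        signals[host].add("pool-or-blocked-ip")
    for host in sleep_disabled(events):
        signals[host].add("sleep-disabled")
    return {h: sorted(s) for h, s in signals.items() if len(s) >= 2}


if __name__ == "__main__":
    for host, fired in triage(SAMPLE_EVENTS).items():
        print(host, fired)
```

Requiring two independent signals keeps a single noisy PowerShell burst from an admin script, or one connection to an unusual port, from paging anyone on its own; the combination of a burst, a pool connection and a power-setting change from a workstation is what separates the WannaMine pattern from routine automation.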

Victim Was Lucky

Cryptocurrency-mining programs use a computer's processing power to compute hashes. Proof-of-work cryptocurrencies rely on crowdsourced hashing to complete blocks of transactions on a blockchain, and a miner that submits a valid hash receives a share of cryptocurrency as a reward.

The process of mining isn't necessarily harmful to a computer. But it does consume extra electricity, and in some cases could potentially cause performance problems.
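To make concrete why mining burns CPU time (and therefore electricity) while verifying a result costs almost nothing, here is a toy proof-of-work added as an example; it is not code from the article. It uses SHA-256 purely as a stand-in for monero's actual, deliberately CPU-hungry hash function, and the header bytes and difficulty values are constructed.

```python
"""Toy proof-of-work: SHA-256 stands in for the hash function a real coin uses."""
import hashlib

HASH_BITS = 256


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A hash 'wins' when, read as a big-endian integer, it is below 2**(256 - difficulty_bits),
    i.e. its top `difficulty_bits` bits are all zero."""
    return int.from_bytes(digest, "big") < (1 << (HASH_BITS - difficulty_bits))


def block_hash(header: bytes, nonce: int) -> bytes:
    """Hash of the (constructed) block header with a trial nonce appended."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def mine(header: bytes, difficulty_bits: int, max_tries: int = 1 << 22):
    """Brute-force nonces until one meets the target; return (nonce, digest, tries).
    This loop is the work a miner's CPU performs continuously."""
    for nonce in range(max_tries):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    raise RuntimeError("gave up before finding a valid nonce")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a submitted share costs one hash, however many it took to find."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_tries(difficulty_bits: int) -> int:
    """Each trial succeeds with probability 2**-difficulty_bits, so work doubles per bit."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    header = b"constructed block header"
    for bits in (8, 12, 16):
        nonce, digest, tries = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce} tries={tries} "
              f"expected~{expected_tries(bits)} hash={digest.hex()[:16]}...")
```

Raising the difficulty by one bit doubles the expected number of hashes, which is why pools spread the search across every machine they can recruit and why a miner that never lets the host sleep is worth more to its operator than one that does.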

WannaMine tries to conceal much of its malicious activity as being simply PowerShell activity. (Source: Cybereason)

Despite being discovered more than a year ago, WannaMine's infrastructure is still intact, Serper says, noting that some of the IP addresses associated with the mining activity, despite being called out in multiple security reports, remain active.

Memo to information security teams: Block these IP addresses associated with WannaMine. (Source: Cybereason)

"We emailed the providers hosting those servers and haven't heard back yet," Serper writes.

The unnamed Fortune 500 victim cited by Cybereason, meanwhile, should consider itself lucky. Whoever successfully infected its computers could have done something far worse. With the access allowed by exploiting EternalBlue, for example, they could have installed wiper malware on machines, stolen valuable intellectual property or crypto-locked data and demanded a ransom (see Obama-Themed Ransomware Also Mines for Monero).

Indeed, selling backdoor access to the Fortune 500 company probably would have netted a larger payout on the black market for attackers than simply using the company's machines to mine monero. The value of cryptocurrencies has fallen as much as 80 percent since the market peaked at all-time highs in December 2017.

Surreptitious cryptomining appears to rise and fall in line with cryptocurrency price fluctuations, albeit with a slight delay. Malicious mining is "an incredibly price sensitive environment with clear correlation between miners and price," Raj Samani, chief scientist at McAfee, has told Information Security Media Group (see Cryptojacking Displaces Ransomware as Top Malware Threat).

Such attacks also rely on scale. A report from Accenture published in March notes that the Smominru malware, which encompassed a botnet of as many as 526,000 infected Windows hosts, was collectively mining 24 monero a day, which at current prices would be around $2,880.

(Executive Editor Mathew Schwartz also contributed to this story.)


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



