Originally developed for the US National Security Agency and later made public, the EternalBlue exploit was used to build the WannaCry malware, which spread to nearly 150 countries in 2017. The same exploit forms the basis of the new WannaMine virus, which has now become a threat not to users, but to miners: the malware hides in mining systems and overloads them while cryptocurrency is being mined.
Hard to find and impossible to forget
The cryptocurrency in question is Monero, which can be mined with an ordinary video card, without expensive equipment. WannaMine sits deep in the system, and its presence can only be guessed from a slowdown in the speed at which the computer processes information.
The worm can get in either after an accidental click on a link or through a targeted infection of the system from outside. WannaMine obtains logins and passwords using the Mimikatz tool. If Mimikatz fails, EternalBlue comes into play.
Used together, they allow the virus to get past even well-protected systems, because an attack on just one computer leads to infection of the entire corporate network.
For now, WannaMine is not perceived as being as dangerous as its predecessor WannaCry, since it does not lock the system or demand a ransom for “treatment”. However, companies can suffer losses from the sudden overload of the corporate network caused by the virus's activity.
Brian York, chief product officer of CrowdStrike, noted that the EternalBlue exploit is increasingly becoming a fraud tool in the hands of ordinary cybercriminals, whereas it used to be the prerogative of state-level hackers. The virus is dangerous primarily because such hidden mining can halt a company's operations for “a couple of days or even weeks.”
Another danger of WannaMine is that it does not launch any malicious applications on the system, but uses standard Windows OS tools. That is why its presence is so difficult to establish and track.
“The number of infected systems is only increasing,” says York. “At the same time, whereas with WannaCry hackers gave the user the opportunity to choose whether or not to pay for the restoration of control over the system, WannaMine allows attackers to earn money on it directly.”
“I think that in the future, the sophistication of cybercriminals will surprise us more than once,” the expert added.
Fashion for miners
The EternalBlue exploit became available to hackers around the world thanks to the Shadow Brokers group, which published the exploit's code last year. It formed the basis of WannaCry, which locked computers around the world and demanded a ransom in bitcoins in exchange for saving users' personal data.
Some time later, EternalBlue was used to write the NotPetya virus, which was active in several countries. After that, information security experts warned that development of the exploit by hackers of various levels would contribute to an increase in cyberattacks around the world.
“Today we can see the evolution of malware from ransomware to miners,” said Ladislav Zezula, Malware Research Specialist at Avast. “And given the profitability of cryptocurrencies, direct mining becomes more profitable than a banal ransom demand.”
It is worth noting that the first cryptominer based on EternalBlue was the Adylkuzz virus, which was active in 2017. The only protection is the timely installation of patches for system vulnerabilities.
“EternalBlue exploits a Windows OS vulnerability known since the beginning of 2017 in the implementation of the SMB protocol,” says Pavel Lutsik, Head of Information Security Projects at CROC. “After WannaCry, many people began to patch the OS, take appropriate measures and generally worry about security. However, the recent WannaMine attack showed that ignoring the basics of information security is costly and post-factum patches alone are not enough.”