Malware leaked from the NSA’s tool chest over a year ago is now being used to mine cryptocurrencies secretly on infected Windows systems, TechCrunch reports, and worse attacks could follow if enterprises and governments don’t patch the vulnerability.
The problem began in April 2017, when a hack group called The Shadow Brokers leaked a tool online called “Eternal Blue.”
Likely developed by the American National Security Agency (NSA), Eternal Blue was the fifth exploit of probable NSA origin released by The Shadow Brokers.
According to Wired Magazine, “Eternal Blue” is the name of both a backdoor vulnerability in Microsoft Windows software and the software bug “weaponized” by the NSA to exploit it.
Following its release, the Eternal Blue exploit “spread like wildfire” across the world, and was used to execute particularly egregious malware infections in Russia, Ukraine, India and Taiwan.
Microsoft quickly released a patch, but its use remains somewhat spotty, and close to a million servers and untold connected computers remain at risk, experts say:
“At least 919,000 servers are still vulnerable to EternalBlue, with some 300,000 machines in the US alone. And that’s just the tip of the iceberg — that figure can represent either individual vulnerable computers or a vulnerable network server capable of infecting hundreds or thousands more machines.”
Initially, an exploited Eternal Blue backdoor was commonly used to install WannaCry and NotPetya ransomware on infected systems to lock up data. Hackers would then demand a ransom paid in cryptocurrency for the data’s release. Hundreds of businesses and institutions have been attacked in this way, and many are now holding crypto at the ready just in case.
More recently, however, experts have noticed Eternal Blue being used more commonly to initiate a less confrontational type of malware attack: the crypto mining attack.
In these attacks, crypto mining malware is used to create cryptomining “botnets”: whole networks of zombified infected computers unable to “sleep,” and forced to “mine” cryptocurrencies 24 hours a day. Proceeds are automatically sent to hackers’ online cryptocurrency wallets.
Once established in a network, crypto mining malware works to infect any computer within reach and can go undetected for some time because the only sign may be an increase in a network’s power consumption.
WannaMine malware, says Amit Serper of Boston cybersecurity firm Cybereason, may also scan an infected system to detect and shut down any competing malware already present in a system.
Serper told TechCrunch that a major Fortune 500 multinational was hit by a “WannaMine” malware attack only days ago.
“Once their first machine was hit the malware propagated to more than 1,000 machines in a day,” said Serper.
Eternal Blue has proven itself a powerful exploit already, and worse types of attacks could follow, TechCrunch warns.
“There’s no reason why these exploits should remain unpatched. Organizations need to install security patches and update machines,” said Serper.