One Year After Their Illegal Release, the NSA’s Classified Exploits Are Still Being Used to Mine Crypto
One year ago, the National Security Agency suffered one of the worst leaks in its history: a series of classified exploits built by the NSA were stolen and published online. Today, those exploits are still being used, this time to turn other people's computers into cryptocurrency miners.
One of the exploits, called EternalBlue, targets a flaw in SMBv1, the old file-sharing protocol that ships with Windows. Against an unpatched machine that exposes SMB to the network, EternalBlue can silently break in and run code with no user interaction, which is why it has been so widely abused.
Hackers have used EternalBlue to install ransomware on thousands of computers worldwide. Government organizations, corporations, and even entire towns have ground to a halt due to EternalBlue ransomware attacks.
EternalBlue isn’t the ransomware itself; it is the exploit that gets attackers onto the machine so they can install whatever they like. In 2017, attackers used it to spread WannaCry and NotPetya, two of the most destructive ransomware outbreaks on record. After infecting a single computer, this malware uses the same exploit to target the other machines on the network.
Today, however, the EternalBlue exploit is being used for a new purpose: to install cryptocurrency mining software on users’ computers.
Microsoft Released a Patch Over a Year Ago
After an exploit leaks online, the affected software vendor typically scrambles to patch the underlying vulnerability as soon as possible.
In EternalBlue’s case, Microsoft was actually ahead of the leak: its March 2017 security update, bulletin MS17-010, closed the SMBv1 hole about a month before the NSA’s Windows exploits were posted online in April 2017.
Despite the rapid fix, however, “almost a million computers and networks are still unpatched and vulnerable to attack,” according to security firms.
So the fix has been available since March 2017. To this day, however, computers worldwide that never applied it, or that still expose SMBv1 to the network, remain wide open to EternalBlue.
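A check an administrator can run today, added here as an example and not code from the article or from Microsoft: it reports whether the SMBv1 protocol that EternalBlue targets is still enabled on a Windows host, and turns it off if asked. The cmdlets are stock Windows; the function name and the `-Disable` switch are this example’s own.

```powershell
# Added example: report whether SMBv1 (the protocol EternalBlue targets) is still
# enabled on this Windows host, and optionally remove it.
# The function name and the -Disable switch are this example's own; the cmdlets
# (Get-SmbServerConfiguration, Get-WindowsOptionalFeature, Get-NetTCPConnection,
# Get-HotFix, Set-SmbServerConfiguration, Disable-WindowsOptionalFeature) are stock
# Windows. Run from an elevated prompt on Windows 8.1 / Server 2012 R2 or later.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        [switch]$Disable   # remove SMBv1 rather than only reporting on it
    )

    # Server side: is the SMB1 dialect still offered to clients?
    $server = Get-SmbServerConfiguration
    $smb1Server = [bool]$server.EnableSMB1Protocol

    # Is the SMB1 optional feature (client and server binaries) still installed?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1Feature = [bool]($feature -and $feature.State -eq 'Enabled')

    # Is TCP/445 actually listening, i.e. would an EternalBlue scan even get a socket?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    # The most recent update date is only a rough proxy for "has this box seen a
    # patch cycle since March 2017"; it is not proof that MS17-010 itself is present.
    $lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

    $report = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1ServerOn     = $smb1Server
        Smb1FeatureOn    = $smb1Feature
        Port445Listening = [bool]$listening
        LastHotFixDate   = $lastFix.InstalledOn
        Smb1Removed      = $false
    }

    if ($Disable -and ($smb1Server -or $smb1Feature)) {
        # Microsoft's recommended mitigation: stop offering SMB1 at all.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $report.Smb1Removed = $true   # a reboot finishes removing the feature
    }

    return $report
}

# Usage:
#   Test-Smb1Exposure            # report only
#   Test-Smb1Exposure -Disable   # report, then disable SMBv1 (reboot to finish)
```

A host that reports `Smb1ServerOn` false and `Port445Listening` false is not reachable by EternalBlue regardless of its patch level; a host with SMBv1 on and no update since early 2017 is exactly the population the "almost a million" figure above is counting.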
How NSA Exploits Are Being Used for Cryptocurrency Mining
If you’re able to remotely gain control of thousands of computers worldwide, then you can profitably mine cryptocurrency. That’s exactly what modern hackers are doing with EternalBlue and other exploits.
In days gone by, these hackers might have installed ransomware and pried a few hundred dollars out of infected users.
Today, however, things have changed, and users’ machines are being quietly used to mine cryptocurrency. As TechCrunch explains:
“Although WannaCry infections have slowed, hackers are still using the publicly accessible NSA exploits to infect computers to mine cryptocurrency.”
Security researchers are calling one such campaign “WannaMine”. The malware uses exploits like EternalBlue to break into a computer. Once it has code execution, it installs the WannaMine cryptocurrency miner and then uses the same techniques to spread across the network.
One major Fortune 500 multinational knows that better than anyone. That company was recently hit by WannaMine: after the first machine was infected, the miner spread to 1,000 other machines on the company’s network.
Cryptocurrency mining attacks are nothing new. Last year, as crypto prices surged, we saw a number of infected websites use crypto mining scripts to hijack your browser’s processing power and devote it to cryptocurrency mining.
Some websites also use this system in a legitimate way: instead of running advertisements, they run a cryptocurrency mining script. Your computer’s processing power is used for mining while you are on the page, and you don’t see advertisements. WannaMine, however, works differently.
WannaMine Can Mine Cryptocurrency “Faster and More Efficiently” While Going Unnoticed
The cryptocurrency mining attacks we saw in the past were clunky. WannaMine works in a different way.
Today’s WannaMine malware is faster and more efficient at mining cryptocurrency than its predecessors. Security researchers at Cybereason.com recently posted a good writeup on the attack.
Essentially, WannaMine is built to mine for as long as possible without being noticed. One trick described in the writeup is to change the machine’s power settings so that it never goes to sleep:
“The PowerShell script will also change the power management settings on the infected machine just before the miners are dropped to prevent the machine from going to sleep and maximize mining power availability”
The end result is a miner that gets more CPU time, and more quietly, than the miners that came before it: a workstation left on overnight no longer sleeps, so it keeps mining all night while nobody is at the keyboard. That also gives defenders something to look for: a sleep or hibernate timeout that has been set to “never” on a machine where the standard configuration says otherwise.
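A way to look for that effect, added here as an example and not code from the article or from Cybereason: it reads the active power scheme with `powercfg`, a stock Windows tool, and flags a sleep or hibernate timeout that has been set to “never” (0 seconds) or pushed above a site baseline. The function names, the `$MaxExpectedSeconds` threshold and the sample `powercfg` output used for the offline run are this example’s own assumptions; the page does not show the exact commands the miner’s script runs, so the check targets the result rather than the command.

```powershell
# Added example, not code from the article or from Cybereason: look for the effect
# the writeup describes, sleep/hibernate timeouts silently changed to "never"
# (0 seconds) on a machine that should sleep. Reads the active scheme via powercfg,
# a stock Windows tool. Function names, the $MaxExpectedSeconds threshold and the
# constructed sample text below are this example's own assumptions.

function Get-PowerSettingIndex {
    param([Parameter(Mandatory)][string]$PowercfgText)
    # powercfg /query prints lines such as
    #   Current AC Power Setting Index: 0x00000708
    # where the value is hex seconds and 0 means "never".
    $values = @{}
    foreach ($m in [regex]::Matches($PowercfgText, 'Current (AC|DC) Power Setting Index: 0x([0-9a-fA-F]+)')) {
        $values[$m.Groups[1].Value] = [Convert]::ToInt64($m.Groups[2].Value, 16)
    }
    return $values
}

function Find-SleepTamper {
    param(
        [Parameter(Mandatory)][string]$SettingName,   # e.g. STANDBYIDLE
        [Parameter(Mandatory)][hashtable]$Values,     # output of Get-PowerSettingIndex
        [int]$MaxExpectedSeconds = 3600               # assumed site baseline: sleep within an hour
    )
    $findings = @()
    foreach ($source in $Values.Keys) {
        $seconds = $Values[$source]
        if ($seconds -eq 0) {
            $findings += "$SettingName ($source) is set to never: matches the miner's power-setting change"
        } elseif ($seconds -gt $MaxExpectedSeconds) {
            $findings += "$SettingName ($source) is $seconds s, above the $MaxExpectedSeconds s baseline"
        }
    }
    return $findings
}

function Invoke-SleepTamperCheck {
    # Live check on this host. SUB_SLEEP, STANDBYIDLE and HIBERNATEIDLE are aliases
    # powercfg accepts for the Sleep subgroup and its two idle timeouts.
    $all = @()
    foreach ($setting in 'STANDBYIDLE', 'HIBERNATEIDLE') {
        $raw = (& powercfg.exe /query SCHEME_CURRENT SUB_SLEEP $setting) -join "`n"
        $all += Find-SleepTamper -SettingName $setting -Values (Get-PowerSettingIndex $raw)
    }
    if ($all.Count -eq 0) { 'No sleep-timeout tampering found' } else { $all }
}

# Offline demonstration on constructed powercfg output: AC timeout zeroed, DC left alone.
$sample = @"
Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced)
  Subgroup GUID: 238c9fa8-0aad-41ed-83f4-97be242c8f20  (Sleep)
    Power Setting GUID: 29f6c1db-86da-48c5-9fdb-f2b67b1f44da  (Sleep after)
    Current AC Power Setting Index: 0x00000000
    Current DC Power Setting Index: 0x0000038a
"@
Find-SleepTamper -SettingName STANDBYIDLE -Values (Get-PowerSettingIndex $sample)
# Live run on the current host (no elevation needed to query):
#   Invoke-SleepTamperCheck
```

The offline run flags only the AC value, since the DC value (0x38a, about 15 minutes) is under the baseline. Pair this with the machine’s group policy for power settings; a timeout that disagrees with policy on a desktop that was “idle” all night is a cheap signal worth a look at the process list.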
EternalBlue continues to be a persistent thorn in the side of security experts worldwide. Leaked over a year ago, and patched by Microsoft in March 2017, it still works against close to a million unpatched computers, and that is why cryptocurrency mining attacks like WannaMine are spreading worldwide.