Last April, a hacking group called the Shadow Brokers leaked EternalBlue, a Windows exploit developed by the NSA. Less than a month later, EternalBlue was used to unleash a destructive global ransomware attack called WannaCry that affected more than 230,000 computers in 150 countries. A month after that, in June, the EternalBlue exploit was used again to cripple networks around the world in an even more sophisticated attack. Now, security researchers are seeing the EternalBlue exploit being used to hijack people’s computers to mine cryptocurrency.
“EternalBlue, which was beforehand only used by nation-state actors, is now growing much more commonplace in malware leveraged by your common cybercriminal,” said Bryan York, director of services at CrowdStrike.
This new attack, named WannaMine, may appear to be less of a threat than WannaCry because it doesn’t lock users out of their machines. But CrowdStrike wrote in a blog post laying out its findings on WannaMine that the company has observed the malware “rendering some businesses unable to operate for days and weeks at a time.” WannaMine infections are also hard to detect because the malware doesn’t download any files to an infected device.
WannaMine was first spotted by the Spanish firm Panda Security last October. Last week, cybersecurity firm CrowdStrike said in a blog post that it has seen the number of WannaMine infections increase over the last few months.
According to CrowdStrike’s York, there are plenty of ways WannaMine can infect a machine, ranging from a user clicking on a malicious link in an email or webpage to a targeted remote-access attack by a hacker. Once the WannaMine script has infected a computer, it uses two legitimate Windows components, PowerShell and Windows Management Instrumentation (WMI), to do its work.
WannaMine doesn’t resort to EternalBlue on its first try, though. First, WannaMine uses a tool called Mimikatz to pull logins and passwords from a computer’s RAM. If that fails, WannaMine will use EternalBlue to break in. If the machine is part of a local network, like at a business office, it will use the stolen credentials to infect other machines on the network.
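The behaviour described above (a fileless script that runs through PowerShell and WMI rather than dropping files, then spreads across a network) is exactly what endpoint process-creation telemetry can surface even when there is no file to scan. The following Python script is an added example written for this page; it is not code from the article, from CrowdStrike, or from any of the tools named here. It scores constructed, Sysmon-style process-creation events for the pattern a defender would look for: a shell spawned by the WMI provider host, combined with encoded or hidden-window PowerShell. The field names, sample paths and the base64 placeholder in the command lines are assumptions made up for the example, not indicators taken from WannaMine.

```python
import re

# Constructed sample events in a flattened "Key=Value Key=Value" form modelled on
# Sysmon process-creation records. These are illustrative only, not real telemetry,
# and the encoded-command payloads are placeholders rather than anything observed.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -File C:\scripts\backup.ps1",
    r"ParentImage=C:\Windows\System32\services.exe Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c powershell -enc UwB0AGEAcgB0AC0A",
]

# Matches PowerShell's encoded-command switch in its common abbreviations
# (-e, -ec, -enc, -EncodedCommand) without matching e.g. -ExecutionPolicy.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")
# Matches "-W Hidden" / "-WindowStyle Hidden".
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one flattened event into a dict of field name -> value."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one parsed event; higher means more suspicious."""
    score, reasons = 0, []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    # PowerShell may be the image itself or be launched indirectly via cmd.exe.
    involves_powershell = image == "powershell.exe" or bool(
        re.search(r"(?i)\bpowershell\b", cmdline)
    )
    # A shell whose parent is the WMI provider host points at WMI-driven execution
    # (remote WMI process creation or a WMI event-subscription consumer).
    if parent == "wmiprvse.exe" and image in ("powershell.exe", "cmd.exe"):
        score += 3
        reasons.append("shell spawned by WMI provider host")
    if involves_powershell and ENCODED_RE.search(cmdline):
        score += 2
        reasons.append("encoded PowerShell command")
    if involves_powershell and HIDDEN_RE.search(cmdline):
        score += 1
        reasons.append("hidden PowerShell window")
    return score, reasons


def find_suspicious(lines, threshold=3):
    """Return [(index, score, reasons)] for events at or above the threshold."""
    hits = []
    for index, line in enumerate(lines):
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            hits.append((index, score, reasons))
    return hits


if __name__ == "__main__":
    for index, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {index}: score {score}: {', '.join(reasons)}")
```

On the constructed sample, events 0 and 3 are flagged and the legitimate PowerShell run from Explorer and the service host are not. The heuristic is deliberately narrow: a WMI-spawned shell alone scores 3, so environments that run management tooling over WMI should expect a baseline of such events and tune the threshold or allow-list known parent command lines; the point of combining the WMI parent with encoded or hidden PowerShell is to catch the fileless pattern the article describes without needing a file hash to match.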