Leaked National Security Agency Exploits & Cryptojacking Attacks

Although crypto prices across the board have seen sharp declines since the commencement of 2018, cryptojacking, or the act of illegally siphoning computational power to mine cryptocurrencies, is still a rampant threat, well that’s what a recent report from TechCrunch alluded to.

Just over a year ago, classified computer exploits put together by the American National Security Agency (NSA) were unexpectedly stolen and published online. And since this event, individuals from around the globe have been trying their hand at utilizing these well-crafted exploits for their personal gain.

Upon the leak of the NSA exploits, a certain tool, named EternalBlue, caught the eye of many across the globe. For those who aren’t in the loop, EternalBlue can break into nearly any Windows-based machine remotely, no matter where the device is situated.

Hackers and malicious actors quickly realized that the use of this specific exploit could prove to be rather lucrative, and as such, many began to execute ransomware attacks on the computers of individuals, groups, and corporations across the globe.

More specifically, malicious individuals utilized WannaCry and NotPetya, coupled with EternalBlue, to distribute the ransomware, “which spread like wildfire,” due to the fact that once one network-connected computer was infected, the others within the network tumbled next. Acknowledging that this was a growing problem, Microsoft, who obviously manages and develops the proprietary Windows software, released a patch in a bid to fix this issue.

However, while many individuals installed the anti-EternalBlue update, there are nearly one million computers that are still vulnerable to attack, as per data gathered by Shodan, a specialized search engine.

While there remain many computers unprotected, ransomware has begun to fall out of style with hackers, as many have sought alternative means of generating income, while still utilizing the EternalBlue tool to gain easy access to otherwise well-protected devices. This had led malicious hackers to cryptojacking, which as alluded to earlier, is when individuals harness computional power that isn’t theirs to garner cryptocurrency holdings.

Not identifying the company that was attacked, Cybereason, an American cybersecurity firm, revealed that its customer was penetrated by a cryptojacking attack, dubbed “Wannamine,” which quickly “propagated” itself over 1,000 machines within the anonymous multinational firm. Explaining more about how the penetration process works, Amit Serper of Cybereason wrote:

Wannamine penetrates computer systems through an unpatched SMB service and gains code execution with high privileges to then propagate across the network, gaining persistence and arbitrary code execution abilities on as many machines possible.

Not only can Wannamine propagate quickly, but unlike traditional cryptojacking attacks, it can prove to be much more dangerous, destructive, and subsequently, more profitable for the individuals/group behind this medium of cyberattack. More specifically, Wannamine can mine “cryptocurrency far faster and more efficiently,” while also tweaking computer settings to make sure that the device infected doesn’t go to sleep, effectively maximizing the amount of crypto mined.

Moreover, the malware even searches for other cryptomining software in order to terminate those processes, and again, to subsequently try to squeeze every single bit of processing power of the computers of the victims.

As aforementioned, there are 919,000 servers that can still be breached by EternalBlue, with the actual numbers of devices likely being way above one million, as 919,000 servers doesn’t mean 919,000 individual machines, but rather, the number of vulnerable networks. Closing off the post, Serper advised firms to install the one-year-old patches, which still work despite their age. The Cybereason cybersecurity expert wrote:

As I mentioned earlier, Wannamine isn’t a new attack. It leverages the EternalBlue vulnerabilities that were used to wreak havoc around the world almost a year and a half ago. But more than a year later, we’re still seeing organizations severely impacted by attacks based on these exploits. There’s no reason for security analysts to still be handling incidents that involve attackers leveraging EternalBlue. And there’s no reason why these exploits should remain unpatched. Organizations need to install security patches and update machines.

Photo by Markus Spiske on Unsplash