NSA Exploit Now Powering Cryptocurrency Mining Malware

from the ETERNALDAMAGE dept

You may have been asked if you’d like to try your hand at mining cryptocurrency. You may have demurred, citing the shortage in graphics cards or perhaps wary you were being coaxed into an elaborate Ponzi scheme. So much for opting out. Thanks to the NSA, you may be involved in mining cryptocurrency, but you’re likely not seeing any of the benefits.

A computer security exploit developed by the US National Security Agency and leaked by hackers last year is now being used to mine cryptocurrency, and according to cybersecurity experts the number of infections is rising.

The good news is you won’t have to cough up ransom to retake control of your computer. The bad news is this doesn’t guarantee you’ll have a functioning computer.

This new attack—called WannaMine—may seem like less of a threat than WannaCry because it doesn’t lock users out of their computer. But CrowdStrike noted in a blog post laying out its findings on WannaMine that the company has observed the malware “rendering some companies unable to operate for days and weeks at a time.” WannaMine infections are also hard to detect because it doesn’t download any applications to an infected device.

This is the path the NSA’s malware has taken: from worldwide ransomware to drive-by installations of mining software. The route to infection is still the normal route: malicious links. Once inside, the malware co-opts your processor for cryptocurrency mining. If your computer happens to be part of a network, the infection will spread to connected computers, turning entire businesses into someone else’s side hustle.

The “fun” part is even patched systems can be infected. The NSA’s EternalBlue exploit may no longer work, but an attached tool called Mimikatz can still root around for login passwords to continue spreading the malware. The damage isn’t theoretical.

For companies hit by WannaMine at scale though, the cumulative effects can be disastrous, [Bryan] York [director of CrowdStrike] told me. He cited a client that recently came to CrowdStrike for help after their network was infected by WannaMine, which York said was using so much CPU power that it totally shut down their service.

“The implications of cryptocurrency mining aren’t just, ‘Oh darn, I lost some of my CPU,’” York said. “It’s actually getting in the way of how businesses conduct their operations and causing down time.”

While this isn’t the first cryptominer based on NSA exploits to hijack users’ computers, it’s the hardest to track down and kill. It contains no application files, relying on Windows tools to perform the dirty work. No files written to disk make it all but invisible. And, unlike ransomware, there’s no way to pay someone to stop using your CPU to mine Monero. You can’t even buy your way out of the problem.

This won’t be the last we’ll see of malicious software built on NSA hacking tools. It will serve as a continual reminder of the government’s untrustworthiness when it comes to secure computing, mass harvesting of data, and security tradeoffs performed without input of the majority of stakeholders.

(Counterpoint via @dril: maybe NSA-enabled cryptomining hijacking is the most patriotic thing there is.)

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSA Exploit Now Powering Cryptocurrency Mining Malware”

Subscribe: RSS Leave a comment
26 Comments
Ninja (profile) says:

There are other vectors out there that aren’t nearly as stupid as this one. I explain: while it uses sophisticated means to infect computers and evade detection via AV or something it becomes obvious you have a problem once your computer/network becomes unusable due to high CPU load. I’ve read about some malware strains that limit the CPU usage to something less glaring that make it quite hard for the regular user to detect there’s something wrong.

Also, even if it is an NSA exploit I will note that even if the NSA had disclosed it properly the thing is still exploitable even in patched systems so I would point my accusing finger at the NSA in the few months after the exploit went into the wild after they sat on it for who knows how long instead of working with devs to patch it. This time they aren’t as guilty 😉

Rosie-Redstar (profile) says:

Re: Re:

Even with the ‘the thing is still exploitable even in patched systems’ angle…

The initial breach of a network has to logicly come from either a already infected computer joining the network, or through an unpatched computer already on the network.

In the very early existence of the malware, there wasn’t as many already infected networks, meaning less infected computers to spread it across networks.

This means the very first breaches had to be done via the exploit.

Given this, the NSA is responsible for (excuse my likely poor metaphor here) the technological equivalent of attempting a controlled demolition of a couple building and leveling most of the town as collateral damage.

Anonymous Coward says:

A close analogy

That whole thing you describe about crypto-currency and how it takes over your computer, it made me think EXACTLY about my hot girlfriend, is that strange or what? When you talked about the malware taking control of the computer, it’s just like when she takes control of my existence! I mean, you remember the scene in Avatar when the crippled army guy climbs the anti-gravity mountains and tries to select a dragon to ride and he asks his hot girlfriend how he will know the right dragon and his hot girlfriends tells him “if she tries to kill you, she is for you”. I mean, that’s my hot girlfriend, she is that dragon, totally. And when I ride her, it sounds exactly like your whole crypto-currency computer-hijacking example, wow, like my will is gone and I have no cycles left I am only for her dropping from the sky with wings spread wide and them WHAM, recovering just before splattering on a rocky bed of ferns. I mean exactly, that’s what I thought of when I read this article. Did it hit anybody else that way? I mean, the whole crypto-currency thing.

That Anonymous Coward (profile) says:

So the same government who wants backdoors in encryption, just for us good guys, generates & collects exploits & doesn’t inform companies to get them patched so we can be protected, and leaves these devastating toys out in the open multiple times…

Its bad enough when windows telemetry goes apeshit & steals all my cycles, now I gotta avoid working in a cryptocoin mine made possible by the people who are supposed to protect us…
Hummm…
FBI invents terrorism plots…
TSA abuses us, robs us, runs drugs, but its only ‘isolated’ incidents…
NSA can’t pick up their own fsking toys…

Its like the government is trying very hard to harm us to keep us scared & needing their protection…. but who is protecting us from them?

Anonymous Coward says:

I think whoever is doing this could be using all the computers to mine crytpocurrency, and then wait for the statute of limitations to expire on any crimes they committed, and then cash in their cryptocurrency, pay the taxes and be done with it.

The only thing with that is that you don’t know what the value is going to be 5 years down the line, when the statute of limitations expires for any CFAA prosecutions.

It is just wit insider trading the the statute of limitations. You don’t know what the stock value is going to be 6 years down the road. Sure, someone could buy the stock, wait 6 years, and then cash in, but you don’t know what the stock value will be in six years.

Anonymous Coward says:

Re: Phew!

The main attack vector for dropping miners on Windows machines is compromised Linux servers, usually via some sort of web service framework plugin that’s been exploited.

So it doesn’t really matter if most of them are script kiddies; there are more than enough Ubuntu-targeted scripts out there to do damage, should people move from the NT kernel to the Linux kernel.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...