NSA Exploit Now Powering Cryptocurrency Mining Malware

(Mis)Uses of Technology

from the ETERNALDAMAGE dept

You may have been asked if you’d like to try your hand at mining cryptocurrency. You may have demurred, citing the shortage in graphics cards or perhaps wary you were being coaxed into an elaborate Ponzi scheme. So much for opting out. Thanks to the NSA, you may be involved in mining cryptocurrency, but you’re likely not seeing any of the benefits.

A computer security exploit developed by the US National Security Agency and leaked by hackers last year is now being used to mine cryptocurrency, and according to cybersecurity experts the number of infections is rising.

The good news is you won’t have to cough up ransom to retake control of your computer. The bad news is this doesn’t guarantee you’ll have a functioning computer.

This new attack—called WannaMine—may seem like less of a threat than WannaCry because it doesn’t lock users out of their computer. But CrowdStrike noted in a blog post laying out its findings on WannaMine that the company has observed the malware “rendering some companies unable to operate for days and weeks at a time.” WannaMine infections are also hard to detect because it doesn’t download any applications to an infected device.

This is the path the NSA’s malware has taken: from worldwide ransomware to drive-by installations of mining software. The route to infection is still the normal route: malicious links. Once inside, the malware co-opts your processor for cryptocurrency mining. If your computer happens to be part of a network, the infection will spread to connected computers, turning entire businesses into someone else’s side hustle.

The “fun” part is even patched systems can be infected. The NSA’s EternalBlue exploit may no longer work, but an attached tool called Mimikatz can still root around for login passwords to continue spreading the malware. The damage isn’t theoretical.

For companies hit by WannaMine at scale though, the cumulative effects can be disastrous, [Bryan] York [director of CrowdStrike] told me. He cited a client that recently came to CrowdStrike for help after their network was infected by WannaMine, which York said was using so much CPU power that it totally shut down their service.

“The implications of cryptocurrency mining aren’t just, ‘Oh darn, I lost some of my CPU,’” York said. “It’s actually getting in the way of how businesses conduct their operations and causing down time.”

While this isn’t the first cryptominer based on NSA exploits to hijack users’ computers, it’s the hardest to track down and kill. It contains no application files, relying on Windows tools to perform the dirty work. No files written to disk make it all but invisible. And, unlike ransomware, there’s no way to pay someone to stop using your CPU to mine Monero. You can’t even buy your way out of the problem.

This won’t be the last we’ll see of malicious software built on NSA hacking tools. It will serve as a continual reminder of the government’s untrustworthiness when it comes to secure computing, mass harvesting of data, and security tradeoffs performed without input of the majority of stakeholders.

(Counterpoint via @dril: maybe NSA-enabled cryptomining hijacking is the most patriotic thing there is.)

Filed Under: cryptocurrency, exploits, leaks, malware, miners, nsa, weapons