WannaMine - Crypto Currency Mining Malware On The Rise

rgMekanic

[H]ard|News
Last year, a Windows exploit developed by the NSA was leaked called EternalBlue. That exploit was then used to initiate the WannaCry and NotPetya cyberattacks. Now it seems the same EternalBlue exploit is being used to infect computers with a new strain, "WannaMine." After infection, the script uses PowerShell and Windows Management Instrumentation. It first uses a tool called "Mimikatz" to pull logins and passwords from system memory, and if that fails, WannaMine uses EternalBlue to force its way in.

This is starting to get a little ridiculous. CrowdStrike goes into how it detected and defeated WannaMine on clients' systems, but also states that WannaMine is fileless, and since it uses legitimate system software to run, it is nearly impossible for organizations to block it without "some form of next-generation antivirus."

CrowdStrike expects to see much more cryptomining activity in 2018, resulting in business disruptions and downtime that can impact the bottom line. As organizations and companies come to understand how these traditionally unsophisticated actors are using increasingly sophisticated tactics, they can take a vital step toward promoting a stronger security posture and avoiding unnecessary interruptions that can affect critical business processes.
 
Looks like most of that gets blocked by proper edge device firewall rules (default block everything) and using a script blocker on the client. No need for "Advanced Antivirus", just good basic security practices.
 
Requires a *patched* exploit or creds to propagate.

Big deal. People who get hit by this deserve it.
 
I am starting to think the government should seize crypto in some broad, unconstitutional interpretation of RICO. Yes, I'm joking.
 
Unless people have high-end GPUs in their system, I can't imagine there would be much of a return in crypto mining using the CPU of an infected system.
 
The most concerning thing I'm seeing more often is how code is getting injected into legitimate processes and existing as fileless malware. I know it's not new, but it seems to be increasing and getting more dangerous.
 
I am starting to think the government should seize crypto in some broad, unconstitutional interpretation of RICO. Yes, I'm joking.

For the sake of argument, which government? This "government should just shut down crypto" statement comes up fairly frequently so I'm curious how you think a single government can seize/control/shutdown what is global and decentralized. It's about as meaningful as one country believing they can shut down the internet, or "ban TCP/IP".
 
Just because it's "fileless" does not mean it is artifactless. Also...If enterprises haven't patched against WCry and nPetya by now.... Will they ever? lol
 
Unless people have high-end GPUs in their system, I can't imagine there would be much of a return in crypto mining using the CPU of an infected system.
You would be surprised. An AMD FX 8-core CPU earns over a dollar per day.
 
For the sake of argument, which government? This "government should just shut down crypto" statement comes up fairly frequently so I'm curious how you think a single government can seize/control/shutdown what is global and decentralized. It's about as meaningful as one country believing they can shut down the internet, or "ban TCP/IP".

It's quite easy. I'm not going to repeat myself.

Jesus people are short sighted. (Edited)
 
Just because it's "fileless" does not mean it is artifactless. Also...If enterprises haven't patched against WCry and nPetya by now.... Will they ever? lol

A lot of machines that are hard to locate or update run old OSes that can't be updated. Like getting a support patch for an 8-year-old network printer.

But don't worry the NSA says these hacks are aimed at more technically inferior nations. So we should stop worrying.

You put firecrackers in the hands of the young hackers who created them; they all think it's safe until it goes off in their hand.
 
Short-sited? Is that like running out of URLs?

I will admit my proofing and English skills are horrid. If people just read my papers and didn't look at my final work they would think me an idiot.

Thanks for the catch.
 
I will admit my proofing and English skills are horrid. If people just read my papers and didn't look at my final work they would think me an idiot.

Thanks for the catch.

Hope that wasn't too snarky....just trying to lighten the mood a bit. (y)
 
So is it safe to assume that this exploit only affects Windows operating systems?
 