NSA Exploit Now Powering Cryptocurrency Mining Malware

from the ETERNALDAMAGE dept

You may have been asked if you'd like to try your hand at mining cryptocurrency. You may have demurred, citing the shortage in graphics cards or perhaps wary you were being coaxed into an elaborate Ponzi scheme. So much for opting out. Thanks to the NSA, you may be involved in mining cryptocurrency, but you're likely not seeing any of the benefits.

A computer security exploit developed by the US National Security Agency and leaked by hackers last year is now being used to mine cryptocurrency, and according to cybersecurity experts the number of infections is rising.

The good news is you won't have to cough up ransom to retake control of your computer. The bad news is this doesn't guarantee you'll have a functioning computer.

This new attack—called WannaMine—may seem like less of a threat than WannaCry because it doesn’t lock users out of their computer. But CrowdStrike noted in a blog post laying out its findings on WannaMine that the company has observed the malware “rendering some companies unable to operate for days and weeks at a time.” WannaMine infections are also hard to detect because it doesn’t download any applications to an infected device.

This is the path the NSA's malware has taken: from worldwide ransomware to drive-by installations of mining software. The initial infection vector is still the usual one: malicious links. Once inside, the malware co-opts your processor for cryptocurrency mining. If your computer happens to be part of a network, the infection spreads to connected computers, turning entire businesses into someone else's side hustle.

The "fun" part is that even patched systems can be infected. The NSA's EternalBlue exploit may no longer work against them, but a bundled tool called Mimikatz can still root around for login passwords and use those to keep spreading the malware. The damage isn't theoretical.
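The spread described above, once a password has been harvested, looks on the Windows side like one account opening network logons to many hosts in quick succession. The script below is an added illustration of how a defender can look for that pattern in logon telemetry; it is not code from this post, from Motherboard or from CrowdStrike. It assumes a SIEM-style record layout (Security Event ID 4624, Logon Type 3 for network logons); the hosts, accounts and thresholds are constructed for the example.

```python
"""Detect credential-reuse lateral movement in Windows logon telemetry.

A worm that has harvested a working password reuses it to open network
logons to many hosts inside a short window. Successful network logons are
Security Event ID 4624 with Logon Type 3, so we look for one account, from
one source address, fanning out to an unusual number of distinct hosts.

The record layout, thresholds, hosts and accounts are all constructed for
this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Each dict mirrors the
# fields a SIEM would normalise out of a logon event.
SAMPLE_EVENTS = [
    # Ordinary overnight backup job: one service account, two file servers.
    {"ts": "2018-02-19T02:00:00", "event_id": 4624, "logon_type": 3,
     "account": "svc_backup", "src_ip": "10.0.0.2", "host": "FS01"},
    {"ts": "2018-02-19T03:00:00", "event_id": 4624, "logon_type": 3,
     "account": "svc_backup", "src_ip": "10.0.0.2", "host": "FS02"},
    # jdoe logs on interactively at their own workstation (logon type 2).
    {"ts": "2018-02-19T08:30:00", "event_id": 4624, "logon_type": 2,
     "account": "jdoe", "src_ip": "-", "host": "WS15"},
    # A failed attempt (4625) is not a successful logon and is ignored.
    {"ts": "2018-02-19T08:59:50", "event_id": 4625, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "FS01"},
    # Then jdoe's credentials, from one host, reach six machines in ~3 minutes.
    {"ts": "2018-02-19T09:00:05", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "FS01"},
    {"ts": "2018-02-19T09:00:40", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "WS02"},
    {"ts": "2018-02-19T09:01:10", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "WS03"},
    {"ts": "2018-02-19T09:01:55", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "WS04"},
    {"ts": "2018-02-19T09:02:30", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "WS05"},
    {"ts": "2018-02-19T09:03:20", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "WS06"},
    # A lone network logon an hour later falls outside the window on its own.
    {"ts": "2018-02-19T10:15:00", "event_id": 4624, "logon_type": 3,
     "account": "jdoe", "src_ip": "10.0.0.15", "host": "WS07"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def find_lateral_fan_out(events, window_minutes=10, min_hosts=5):
    """Return {(account, src_ip): [hosts]} for every account/source pair that
    opened successful network logons to at least `min_hosts` distinct hosts
    within some `window_minutes` span. Both thresholds are tuning assumptions
    and should be set from a baseline of normal admin and service activity."""
    window = timedelta(minutes=window_minutes)
    per_source = defaultdict(list)
    for e in events:
        # Only successful network logons count as a lateral-movement hop.
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue
        key = (e["account"], e["src_ip"])
        per_source[key].append((parse_ts(e["ts"]), e["host"]))

    alerts = {}
    for key, hops in per_source.items():
        hops.sort()
        lo = 0
        # Sliding window over the time-ordered hops for this account/source.
        for hi in range(len(hops)):
            while hops[hi][0] - hops[lo][0] > window:
                lo += 1
            hosts = {host for _, host in hops[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                alerts.setdefault(key, set()).update(hosts)
    return {key: sorted(hosts) for key, hosts in alerts.items()}


if __name__ == "__main__":
    for (account, src_ip), hosts in find_lateral_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT {account} from {src_ip} reached {len(hosts)} hosts: "
              f"{', '.join(hosts)}")
```

Run against the constructed records, the backup account's two slow logons stay quiet while jdoe's burst from 10.0.0.15 is flagged. The same fan-out check works on real 4624 data once the thresholds are tuned to the environment's normal admin activity, and it catches the credential-reuse hop regardless of whether the original EternalBlue exploit succeeded.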

For companies hit by WannaMine at scale though, the cumulative effects can be disastrous, [Bryan] York [director of CrowdStrike] told me. He cited a client that recently came to CrowdStrike for help after their network was infected by WannaMine, which York said was using so much CPU power that it totally shut down their service.

“The implications of cryptocurrency mining aren't just, ‘Oh darn, I lost some of my CPU,’” York said. “It's actually getting in the way of how businesses conduct their operations and causing down time.”

While this isn't the first cryptominer based on NSA exploits to hijack users' computers, it's the hardest to track down and kill. It drops no application files of its own, relying on built-in Windows tools to do the dirty work; with nothing written to disk, it is all but invisible. And, unlike ransomware, there's no way to pay someone to stop using your CPU to mine Monero. You can't even buy your way out of the problem.

This won't be the last we'll see of malicious software built on NSA hacking tools. It will serve as a continual reminder of the government's untrustworthiness when it comes to secure computing, mass harvesting of data, and security tradeoffs made without input from the majority of stakeholders.

(Counterpoint via @dril: maybe NSA-enabled cryptomining hijacking is the most patriotic thing there is.)


Filed Under: cryptocurrency, exploits, leaks, malware, miners, nsa, weapons


Reader Comments



  • Ninja (profile), 20 Feb 2018 @ 3:19am

    There are other vectors out there that aren't nearly as stupid as this one. I explain: while it uses sophisticated means to infect computers and evade detection via AV or something, it becomes obvious you have a problem once your computer/network becomes unusable due to high CPU load. I've read about some malware strains that limit the CPU usage to something less glaring, which makes it quite hard for the regular user to detect there's something wrong.

    Also, even if it is an NSA exploit I will note that even if the NSA had disclosed it properly the thing is still exploitable even in patched systems so I would point my accusing finger at the NSA in the few months after the exploit went into the wild after they sat on it for who knows how long instead of working with devs to patch it. This time they aren't as guilty ;)


    • Rosie-Redstar (profile), 20 Feb 2018 @ 5:11am

      Re:

      Even with the 'the thing is still exploitable even in patched systems' angle...

      The initial breach of a network has to logically come from either an already infected computer joining the network, or through an unpatched computer already on the network.

      In the very early existence of the malware, there weren't as many already infected networks, meaning fewer infected computers to spread it across networks.

      This means the very first breaches had to be done via the exploit.

      Given this, the NSA is responsible for (excuse my likely poor metaphor here) the technological equivalent of attempting a controlled demolition of a couple of buildings and leveling most of the town as collateral damage.


    • charliebrown (profile), 20 Feb 2018 @ 2:38pm

      Re:

      What if it's actually put out there by the NSA to make up for all their apparent budget shortfalls?

      Maybe this is the work of the police and it will slowly replace civil forfeiture as a means of supplementing their budget?

      [/s]


  • Miss Taranza Arnold, 20 Feb 2018 @ 4:19am

    conscious drilling

    Dear Govt.
    Please fuck off forever.
    signed the next gun attack vector for you government cunts


    • Anonymous Coward, 20 Feb 2018 @ 6:43am

      Re: conscious drilling

      Government has murdered more, oppressed more, and stolen more than all war and crime combined throughout history.

      Yet people still call to ask it to take on ever more responsibilities.


      • OA (profile), 20 Feb 2018 @ 7:45am

        Re: Re: conscious drilling

        A different person with a different ax to grind will say the same thing about religion.

        To misquote Shakespeare, "All the world's a rhetorical weapon".


      • Anonymous Coward, 20 Feb 2018 @ 9:30am

        Re: Re: conscious drilling

        Government is a construct.
        People commit murder, using said construct as cover.
        And you want others to blame the construct, not the person. This is similar to the bullshit used to protect bad LEOs.


        • Anonymous Coward, 20 Feb 2018 @ 12:27pm

          Re: Re: Re: conscious drilling

          Can you not see the correlation between bad LEOs and mass murderers being a systemic problem, or, if you will, a problem with the construct?


          • OA (profile), 20 Feb 2018 @ 1:11pm

            Re: Re: Re: Re: conscious drilling

            "Government" is a type of construct.
            A specific government is a construct.

            One should not "blame the <type of> construct not the person". As we all know, a construct can be systemically corrupt.

            Clear(er)?


  • Anonymous Coward, 20 Feb 2018 @ 4:30am

    and everyone else is a thief/terrorist/bad person and the US govt and security services are all squeaky clean! yeah right!!


  • Anonymous Coward, 20 Feb 2018 @ 4:58am (comment flagged by the community)

    A close analogy

    That whole thing you describe about crypto-currency and how it takes over your computer, it made me think EXACTLY about my hot girlfriend, is that strange or what? When you talked about the malware taking control of the computer, it’s just like when she takes control of my existence! I mean, you remember the scene in Avatar when the crippled army guy climbs the anti-gravity mountains and tries to select a dragon to ride and he asks his hot girlfriend how he will know the right dragon and his hot girlfriends tells him “if she tries to kill you, she is for you”. I mean, that’s my hot girlfriend, she is that dragon, totally. And when I ride her, it sounds exactly like your whole crypto-currency computer-hijacking example, wow, like my will is gone and I have no cycles left I am only for her dropping from the sky with wings spread wide and them WHAM, recovering just before splattering on a rocky bed of ferns. I mean exactly, that’s what I thought of when I read this article. Did it hit anybody else that way? I mean, the whole crypto-currency thing.


    • That Anonymous Coward (profile), 20 Feb 2018 @ 5:38am

      Re: A close analogy

      Dude, it's too early for meth.


    • I.T. Guy, 20 Feb 2018 @ 6:29am

      Re: A close analogy

      You mean the one you knocked up that ended up leaving you three years later.

      "Did it hit anybody else that way?"
      EXACTLY!!! Couldn't have said it better myself.


  • Jim, 20 Feb 2018 @ 5:40am

    Actually!

    So, that's how some of the government's contractors are increasing their profits?


  • That Anonymous Coward (profile), 20 Feb 2018 @ 5:43am

    So the same government who wants backdoors in encryption, just for us good guys, generates & collects exploits & doesn't inform companies to get them patched so we can be protected, and leaves these devastating toys out in the open multiple times...

    It's bad enough when Windows telemetry goes apeshit & steals all my cycles, now I gotta avoid working in a cryptocoin mine made possible by the people who are supposed to protect us...
    Hummm...
    FBI invents terrorism plots...
    TSA abuses us, robs us, runs drugs, but it's only 'isolated' incidents...
    NSA can't pick up their own fsking toys...

    It's like the government is trying very hard to harm us to keep us scared & needing their protection.... but who is protecting us from them?


  • Anonymous Coward, 20 Feb 2018 @ 6:09am

    I think whoever is doing this could be using all the computers to mine cryptocurrency, and then wait for the statute of limitations to expire on any crimes they committed, and then cash in their cryptocurrency, pay the taxes and be done with it.

    The only thing with that is that you don't know what the value is going to be 5 years down the line, when the statute of limitations expires for any CFAA prosecutions.

    It is just like with insider trading and the statute of limitations. You don't know what the stock value is going to be 6 years down the road. Sure, someone could buy the stock, wait 6 years, and then cash in, but you don't know what the stock value will be in six years.


  • Anonymous Coward, 20 Feb 2018 @ 7:27am

    Phew!

    "... relying on Windows tools..."

    Man, am I glad the NSA consists mostly of skiddies who couldn't even install something as simple as Ubuntu if their lives depended on it.

    America is so fucking behind the rest of the world. Just fall already.


    • Anonymous Coward, 20 Feb 2018 @ 9:34am

      Re: Phew!

      Shouldn't judge the group by a few idiots at the top.


      • Anonymous Coward, 20 Feb 2018 @ 12:30pm

        Re: Re: Phew!

        Unfortunately, the cream rises to the top?


        • Anonymous Coward, 20 Feb 2018 @ 4:06pm

          Re: Re: Re: Phew!

          Politics is not dairy related, however it does come out of the same end of the cow.


    • Anonymous Coward, 20 Feb 2018 @ 12:12pm

      Re: Phew!

      The main attack vector for dropping miners on Windows machines is compromised Linux servers, usually via some sort of web service framework plugin that's been exploited.

      So it doesn't really matter if most of them are script kiddies; there are more than enough Ubuntu-targeted scripts out there to do damage, should people move from the NT kernel to the Linux kernel.


      • Anonymous Coward, 20 Feb 2018 @ 6:36pm

        Re: Re: Phew!

        > there are more than enough Ubuntu-targeted scripts out there to do damage, should people move from the NT kernel to the Linux kernel.

        That's what BSD is for.


    • orbitalinsertion (profile), 20 Feb 2018 @ 12:31pm

      Re: Phew!

      The NSA didn't write the miner...


  • Coyne Tibbets (profile), 20 Feb 2018 @ 12:33pm

    Wonder who is running WannaMine? CIA maybe?


