Eternally pwned: “WannaMine” still spreading, using year-old leaked NSA exploits
In May of 2017, the WannaCry attack—a file-encrypting ransomware knock-off attributed by the US to North Korea—raised the urgency of patching vulnerabilities in the Windows operating system that had been exposed by a leak of National Security Agency exploits. WannaCry leveraged an exploit called EternalBlue, software that leveraged Windows’ Server Message Block (SMB) network file sharing protocol to move across networks, wreaking havoc as it spread quickly across affected networks.
The core exploit used by WannaCry has been leveraged by other malware authors, including the NotPetya attack that affected companies worldwide a month later, and Adylkuzz, a cryptocurrency-mining worm that began to spread even before WannaCry. Other cryptocurrency-mining worms followed, including WannaMine—a fileless, all-PowerShell based, Monero-mining malware attack that threat researchers have been tracking since at least last October. The servers behind the attack were widely published, and some of them went away.
But a year later, WannaMine is still spreading. Amit Serper, head of security research at Cybereason, has just published research into a recent an attack on one of his company’s clients—a Fortune 500 company that Serper told Ars was heavily hit by WannaMine. The malware affected “dozens of domain controllers and about 2,000 endpoints,” Serper said, after gaining access through an unpatched SMB server.