Top
Eternally pwned: “WannaMine” still spreading, using year-old leaked NSA exploits – ANITH
fade
220308
post-template-default,single,single-post,postid-220308,single-format-standard,eltd-core-1.1.1,flow child-child-ver-1.0.0,flow-ver-1.3.6,eltd-smooth-scroll,eltd-smooth-page-transitions,ajax,eltd-blog-installed,page-template-blog-standard,eltd-header-standard,eltd-fixed-on-scroll,eltd-default-mobile-header,eltd-sticky-up-mobile-header,eltd-dropdown-default,wpb-js-composer js-comp-ver-5.0.1,vc_responsive

Eternally pwned: “WannaMine” still spreading, using year-old leaked NSA exploits

Eternally pwned: “WannaMine” still spreading, using year-old leaked NSA exploits

Enlarge / This old mine is still yielding somebody Monero. (credit: Max Pixel (CC))

In May of 2017, the WannaCry attack—a file-encrypting ransomware knock-off attributed by the US to North Korea—raised the urgency of patching vulnerabilities in the Windows operating system that had been exposed by a leak of National Security Agency exploits. WannaCry leveraged an exploit called EternalBlue, software that leveraged Windows’ Server Message Block (SMB) network file sharing protocol to move across networks, wreaking havoc as it spread quickly across affected networks.

The core exploit used by WannaCry has been leveraged by other malware authors, including the NotPetya attack that affected companies worldwide a month later, and Adylkuzz, a cryptocurrency-mining worm that began to spread even before WannaCry. Other cryptocurrency-mining worms followed, including WannaMine—a fileless, all-PowerShell based, Monero-mining malware attack that threat researchers have been tracking since at least last October. The servers behind the attack were widely published, and some of them went away.

But a year later, WannaMine is still spreading. Amit Serper, head of security research at Cybereason, has just published research into a recent an attack on one of his company’s clients—a Fortune 500 company that Serper told Ars was heavily hit by WannaMine. The malware affected “dozens of domain controllers and about 2,000 endpoints,” Serper said, after gaining access through an unpatched SMB server.

Read 5 remaining paragraphs | Comments

Source link

Anith Gopal
No Comments

Post a Comment

four × three =

This site uses Akismet to reduce spam. Learn how your comment data is processed.