Hackers Using Software Vulnerability Stolen From the NSA to Illicitly Mine Crypto
In a 25-page report released Wednesday, the Cyber Threat Alliance (CTA) detailed the worrying rise of illicit cryptocurrency mining in 2018; specifically, how hackers are using a software vulnerability leaked from the NSA last year to do it.
‘They’re Drinking Your Milkshake’
Hackers appear to be gaining entry to users’ systems the same way ransomware was implanted on so many computers during the 2017 WannaCry attacks: through a vulnerability in outdated Windows operating systems, dubbed “Eternal Blue” by the NSA.
The vulnerability was leaked in 2017 alongside other stolen NSA documents by the Shadow Brokers hacker group. The resulting attacks impacted Britain’s National Health Service (NHS) and other public institutions worldwide.
Our latest @CyberAlliance Joint Analysis has been released, highlighting the Illicit Cryptocurrency Mining Threat. And yes, they’re definitely drinking your milkshake. https://t.co/wjh5JvjYaT Thread!
— Neil Jenkins (@nejenkins) September 19, 2018
According to the report, detections of the malware hackers use to steal computing power from unwitting users for illicit mining have surged more than 400 percent since 2017.
In a blog post announcing the report, entitled “They’re Drinking Your Milkshake,” Neil Jenkins, chief analytical officer at the CTA, spells out how much illicit mining has exploded and why this is such a problem:
“…illicit mining is the ‘canary in the coal mine’ of cybersecurity threats. If illicit cryptocurrency mining is taking place on your network, then you most likely have worse problems and we should consider the future of illicit mining as a strategic threat. More sophisticated actors could use–or may already be using–that same access to lay the groundwork for you to have a really bad day.”
Why You Should Care
Adding to his sentiment, Jenkins says that an influx of illegal currency into the crypto market could devalue it due to the sheer volume of new units created.
Monero, for example, appears to be at the top of the list of currencies being targeted, with 85 percent of illicit mining operations producing its token, followed by Bitcoin at 8 percent and other altcoins, which account for the final 7 percent, according to Bloomberg.
Per the CTA’s findings, illegal mining is the “canary in the coal mine” of cybersecurity threats because it points to other weaknesses and vulnerabilities already present in the systems facing hacks.
A year on from Microsoft’s release of the patch for Eternal Blue, older, unpatched systems are still being hacked, and other backdoors have been released as part of the stolen NSA documents. Jenkins argues that this points to a broader problem with patching and keeping up with cybersecurity standards—or what the CTA report dubs “cyber hygiene.”
Both the wide accessibility and the ease of use of these system weaknesses mean novice malevolent hackers can use them to hijack machines for illicit mining with “little upfront work or knowledge,” according to the CTA fact sheet.
Hacked computers can experience physical damage from overheating parts and slowdown from damaged data. Hacking tools, however, are becoming more sophisticated, with some not using much CPU power or ceasing operations when they detect mouse movement so that they can remain undetected for as long as possible on a host machine.
What You Can Do About It
People who’ve already downloaded the patch appear to be safe, at least from the exploitation of the Eternal Blue vulnerability, according to Microsoft Senior Director Jeff Jones, who said in an interview with Bloomberg:
“A security update was released in March 2017. Customers who applied the update are protected.”
The CTA report offers guidelines to follow and precautions people can take to protect themselves from the proliferation of this and other hacking efforts–including monitoring CPU power usage for unusual consumption, strict system privilege policies to control access to vulnerable data and checking running processes on your machine for command text used by mining malware.
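One way to implement the two host checks the report recommends, monitoring CPU consumption and inspecting running processes for command text typical of mining malware, as an added example that is not from the CTA report or Microsoft. The indicator patterns, CPU threshold and sample process table are this example’s own assumptions, and the command-line check is what catches a miner that idles when it sees mouse movement, which a CPU threshold alone would miss.

```python
import re
from typing import Dict, List

# Command-line indicators typical of mining malware. Labels and patterns are
# this example's own assumptions, not taken from the CTA report.
MINER_INDICATORS = [
    ("stratum pool URL", re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("pool host:port via -o", re.compile(r"(^|\s)-o\s+\S+:\d{3,5}\b")),
    ("donate-level flag", re.compile(r"--donate-level\b", re.I)),
    ("CPU-mining algorithm name", re.compile(r"cryptonight|randomx", re.I)),
]
CPU_THRESHOLD = 80.0  # percent of one core, sustained; tune per host

# Constructed sample process table. On a real host, build the same records
# from psutil.process_iter(['pid', 'name', 'cmdline', 'cpu_percent']).
SAMPLE_PROCESSES = [
    {"pid": 412, "name": "svchost.exe", "cpu_percent": 2.1,
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 2210, "name": "winlogon.exe", "cpu_percent": 97.0,  # miner masquerading as a system binary
     "cmdline": "winlogon.exe -o stratum+tcp://pool.example.invalid:3333 "
                "-u WALLET_PLACEHOLDER --donate-level 1"},
    {"pid": 3090, "name": "chrome.exe", "cpu_percent": 85.0,
     "cmdline": "chrome.exe --type=renderer"},
    {"pid": 5120, "name": "ffmpeg.exe", "cpu_percent": 92.0,
     "cmdline": "ffmpeg -i in.mp4 out.mkv"},
    {"pid": 6001, "name": "updater.exe", "cpu_percent": 0.3,  # idle: pauses while the user is active
     "cmdline": "updater.exe --algo randomx --pause-on-active"},
]

def matched_indicators(cmdline: str) -> List[str]:
    """Return the label of every miner indicator found in a command line."""
    return [label for label, rx in MINER_INDICATORS if rx.search(cmdline)]

def assess(proc: Dict) -> Dict:
    """Rate one process: 'high' on command-line evidence, 'medium' on CPU load alone."""
    hits = matched_indicators(proc["cmdline"])
    if hits:
        severity = "high"
    elif proc["cpu_percent"] >= CPU_THRESHOLD:
        severity = "medium"  # sustained load only; needs analyst review (e.g. ffmpeg is legitimate)
    else:
        severity = "none"
    return {"pid": proc["pid"], "name": proc["name"], "severity": severity, "indicators": hits}

def scan(processes: List[Dict]) -> List[Dict]:
    """Return a finding for every process rated above 'none'."""
    return [r for r in (assess(p) for p in processes) if r["severity"] != "none"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES):
        print(finding)
```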
The CTA predicts this threat will increase in the near future, and strongly recommends protecting your system now. Per the report:
“Given these potential impacts, illicit cryptocurrency mining is not a victimless or harmless activity. Individuals and enterprises must counter this threat.”