Hackers Use EternalBlue Exploit to Infect 500K Computers with Cryptominer

Over the past year, a group of hackers has used the “EternalBlue” exploit to infect more than 500,000 computers from around the world and use them to mine Monero.

According to researchers from security firm Proofpoint, who have been tracking the botnet since May 2017, the cybercriminals behind it have used the computing power of the infected systems to mine approximately 8,900 Monero coins. The value of the coins would have been between $2.8 million and $3.6 million based on this week’s Monero valuations.

Working with abuse.ch and the ShadowServer Foundation, the Proofpoint researchers succeeded to temporarily sinkhole the botnet, which has been dubbed Smominru. This allowed them to count more than 526,000 infected Windows computers.

“These nodes are distributed worldwide but we observed the highest numbers in Russia, India and Taiwan,” the researchers said in a report.

The Smominru malware, also known as Ismo, has been well-documented by other security companies over the past year, but the true size of the botnet remained unknown until now. What’s interesting is that the primary method of infection with this malware is through EternalBlue, an exploit for the Windows SMB service that’s believed to have been part of the National Security Agency’s cyber arsenal.

The same exploit has been used over the past year by other malware families, including the WannaCry and NotPetya ramsomware programs that caused hundreds of millions of dollars in losses to large multinational companies.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity,” the Proofpoint researchers said.

After the NotPetya attack last year, network scans revealed that over 40 percent of SMB-enabled computers inside large corporate networks still supported SMBv1 and the percentage was much higher in some regions of the world. Microsoft is actively discouraging the use of this decades-old version of the protocol, but until recently, it was enabled by default on all Windows versions for backward-compatibility, even if newer versions of the OS also support more secure versions of SMB.

It’s true that many companies still have old computers and devices that can only talk SMBv1, but those systems should be isolated in smaller network segments. Keeping SMBv1 enabled for all systems on enterprise networks creates unnecessary risk, especially since its code base is very old and likely to contain other serious vulnerabilities.

“It was only a matter of time before the leaked NSA exploits would be used again to distribute malware en masse,” said Tyler Moffitt, senior threat research analyst at Webroot, via email. “However, this time cybercriminals are realizing that ransomware isn’t the most profitable payload anymore. Mining cryptocurrency using victims CPU is BOOMING right now and our threat team only expects it to grow even further.”

Kaspersky Lab Fixes Serious Vulnerabilities in Secure Mail Gateway

Kaspersky Lab is advising users of its Secure Mail Gateway product to upgrade to a newly released version of the system to fix vulnerabilities that could lead to a full compromise.

The flaws were found by researchers from Core Security and were reported responsibly to Kaspersky in October. They have been fixed in Kaspersky Secure Mail Gateway 1.1 MR1.

According to the Core researchers, the management console of older versions of Kaspersky Secure Mail Gateway don’t have protection against cross-site request forgery (CSRF) attacks. This could allow attackers to hijack an administrator’s account when browsing a malicious website.

The CSRF technique could be used to overwrite a configuration file on the device, replacing the password for the administrative account with one chosen by the attacker and resulting in persistent access to the system.

The Core researchers also identified a separate vulnerability in a configuration option that could be exploited to execute arbitrary code on the device as root, as well as a privilege escalation flaw that could be used to gain root permissions from a limited account.

Finally, the researchers also found a reflected cross-site scripting (XSS) issue in the callback parameter of the importSettings action method of the web management console.

For these vulnerabilities to be exploited, authorized product administrators need to either perform deliberate malicious actions or to visit untrusted websites on the internet while being authenticated in the product’s web-based interface with the same browser, Kaspersky Lab said in an advisory.

“We recommend authorized product administrators, who do not update product version, not to use the same browser for management of KSMG product and for browsing internet,” the company said.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 98 posts and counting.See all posts by lucian-constantin