Remember the WannaCry ransomware that made us all want to cry? Well, bad news: the underlying vulnerability it relied on is still lurking out there, waiting to take your company’s infrastructure down. Our security team is still finding it on companies’ systems today. The underlying vulnerability is called EternalBlue. (More details on Cisco’s open source security coverage here.)
A hacker group called the Shadow Brokers leaked the NSA exploit EternalBlue (yes, that NSA, the US National Security Agency), and it was used to spread WannaCry over the SMB file-sharing service that Windows systems use for file mounts.
So what’s the new threat?
There is new malware that spreads using this same method, dubbed WannaMine. The good news is that if you patched your Microsoft systems with MS17-010 for WannaCry, you should be protected. But with this new malware popping up, I always recommend a thorough double check to make sure you are not vulnerable to other EternalBlue-based exploits.
It only takes one end user clicking a phishing email or using an easy-to-guess password to put your entire network at risk.
How is WannaMine different than WannaCry?
It doesn’t encrypt your disk, but it will steal your CPU and slow your system down. It uses the computing resources on infected systems to mine cryptocurrency (for example Bitcoin).
Cryptocoin mining isn’t new; people have been doing it from home to make a few dollars on the side for a while now. The WannaMine malware is just doing it on a large scale using your CPUs. The attackers are building a huge farm of infected systems to do the cryptocoin mining instead of using their own resources.
Below I’ve put together a quick Q&A to get you up to speed and discuss how to protect your company’s infrastructure from the malware.
Q: What is WannaMine?
A: WannaMine steals the CPU cycles of an infected computer to do cryptocurrency mining on behalf of the malware owner. This will slow down your systems, as processing resources are being rerouted to serve the malware owners instead.
Q: Can this damage my computers?
A: In its purist form WannaMine will only take your CPU’s and isn’t written to destroy data or steal it. But once the malicious software is running on your computer, it’s not a far leap for the hacker to start using it to steal your critical data and intellectual property, spread ransomware or use your computer to attack other systems in your network or someone else’s.
Q: If I don’t own any cryptocurrency, am I still susceptible to this attack?
A: Yes, you are. The hackers are using your CPU to earn their own cryptocurrency, not steal any you may or may not have yourself.
Q: Can defensive software prevent WannaMine attacks?
A: Yes, security software like network and endpoint defense systems, network breach detection and vulnerability management can all form protective layers around your systems.
Q: What else can I do?
A: Confirm that you have MS17-010 installed on all of your Microsoft systems (servers and desktops). Then, ensure your end users are up to date on training so they don’t click on any phishing emails trying to spread this malware.
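One way to carry out that first check on a Windows host, as an added example that is not from the original post or from Lewan: the script below lists any MS17-010 hotfix IDs that are installed and reports whether the SMBv1 server (the service EternalBlue targets) is still enabled. The KB-to-OS mapping is an assumption taken from the MS17-010 bulletin as I recall it; verify it against Microsoft’s bulletin for the exact builds you run. The cmdlets used (Get-HotFix, Get-SmbServerConfiguration, Get-CimInstance) are standard Windows PowerShell cmdlets.

```powershell
# Added example (not part of the original post): audit one Windows host for
# MS17-010 / EternalBlue exposure. Run in an elevated PowerShell session.

# Hotfix IDs that delivered MS17-010 per OS family. ASSUMED mapping; confirm
# against the Microsoft MS17-010 security bulletin before relying on it.
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Vista / Server 2003 / 2008 / Windows 8
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Returns the MS17-010 hotfix IDs found on this host (empty array = none).
    # Get-HotFix reads Win32_QuickFixEngineering, which does not list every
    # update type, so treat an empty result as "check further", not "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    @($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Test-Smb1Enabled {
    # $true / $false for the SMBv1 server setting, $null if the cmdlet is
    # unavailable (older OS without the SmbShare module).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $null }
    return [bool]$cfg.EnableSMB1Protocol
}

$os = Get-CimInstance Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

$found = Test-Ms17010Installed
if ($found.Count -gt 0) {
    Write-Host "MS17-010 hotfix present: $($found -join ', ')"
} else {
    # On Windows 10 / Server 2016 the fix ships inside cumulative updates, so the
    # original KB may never appear; a cumulative update dated March 2017 or later
    # carries it. On anything older, a missing KB means the host is unpatched.
    Write-Warning "No MS17-010 hotfix ID found. Verify patch level before treating this host as safe."
}

$smb1 = Test-Smb1Enabled
if ($smb1 -eq $true) {
    # Disabling SMBv1 removes the EternalBlue attack surface even on hosts that
    # patching missed; legacy devices that still need SMBv1 must be inventoried first.
    Write-Warning "SMBv1 server is ENABLED. Disable with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
} elseif ($smb1 -eq $false) {
    Write-Host "SMBv1 server is disabled."
} else {
    Write-Host "Could not query SMB server configuration on this OS; check the SMB1 feature state manually."
}
```

The two checks are deliberately separate: a host can be patched yet still expose SMBv1, and a host can have SMBv1 disabled yet still be unpatched. Both conditions are worth fixing, and running this across a fleet (for example via Invoke-Command) is the thorough double check the answer above recommends.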
If you want to refresh your users on how to spot phishing emails (these emails can look incredibly authentic!), Lewan has developed a training module that can be delivered to your company. Contact Lewan to schedule a session and find out more about the entire suite of infrastructure security solutions we offer our clients.