Users of tech services in Ottawa should know about cryptocurrency mining malware and the damage it can do to their systems. For those unfamiliar with it, cryptocurrency mining malware (often called cryptojacking) covertly puts computers the attacker is not authorized to use to work mining cryptocurrency, either by installing mining software on them or by running mining code in the visitor's browser, so that the victim's CPU time and electricity turn into money for the attacker. Below are three different flavours of this type of threat, each with a brief explanation of how it gains a foothold in a vulnerable environment.
Smominru: Smominru, also known as Ismo, infects Windows computers to mine the Monero cryptocurrency. To date the mining botnet has amassed 8,900 Monero, worth approximately US$3.6 million, and is currently mining about 24 Monero a day. Its command-and-control infrastructure is hosted with the DDoS protection provider SharkTech, which was notified of the abuse but did not act on the reports. Smominru uses the EternalBlue exploit to gain access to vulnerable machines, which tend to be servers running Windows Server 2003 and 2008 R2. EternalBlue attacks a flaw in SMBv1, the same flaw exploited by the WannaCry ransomware that spread so widely in May 2017. Users of managed services in Ottawa need not worry if their Windows servers are up to date: Microsoft patched the flaw in March 2017 (MS17-010) and followed with out-of-band updates for end-of-life systems, Windows Server 2003 included, in May 2017. A server that cannot be patched should have SMBv1 disabled and TCP port 445 blocked from the internet, because an unpatched Server 2003 machine reachable over SMB is exactly what this botnet is built to find.
WannaMine: Like Smominru, WannaMine uses the EternalBlue exploit, but before it tries EternalBlue it uses credential-harvesting tools to lift legitimate usernames and passwords from memory, then uses them to move laterally across the network. WannaMine also differs from Smominru in a couple of other ways. It is described as "fileless" because it uses tools built into its targets to reach its objective: Windows Management Instrumentation (WMI) permanent event subscriptions give it persistence and PowerShell does the work, so nothing new needs to be written to disk. This makes WannaMine hard to detect, so much so that traditional anti-virus solutions can let it slip past. Users of computer services in Ottawa will be happy to know that the defences are straightforward. Keep software up to date through patching to defend against the EternalBlue exploit, and make sure staff who use your network have strong, unique passwords so that the credential-theft stage yields less. One caveat: a strong password is no defence against a tool that reads it out of memory on a machine the attacker already controls, so also limit who holds local administrator rights, never share one administrator password across machines, and watch for WMI event subscriptions and PowerShell activity that your own tooling did not create.
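As an added check for the two footholds described above (example code written for readers of this article, not code from the article itself or from any analysis of Smominru or WannaMine), the following PowerShell looks at a Windows server for whether SMBv1, the protocol EternalBlue attacks, is still enabled and whether the MS17-010 updates are present, and then lists every permanent WMI event subscription, flagging consumers that launch PowerShell or a similar interpreter. The cmdlets, registry key and WMI classes are standard Windows; the KB numbers are the MS17-010 identifiers for Server 2003/2008 and Server 2008 R2, and the "suspicious" pattern is this example's own assumption. It needs Windows PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added host check, not code from the original article or from any analysis of
# Smominru or WannaMine. Needs Windows PowerShell 3.0 or later and an elevated
# prompt. Cmdlets, registry key and WMI classes are standard Windows; the KB
# list and the "suspicious" pattern are this example's own choices.

function Get-Smb1State {
    # EternalBlue only works against SMBv1. Server 2012 / Windows 8 and later
    # expose the setting as a cmdlet; Windows 7 / Server 2008 R2 carry it in the
    # LanmanServer key (Microsoft's KB2696547 method), where a missing value
    # means the default, and the default there is "enabled".
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Get-Ms17010Evidence {
    # MS17-010 shipped under per-release KB numbers; later monthly rollups
    # supersede them, so an empty result is a prompt to look closer, not proof
    # of exposure. Assumed mapping: KB4012598 = Server 2003 / 2008 SP2 (the
    # May 2017 out-of-band release), KB4012212 / KB4012215 = Server 2008 R2.
    $kbs = 'KB4012598', 'KB4012212', 'KB4012215'
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $kbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

function Get-WmiEventSubscriptions {
    # A permanent WMI subscription is three linked objects in root\subscription:
    # an __EventFilter (the trigger query), an __EventConsumer (what runs) and a
    # __FilterToConsumerBinding joining them. Ordinary servers have few or none,
    # so every one listed should be something you can account for.
    $ns        = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    # Consumers that launch an interpreter are the ones to review first.
    # This pattern is an assumption for the example; extend it to taste.
    $suspicious = 'powershell|-enc|-e |downloadstring|iex|invoke-expression|wscript|cscript|mshta|regsvr32|rundll32'

    foreach ($b in $bindings) {
        # Binding members are relative WMI paths such as
        # __EventFilter.Name="x" and CommandLineEventConsumer.Name="y".
        $f = $filters   | Where-Object { $b.Filter   -like ('*Name="{0}"' -f $_.Name) } | Select-Object -First 1
        $c = $consumers | Where-Object { $b.Consumer -like ('*Name="{0}"' -f $_.Name) } | Select-Object -First 1

        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }

        [pscustomobject]@{
            FilterName    = $f.Name
            Query         = $f.Query
            ConsumerClass = $c.__CLASS
            ConsumerName  = $c.Name
            Payload       = $payload
            Suspicious    = [bool]($payload -match $suspicious)
        }
    }
}

"SMBv1 enabled on this host: $(Get-Smb1State)"
"MS17-010 updates found:     $((Get-Ms17010Evidence | ForEach-Object HotFixID) -join ', ')"
"Permanent WMI event subscriptions (empty output is the good outcome):"
Get-WmiEventSubscriptions | Format-List
```

A subscription with Suspicious = True is not automatically malware, since some management agents create subscriptions of their own, but a CommandLineEventConsumer that fires an encoded PowerShell command on a timer or on system start is the fileless persistence the paragraph above describes and deserves an immediate look. The SMBv1 state is the control to trust: rollups supersede the listed KBs, so an empty KB list on an otherwise current machine is not by itself evidence of exposure, whereas SMBv1 reported as enabled on a server reachable over port 445 is.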
CoinHive: CoinHive takes a very different approach from Smominru and WannaMine. It is JavaScript: a script embedded in a compromised website starts mining in the visitor's browser for as long as the page stays open, with nothing installed on the visitor's machine. CoinHive itself is a legitimate mining library that website owners can embed, and when it is used honestly the visitor is asked for consent before their machine is put to work. In an attack on many British websites, users were not asked: the miner arrived through a compromised third-party script that all of the affected sites loaded, and the activity only came to light when a cyber security researcher was asked by a friend why his anti-virus software was complaining about a UK government website. Although that incident largely hit US, UK and Irish websites, it still presents a risk to companies that use IT in Ottawa, because the script runs wherever the page is opened. YouTube was subject to CoinHive too, through malicious advertisements, and no doubt this will not be the last time CoinHive is mentioned.
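For anyone who runs a website, the lesson of the incident above is that a script you load from someone else's server is only as trustworthy as that server is today. As an added example for site operators (not code from the article or from CoinHive), the following PowerShell audits the script tags in a page's HTML and flags scripts loaded from another origin without a Subresource Integrity (integrity=) attribute; a browser refuses to run an SRI-pinned script whose content has changed, which is precisely what stops a miner that has been injected into a third-party script. The sample HTML and every hostname in it are constructed for the example.

```powershell
# Added example for site operators, not code from the article or from CoinHive.
# Lists every external <script src> in a page and flags third-party scripts
# that carry no Subresource Integrity hash. The sample HTML and hostnames are
# constructed for the example.
function Get-ScriptAudit {
    param(
        [Parameter(Mandatory)][string]$Html,
        [Parameter(Mandatory)][string]$SiteOrigin   # the page's own origin, e.g. https://www.example.com
    )
    $siteHost = ([uri]$SiteOrigin).Host
    foreach ($m in [regex]::Matches($Html, '(?is)<script\b([^>]*)>')) {
        $attrs = $m.Groups[1].Value
        $src = [regex]::Match($attrs, '(?i)\bsrc\s*=\s*["'']?([^"''\s>]+)').Groups[1].Value
        if (-not $src) { continue }                       # inline script: review by hand
        $hasSri = [bool]($attrs -match '(?i)\bintegrity\s*=')

        # Protocol-relative ("//cdn...") and absolute URLs point off-site unless
        # the host is ours; relative paths are same-origin by definition.
        $abs = if ($src -like '//*') { "https:$src" } else { $src }
        $uri = $null
        $thirdParty = [uri]::TryCreate($abs, [UriKind]::Absolute, [ref]$uri) -and ($uri.Host -ne $siteHost)

        $risk = if ($thirdParty -and -not $hasSri) { 'HIGH: remote script, no integrity pin' }
                elseif ($thirdParty)              { 'ok: pinned by SRI' }
                else                              { 'same-origin' }
        [pscustomobject]@{ Src = $src; ThirdParty = $thirdParty; HasSri = $hasSri; Risk = $risk }
    }
}

# Constructed sample page: one same-origin script, one third-party script pinned
# with SRI, one third-party script loaded with nothing stopping a swapped payload.
$sample = @'
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib/widget.js"
        integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        crossorigin="anonymous"></script>
<script src="//reader.example.org/scripts/reader.js"></script>
</head><body></body></html>
'@

Get-ScriptAudit -Html $sample -SiteOrigin 'https://www.example.com' | Format-Table -AutoSize
```

On the sample the first script is same-origin, the second is pinned and the third is reported HIGH. To audit a live page, replace $sample with (Invoke-WebRequest -Uri 'https://your.site/').Content. SRI only works for scripts whose content you expect to stay fixed; a third-party script that updates itself cannot be pinned, and there a Content-Security-Policy restricting script-src to hosts you trust is the next best control. Neither helps the visitor of someone else's compromised site: for end users, keeping the browser and anti-virus current and blocking known mining domains at the web proxy are the realistic options.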
Cryptocurrency mining malware has become more than just a nuisance over the past six months. Some experts are reporting permanent damage to machines on which a miner ran undetected for a long time, because the hardware was kept at full load around the clock. Clients of Ottawa IT consulting should be on the lookout for the telltale symptoms: heavy CPU utilization that does not track what the user is actually doing, fans on devices running constantly, and machines slowing down under a typical workload.
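Turning those symptoms into something checkable, the following PowerShell (an added example, not code from the article) samples per-process CPU for a minute and reports the processes that stayed above a threshold in every sample, together with the path and Authenticode signature status of the executable. A miner shows up as a process that is busy the whole time regardless of what the user is doing; a legitimate build or video encode will show up too, so the output is a list to review, not a verdict. The counter path assumes an English-language Windows install, and the sample count, interval and threshold are this example's defaults.

```powershell
# Added example, not code from the original article. Samples CPU use for every
# process over a short window and reports the ones that stayed busy in all
# samples, which is the "CPU pegged, fans always on" symptom made checkable.
function Find-SustainedCpu {
    param(
        [int]$Samples = 6,             # 6 samples x 10 s = one minute of observation
        [int]$IntervalSeconds = 10,
        [double]$ThresholdPercent = 50 # share of the whole machine, not of one core
    )
    $cores = [Environment]::ProcessorCount

    # The per-process counter sums all cores, so on a 4-core box a process that
    # owns the machine reads 400; dividing by the core count normalises it.
    # The counter path is the English one; localised Windows uses another name.
    $sets = Get-Counter -Counter '\Process(*)\% Processor Time' `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples

    $busyCount = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            $inst = $s.InstanceName
            if ($inst -in '_total', 'idle') { continue }
            if (($s.CookedValue / $cores) -ge $ThresholdPercent) {
                $busyCount[$inst] = 1 + [int]$busyCount[$inst]
            }
        }
    }

    foreach ($inst in $busyCount.Keys) {
        # Busy only part of the time is normal work; a miner never lets go.
        if ($busyCount[$inst] -lt $Samples) { continue }
        $base = $inst -replace '#\d+$', ''          # "chrome#2" -> "chrome"
        foreach ($p in @(Get-Process -Name $base -ErrorAction SilentlyContinue)) {
            # Unsigned binaries running from user-writable paths deserve the
            # closest look; Path is empty when the process cannot be opened.
            $sig = 'unknown'
            if ($p.Path) {
                $sig = (Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction SilentlyContinue).Status
            }
            [pscustomobject]@{
                Name        = $p.ProcessName
                Id          = $p.Id
                Path        = $p.Path
                Signature   = $sig
                BusySamples = "$($busyCount[$inst])/$Samples"
            }
        }
    }
}

Find-SustainedCpu | Format-Table -AutoSize
```

Run it from an elevated prompt so that Path and Signature are populated for every process, and run it when the machine is supposed to be idle: a process that is still holding half the CPU on a lunch-hour workstation, with no valid signature and a path under a temp or ProgramData folder, is worth pulling the network cable for. Scheduling it to run a few times a day and keeping the output is a cheap way to shorten the detection times the paragraph above warns about.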