Overview of Smominru Attack and Monero Currency
A rapidly growing cryptocurrency mining botnet has hijacked over half a million machines using EternalBlue (CVE-2017-0144, patched by MS17-010), the leaked NSA exploit against Windows SMBv1 that was used as part of the massive WannaCry ransomware outbreak in the spring of 2017. In addition, EsteemAudit (CVE-2017-0176), an exploit against the RDP service of older, unpatched Windows versions, has been used both to take over systems and to spread the infection further.
At the time of writing, some outlets report that the number of infected machines has grown to nearly one million. The Smominru botnet turns infected Windows machines into miners of the Monero cryptocurrency, and while estimates and valuations vary, its operators are widely believed to have made between $2.8 million and $3.6 million since the initial attacks in May 2017, with an estimated $8,500 (24 Monero) added to their coffers every day.
While bitcoin remains the most popular cryptocurrency, alternatives like Monero are increasingly used by cybercriminals because of their privacy properties (Monero hides sender, receiver and amount on its public ledger, so proceeds cannot be traced to a wallet the way bitcoin transactions can) and because, according to the reporting above, it can be converted into fiat currency more rapidly than bitcoin.
Cryptocurrency mining exceeding ransomware?
Cisco Talos, the threat intelligence group within networking giant Cisco, issued a report noting that the power of these attacks lies in the processing capacity of servers: Monero's proof-of-work algorithm is designed to run well on general-purpose CPUs, so a server with many cores delivers a far higher hash rate than a desktop. Windows servers are also targeted instead of traditional desktops because servers typically stay on around the clock and are rarely shut down or rebooted, which allows non-stop mining.
The implication is that the ease with which money is made through mining makes it more lucrative for cybercriminals to infect these systems than to push ransomware. This is all the more true when organizations remain unaware that their servers have become part of a mining botnet like Smominru, despite the performance hit from the compute it consumes. Ransomware pays once, if at all; mining keeps paying for as long as the infection goes unnoticed, which makes it a cash cow by comparison.
Smominru has worm-like behaviour: using EternalBlue, it finds and attacks vulnerable, unpatched Windows machines on its own, infecting new nodes and expanding the reach of the mining operation without operator involvement. So the $8,500-per-day figure is probably only growing. With little effort required beyond collecting the proceeds, this model is starting to make mining more popular than ransomware as the weapon of choice.
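The practical check that follows from the EternalBlue vector described above is whether a Windows host still speaks SMBv1, since that is the protocol version MS17-010 fixes and the precondition for both the WannaCry and the Smominru spread. The following is an added example, not code from this page, from Lumeta or from the Smominru operators: it sends an SMB_COM_NEGOTIATE request offering only SMBv1 dialects and classifies the reply. A host that answers with an SMB1 header and selects "NT LM 0.12" still has SMBv1 enabled; a host that answers with an SMB2 header, rejects every dialect or drops the connection does not expose this vector. The target host list, port 445 and the timeout are assumptions, and SMBv1 being enabled does not by itself prove the host is unpatched, only that it should be checked for MS17-010 and have SMBv1 disabled where nothing depends on it.

```python
"""SMBv1 exposure probe (added example, not Lumeta's or Smominru's code).

Offers only SMB1 dialects in a Negotiate Protocol request and classifies the
reply. Host/port/timeout values are assumptions for illustration.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Classic SMB1 dialect list; index 2 ("NT LM 0.12") is what modern Windows picks.
DEFAULT_DIALECTS = ("PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12")


def build_smb1_negotiate(dialects=DEFAULT_DIALECTS, mid=1):
    """Return a NetBIOS-framed SMB_COM_NEGOTIATE request offering `dialects`."""
    header = (
        SMB1_MAGIC
        + struct.pack("<B", SMB_COM_NEGOTIATE)  # Command
        + struct.pack("<I", 0)                  # NT Status
        + struct.pack("<B", 0x18)               # Flags: canonical paths, case-insensitive
        + struct.pack("<H", 0xC853)             # Flags2: unicode, NT status, ext. security, long names
        + struct.pack("<H", 0)                  # PIDHigh
        + b"\x00" * 8                           # SecurityFeatures (unused here)
        + struct.pack("<H", 0)                  # Reserved
        + struct.pack("<H", 0)                  # TID
        + struct.pack("<H", 0xFEFF)             # PIDLow
        + struct.pack("<H", 0)                  # UID
        + struct.pack("<H", mid)                # MID
    )
    assert len(header) == 32
    # Each dialect is a BufferFormat byte 0x02 followed by a NUL-terminated string.
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + struct.pack("<B", 0) + struct.pack("<H", len(body)) + body
    # NetBIOS session service header: message type 0x00 + 24-bit big-endian length.
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def parse_negotiate_response(data, dialects=DEFAULT_DIALECTS):
    """Classify a raw reply to build_smb1_negotiate().

    Returns ("smb1", dialect) if the server spoke SMB1 and selected a dialect,
    ("smb1", None) if it spoke SMB1 but rejected all offered dialects,
    ("smb2", None) if it answered with an SMB2 header, or ("none", None) when
    the reply is empty, too short or not a Negotiate response at all.
    """
    if len(data) < 4 + 32:
        return ("none", None)
    smb = data[4:]  # strip the 4-byte NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return ("smb2", None)
    if not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE:
        return ("none", None)
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return ("smb1", None)
    (index,) = struct.unpack_from("<H", smb, 33)  # DialectIndex
    if index == 0xFFFF or index >= len(dialects):
        return ("smb1", None)
    return ("smb1", dialects[index])


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port and report whether SMBv1 is accepted (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""  # SMBv1-disabled hosts commonly just drop the session
    return parse_negotiate_response(reply)


if __name__ == "__main__":
    # Usage: python smb1_probe.py 10.0.1.20 10.0.1.21 ... (hosts are assumptions)
    for target in sys.argv[1:]:
        try:
            proto, dialect = probe_smb1(target)
        except OSError as exc:
            print(f"{target}: unreachable ({exc})")
            continue
        verdict = "SMBv1 ENABLED" if dialect else "SMBv1 not accepted"
        print(f"{target}: {proto} {dialect or ''} -> {verdict}")
```

Run it only against hosts you are authorized to scan; the probe completes no authentication and sends nothing beyond the single negotiate request. A positive result is a work item for the patch and hardening queue, not proof of compromise.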
The security industry fails again!
Many vendor solutions, such as NAC and Internet of Things (IoT) security, vulnerability management and even SIEM, claim to discover networks and endpoints and to offer greater network visibility; however, most of these solutions rely on partial or full packet captures on already-known networks, or discover endpoints only when they formally request access to the network or generate events. These solutions can miss large chunks of endpoint devices and even whole networks. At Lumeta we have found that on average over 20 percent of infrastructure is unknown, whether rogue networks, unmanaged endpoints, shadow IT or malicious actors. Couple that with an outdated operating system and it is no surprise that, 99 percent of the time, attackers can compromise an organization within minutes.
Most vendors that claim continuous monitoring of vulnerable infrastructure not only rely on easily discovered or already-known assets but also fail to monitor the network in real time. Many of these solutions focus on endpoint activity while not effectively watching the network itself for suspect changes. For many of them, "continuous" monitoring really means periodic: they poll network elements and endpoints, and an attacker can do plenty of damage inside that polling interval, essentially hiding between polls. Such solutions can miss activity like WannaCry or Smominru, both of which were able to open a path to a known malicious domain and transmit data.
These infections can be prevented, not just stopped
Lumeta partners with several endpoint vendors so that the groundwork is in place before an attack ever happens. Lumeta's flagship product, Lumeta Spectre, recursively and authoritatively indexes all connected endpoints (plus all networks and devices), whether physical, mobile, virtual or cloud, and in real time immediately detects and monitors new devices as they connect to the network. Integrated with, or working side by side with, today's leading endpoint security vendors, Lumeta Spectre gives IT organizations real-time network visibility for endpoint security across the entire enterprise network. With Lumeta, the Windows systems that went unpatched would have been identified and flagged well in advance, providing the opportunity to upgrade older operating systems, patch existing systems and install current endpoint security tools much sooner.
Another critical factor in preventing these attacks is the ability to find any unauthorized or left-open leak paths to the Internet. A miner needs such a path twice: first to pull the malware code onto the machine, and then, once the mining software is active, to send its results to the attackers' collection sites. Locking these paths down is critical to preventing a successful mining operation.
The same processes apply to an attack that is already in progress. Lumeta Spectre works to discover any new leak paths created by attackers for the purpose of delivering more software or communicating with external collection servers.
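Two of the claims above can be turned into something a SOC can actually run: that a meaningful share of hosts are unknown to the inventory, and that a mining infection depends on an egress leak path, first to fetch the miner and then to reach its pool or collection server. The following is an added example, not Lumeta's code and nothing from the Smominru campaign. It triages constructed firewall flow records against an assumed asset inventory and an assumed single approved egress proxy, and flags three things: internal sources absent from the inventory, direct egress that bypasses the proxy, and connections that look like Stratum mining traffic (ports commonly used by Monero pools, or a JSON-RPC login message carrying a miner user agent such as XMRig's). The log format, all IP addresses, the inventory, the proxy address and the wallet string are constructed for the example; the internal address space and the port list are assumptions you would replace with your own.

```python
"""Egress leak-path and mining-traffic triage over firewall flow records.

Added example, not Lumeta's or Smominru's code. Assumptions: flows are
key=value lines in the constructed format of SAMPLE_LOG; approved Internet
egress goes only through PROXY_IP; KNOWN_ASSETS is the asset inventory;
INTERNAL_NETS is the enterprise address space.
"""
import ipaddress
import json
import re

PROXY_IP = "10.0.0.5"                                   # assumed approved egress gateway
KNOWN_ASSETS = {"10.0.0.5", "10.0.1.20", "10.0.1.21"}   # assumed inventory
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal space
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}   # ports commonly used by pools
# Stratum JSON-RPC login (Monero pools) or mining.subscribe (bitcoin-style pools).
LOGIN_RE = re.compile(r'"method"\s*:\s*"(login|mining\.subscribe)"')

# Constructed sample records (not real traffic); payload is a captured snippet, if any.
SAMPLE_LOG = """\
ts=2018-02-01T03:14:01Z src=10.0.1.20 dst=10.0.0.5 dport=3128 bytes=5120 payload=
ts=2018-02-01T03:14:07Z src=10.0.1.21 dst=203.0.113.9 dport=443 bytes=2048 payload=
ts=2018-02-01T03:14:09Z src=10.0.7.77 dst=198.51.100.23 dport=5555 bytes=880 payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4CONSTRUCTEDWALLET","pass":"x","agent":"XMRig/2.4.4"}}
ts=2018-02-01T03:14:12Z src=10.0.1.21 dst=198.51.100.23 dport=14444 bytes=640 payload=
ts=2018-02-01T03:15:00Z src=10.0.0.5 dst=203.0.113.9 dport=443 bytes=9000 payload=
"""


def parse_flow(line):
    """Parse one key=value record into a dict; return None for malformed lines."""
    rec = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec.get("bytes", 0))
    except (KeyError, ValueError):
        return None
    return rec if all(k in rec for k in ("src", "dst")) else None


def is_internal(addr):
    """True when addr falls inside the configured enterprise address space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def triage(flows):
    """Return a list of (src, reason) findings for suspicious flows."""
    findings, flagged_unknown = [], set()
    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        if not is_internal(src):
            continue  # inbound or transit traffic; out of scope for egress triage
        if src not in KNOWN_ASSETS and src not in flagged_unknown:
            flagged_unknown.add(src)
            findings.append((src, "unknown asset: not in inventory"))
        external = not is_internal(dst)
        if external and src != PROXY_IP:
            findings.append((src, f"leak path: direct egress to {dst}:{dport} bypassing proxy"))
        if external and dport in STRATUM_PORTS:
            findings.append((src, f"mining pool port {dport} to {dst}"))
        payload = f.get("payload", "")
        if LOGIN_RE.search(payload):
            agent = ""
            try:
                agent = json.loads(payload).get("params", {}).get("agent", "")
            except (ValueError, AttributeError):
                pass  # matched the method name but the snippet is not full JSON
            findings.append((src, f"stratum login message (agent={agent or 'unknown'})"))
    return findings


def analyze(log_text):
    """Parse a block of flow records and triage them."""
    flows = [f for f in map(parse_flow, log_text.splitlines()) if f]
    return triage(flows)


if __name__ == "__main__":
    for host, reason in analyze(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

On the constructed sample the unknown host 10.0.7.77 trips every check at once (not in inventory, direct egress, pool port, XMRig login), while the known host 10.0.1.21 is caught only by the leak-path and pool-port rules, which is the realistic case: a well-inventoried server that has been infected still shows up because its egress path was never closed. The port rule alone produces false positives on networks that legitimately use these ports, so treat it as a prioritization signal and the login-message and bypass rules as the higher-confidence ones.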
To learn more about Lumeta Spectre and how to find a better way to combat cryptocurrency mining attacks, visit: http://www.lumeta.com/products/