Crypto Mining Malware Spreading Via SMBv1 Vulnerability
Ransomware Cryptocurrency Link
During 2017 we saw advances in security tools which have meant IT and network security managers have become better equipped to deal with ransomware threats. In addition, lots of standalone programs have been made by independent researchers to decrypt files. This increased awareness of ransomware prevention (backing up files) and Ransomware detection tools has really helped to reduce the Ransomware problem.
Bitcoin is frequently associated with Ransomware as it is a popular payment type demanded by ransomware authors. There are many types of crypto currency available today which you can acquire with money or goods or you can mine them using one or more computers.
The primary purpose of mining is to allow Bitcoin nodes to reach a secure, tamper-resistant consensus. Mining is also the mechanism used to introduce Bitcoins into the system: Miners are paid any transaction fees as well as a “subsidy” of newly created coins. The image below shows an example of a large bitcoin mining rig, lots of processing power and associated cooling fans to keep it operational.
One of the new trends with Malware is the move away from data encryption to a more stealthy bitcoin mining strategy. Bitcoin mining can happen in the background. No need for any splash screens or data destruction.
Crypto Mining Malware & Association With SMBv1
Many attackers now favor anonymous cryptocurrencies, with Monero being the most prominent. Crypto currencies are popular as they are both secure, private and difficult to trace. Servers are often targeted and since many of them are not updated or patched on a regular basis, attackers have a bigger chance of success.
Recently more than 526,000 Windows hosts, mostly Windows servers, have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144) which targeted the SMBv1 protocol.
Crypto mining malware like this covertly mines for coins using the victim’s GPU horsepower without them knowing about it. It has potential for longer-term gains. When a computer is infected many people will fail to notice fans spinning up, or computers under higher load or just plain old not responding. A lot of those people may just pass it off as “one of those things my computer does.”
How to Detect SMBv1 Use on Your Network
As I mentioned earlier, the ExternalBlue exploit is being used by a lot of attackers to install Ransomware or Crypto Miners on victims PC’s. Systems are compromised when an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server
Because of this, you need to make sure you detect SMBv1 use on your network and switch off the protocol on any systems which has it enabled. SMBv1 has been superceeded by SMBv2 and SMBv3 which are far more efficient and secure.
However, sometimes reality is more difficult than the theory. I met with some of our LANGuardian customers this week. They said that when they disabled SMBv1 on some servers they had issues with a loss in connectivity to some printers. I also had issues in my home lab where certain Android devices lost connectivity to a NAS system when SMBv1 was disabled. The easy thing to do is to re-enable SMBv1 but that will increase the attack vector of your network.
Using LANGuardian to Detect SMBv1 Use
The video below shows how a traffic analysis tool like our own LANGuardian can be used to root out SMB1 clients and servers on your network. Make sure you can detect this activity by monitoring communication between clients and servers or check each network device to see if SMBv1 is enabled.