Criminal campaign uses leaked NSA tools to set up cryptomining scheme, Trend Micro says
Since March, criminals have been using hacking tools reportedly stolen from the National Security Agency to target companies around the world in a cryptomining campaign, researchers at cybersecurity company Trend Micro said Thursday.
The broad-brush campaign has hit organizations in the banking, manufacturing and education sectors, among others, Trend Micro says. The criminals are essentially hijacking corporate computing power to mine the cryptocurrency Monero. That is hardly a new concept, but in this case it is a reminder that tools built for state-sponsored hackers can also be used by relatively unskilled crooks more interested in making money than in spying.
“Entry-level cybercriminals are gaining easy access to what we can consider ‘military-grade’ tools — and are using them for seemingly ordinary cybercrime activity,” Trend Micro researchers wrote in a blog post.
The attacks exploit old versions of Microsoft Windows using a variant of a backdoor based on the EternalBlue exploit, Trend Micro said. EternalBlue is an exploit for a vulnerability in the SMBv1 file-sharing protocol in Windows, reportedly developed by the NSA and dumped online in April 2017 by a mysterious group known as the Shadow Brokers. It has since been used in a series of attacks, including the 2017 WannaCry ransomware outbreak, which compromised computers in more than 150 countries and caused billions of dollars in damage. Citing forensic evidence, U.S. officials have blamed the North Korean government for WannaCry.
The NSA has declined to publicly address the Shadow Brokers' leaks. The New York Times reported last month that criminal hackers had used EternalBlue to spread ransomware across the City of Baltimore's IT infrastructure. While not addressing the substance of the Times report, NSA senior adviser Rob Joyce has said there is no "indefensible" nation-state-built tool responsible for the spread of ransomware, and that network administrators have a responsibility to patch their systems.
Microsoft issued a patch for the vulnerability EternalBlue exploits in March 2017, more than two years ago, but many businesses' failure to update their systems is still haunting them. The hackers in the campaign flagged by Trend Micro aren't even targeting specific industries; they are simply seeking out organizations that still run old, unpatched software.
The Trend Micro researchers found more than 80 files involved in the campaign, all of them variants of an open-source tool for mining Monero. More than half of the organizations targeted were in China, India and Vietnam, according to Trend Micro. Only companies, not individuals, were sought out. Two U.S. companies were affected, one in the tech industry and the other in an unidentified sector, the researchers said.
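The check an administrator would want after reading the above is whether a given Windows host still offers the SMBv1 dialect that EternalBlue abuses and whether the March 2017 fix is in place. The following PowerShell script is an added example written for this article; it is not code from Trend Micro's report or from the campaign it describes. It assumes Windows 8 / Server 2012 or later (for the `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration` cmdlets) and an elevated session. The package IDs in `$Ms17010Kbs` are the ones Microsoft's MS17-010 bulletin listed for older Windows versions; on any currently updated system the fix is carried inside later cumulative updates, so a miss on those IDs is not proof that a host is unpatched, and the SMBv1 state is the more durable signal.

```powershell
# Added example (not from Trend Micro's report): audit and remediate the
# local attack surface that EternalBlue needs, SMBv1 enabled on TCP/445.
# Assumes Windows 8 / Server 2012 or later and an elevated session.
#Requires -RunAsAdministrator

# Original MS17-010 (March 2017) package IDs for Windows 7 / 8.1 / 2008 R2 /
# 2012 / 2012 R2, plus the out-of-band XP/2003 package. Current systems get
# the fix inside later cumulative updates, so "not found" here does NOT mean
# the host is unpatched; the SMBv1 state below is the durable check.
$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012215',
                'KB4012216', 'KB4012217', 'KB4012598')

function Get-EternalBlueExposure {
    # Server side: is the SMB1 dialect still offered to clients?
    $smb = Get-SmbServerConfiguration

    # Optional-feature view exists on client SKUs (8.1/10/11); server SKUs
    # expose the component via Get-WindowsFeature FS-SMB1 instead, so tolerate
    # a missing cmdlet or feature name.
    $feature = $null
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
            -ErrorAction SilentlyContinue
    } catch { }

    $hotfix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = (Get-CimInstance Win32_OperatingSystem).Version
        Smb1ServerOn   = [bool]$smb.EnableSMB1Protocol
        Smb1Feature    = if ($feature) { $feature.State.ToString() } else { 'n/a' }
        Ms17010Package = if ($hotfix) { $hotfix.HotFixID -join ',' } else { 'not found' }
        # A host that answers SMBv1 on 445 is the precondition the exploit needs.
        Exposed        = [bool]$smb.EnableSMB1Protocol
    }
}

function Disable-Smb1Server {
    # Stop offering the SMBv1 dialect; applies to new sessions immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Also remove the component where the optional-feature model applies.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
            -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

$before = Get-EternalBlueExposure
$before | Format-List

if ($before.Exposed) {
    Write-Warning "SMBv1 is enabled on $($before.ComputerName); disabling it."
    Disable-Smb1Server
    Get-EternalBlueExposure | Format-List
}
```

Run it per host, or wrap `Get-EternalBlueExposure` in `Invoke-Command -ComputerName` to sweep a fleet and export the objects to CSV. Disabling SMBv1 is the change that actually removes the exploit's precondition; installing the update alone leaves the protocol enabled for any later bug in the same code path.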