posted by martyb on Monday June 17 2019, @07:41AM   Printer-friendly
from the the-best-defense-is-not-always-the-best-offence dept.

Hackers Infect Businesses with CryptoMiners Using NSA Leaked Tools:

Security researchers have discovered an ongoing cryptojacking campaign which infects unpatched computers of businesses from all over the world with XMRig Monero miners using Equation group's leaked exploit toolkit.

The cybercriminals behind this cryptomining campaign use the NSA-developed EternalBlue and EternalChampion SMB exploits to compromise vulnerable Windows computers, exploits which were leaked by the Shadow Brokers hacker group in April 2017.

While Microsoft patched the security flaws these tools abused to break into Windows machines [1, 2, 3], a lot of computers are still exposed because they have not been updated to newer OS versions that are not affected by these very dangerous vulnerabilities.

[...] The hackers are using a "shotgun" method of attack, choosing to compromise any vulnerable machine they can find and not stopping to cherry-pick, as happens in the targeted attacks conducted by experienced malicious actors, which usually impact companies.

This shows that "entry-level cybercriminals are gaining easy access to what we can consider “military-grade” tools — and are using them for seemingly ordinary cybercrime activity."

[...] An auto-spreading EternalBlue-based backdoor and a variant of the Vools Trojan are used as the main tools to deploy roughly 80 variants of the XMRig cryptocurrency miner on infected computers, using five different mining configurations with similar usernames and identical passwords.

The cryptominer binary is always dropped in the infected system's system32 or SysWOW64 folders, with the miner variant being the one which decides what folder is chosen to drop the XMRig payload.
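As an added example (not code from the article or from the researchers it cites), the following Python script scans the two drop folders the summary names, system32 and SysWOW64, and flags Windows executables that carry XMRig-style strings. The marker strings, the folder list and the file extensions are assumptions chosen for illustration, not indicators taken from the campaign itself.

```python
import os
import re
from pathlib import Path

# Drop locations named in the article (the miner lands in system32 or SysWOW64).
DEFAULT_DIRS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]

# Assumed indicator strings typical of XMRig builds, their command lines and
# pool configs; these are illustrative, not indicators from the article.
MINER_MARKERS = [
    rb"xmrig",
    rb"stratum\+tcp://",
    rb"donate-level",
    rb"cryptonight|randomx",
]
MARKER_RE = re.compile(b"|".join(MINER_MARKERS), re.IGNORECASE)


def looks_like_pe(data: bytes) -> bool:
    """True if the file starts with the 'MZ' DOS header every Windows executable carries."""
    return data[:2] == b"MZ"


def scan_file(path: Path, max_bytes: int = 8 * 1024 * 1024) -> list[str]:
    """Return the distinct miner markers found in one executable (empty if none)."""
    try:
        data = path.read_bytes()[:max_bytes]
    except OSError:
        return []
    if not looks_like_pe(data):
        return []
    return sorted({m.group(0).lower().decode() for m in MARKER_RE.finditer(data)})


def scan_dirs(dirs=DEFAULT_DIRS, exts=(".exe", ".dll")) -> dict[str, list[str]]:
    """Walk the given folders (top level only) and map each suspicious file to its markers."""
    hits: dict[str, list[str]] = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for p in base.iterdir():
            if p.is_file() and p.suffix.lower() in exts:
                markers = scan_file(p)
                if markers:
                    hits[str(p)] = markers
    return hits


if __name__ == "__main__":
    for path, markers in scan_dirs().items():
        print(f"{path}: {', '.join(markers)}")
```

A hit is a lead for triage, not a verdict; confirm it against the file's signature, hash and the process tree that launched it.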


  • (Score: 1, Insightful) by Anonymous Coward on Monday June 17 2019, @10:13AM (#856562)

    Of course, this is a Windows infection.

    Is this included in the Micro$oft TCO (total cost of ownership) calculations?
