Unpatched systems at big companies continue to fall to WannaMine worm


In May of 2017, the WannaCry attack—a file-encrypting ransomware knock-off attributed by the US to North Korea—raised the urgency of patching vulnerabilities in the Windows operating system that had been exposed by a leak of National Security Agency exploits. WannaCry leveraged an exploit called EternalBlue, software that used Windows’ Server Message Block (SMB) network file-sharing protocol to move across networks, wreaking havoc as it spread quickly.

The core exploit used by WannaCry has been leveraged in other malware, including NotPetya, the attack that affected companies worldwide a month later, and Adylkuzz, a cryptocurrency-mining worm that began to spread even before WannaCry. Other cryptocurrency-mining worms followed, including WannaMine—a fileless, all-PowerShell-based, Monero-mining malware attack that threat researchers have been tracking since at least last October. The servers behind the attack were widely published, and some of them went away.

But a year later, WannaMine is still spreading. Amit Serper, head of security research at Cybereason, has just published research into a recent attack on one of his company’s clients—a Fortune 500 company that Serper told Ars was heavily hit by WannaMine. The malware affected “dozens of domain controllers and about 2,000 endpoints,” Serper said, after gaining access through an unpatched SMB server.


Using the same exploit as WannaCry and some known tools, the Monero mining worm continues.
