The canary in the cryptomine

EternalBlue, the software vulnerability that crippled hundreds of thousands of devices is still alive. And it’s been fitted with a deadly strain of crypto-jacking malware.

8 min read
Jack, a crypto-jacking victim. Using EternalBlue, such attacks could happen on a wider scale. PHOTO CREDIT: Andrew Brandt

Andrew Brandt breeds viruses on a rack of computers that live in his home. “It’s my lil’ malware zoo,” says the cybersecurity researcher. His goal, he explains, is to see how a given virus or malware acts when it is “left to its own devices.” All his mechanical victims have to do is “just sit there and be infected.” Most of the time, the computers live to see another day.

But not always. In 2017, Jack, an aging Dell D620 laptop, and one of Brandt’s most long-suffering victims, was receiving its regular dose of malicious software from some dark reach of the Internet. This time, however, Jack had the bad luck to come down with a fatal infection, a “crypto-jacking” malware that drained its power to mine cryptocurrencies for remote hackers. By morning, Jack was dead.

The sickness that took Jack is spreading. Crypto-jacking is a global epidemic—in just the past year, attacks have surged by 459 percent, running up billions of dollars in utility costs and infrastructural damage, according to a report published recently by the Cyber Threat Alliance, a loose collective of cybersecurity research firms. Most troublingly, the report—which Brandt, a principal researcher at cybersecurity company Sophos, co-wrote—found that many crypto-jackers are now using EternalBlue, a leaked NSA infiltration weapon that was presumed extinct, to spread their infections.

EternalBlue was behind the two most devastating cyber attacks in history. On May 12, 2017, hackers used the exploit to engineer the so-called WannaCry attack, which temporarily paralyzed some 200,000 devices across 15 countries, including thousands of medical devices in publicly owned UK hospitals. The NotPetya attack, weeks later, used EternalBlue to devastate IT infrastructure in Ukraine, racking up a further $10 billion in damages globally.

Yet where observers worldwide saw digital chaos, crypto-jackers, evidently, saw opportunity.

EternalBlue: The early years

EternalBlue was born in an NSA laboratory on an unknown date. Researchers with the agency had discovered a way to trick computers into shutting each other down, using a vulnerability buried deep within version one of Server Message Block, a 25-year-old Windows protocol that permits computers and devices to communicate and move files between one another across a local network.

From a distance, the researchers discovered, savvy hackers could overwhelm and hijack computers running SMB-1 by sending them lethally large messages, allowing them to then execute arbitrary code on the infected system. They could, for instance, run malware scripts as a kind of secondary infection, or “payload,” the digital equivalent of a jet dropping paratroopers behind enemy lines.

"Cryptomining runs the processor at full speed until infinity. If no-one stops [this], it can destroy older machines." Andrew Brandt, principal researcher at cybersecurity firm Sophos.

The vulnerability, and the means of exploiting it, came to be known as EternalBlue. Yet instead of reporting the vulnerability to Microsoft, the researchers simply took note of it, and sat on it. And for a while, it remained the NSA’s little secret. Until it was leaked.

On April 14, 2017, a Twitter account associated with the Shadow Brokers, an anonymous hacking collective that regularly leaks NSA files, tweeted the files for EternalBlue as part of an enormous NSA data dump. Followers could download and open the files with the password “Reeeeeeeeeeeeeee.” (“Reeeeeeeeeeeeeee” is supposed to resemble the sharp inhalation of a frog, and was appropriated as an ironic expression of nerd rage by several fringe Reddit communities.) The WannaCry and NotPetya attacks came swiftly after.

Now, though Microsoft quickly released comprehensive patches to contain it, EternalBlue has re-emerged in popular, and deadly, crypto-jacking malware. Smominru, which mines privacy coin Monero, has reportedly been used to illicitly mine between $2.8 and $3.6 million-worth of Monero overall, roughly $8,500 each day. Others, including PowerGhost, MassMiner, and WannaMine, are being used to target “countless” (there’s no official number) devices, according to the Cyber Threat Alliance report.

Mining pains

EternalBlue’s resurgence, says Brandt, begins with a “sad truth.” Individual crypto-jackers, he explains, are not making much money; “It’s usually pennies.” More often than not, he adds, the process simply destroys the infected computers, incurring a cost for the victim and wasting time for the hacker. To illustrate, he explains how Jack died.

Once Jack got infected by the crypto-jacking malware, Brandt went to bed. “I didn’t look at the machine until the morning after,” he recalls. To his dismay, he found he was unable to restart it. So he dismantled Jack and took out a digital microscope he’d recently bought, and took a good micro-look at the motherboard. The crypto-jacking software, he says, had “caused the solder to melt and flow across the chip, and create bridges.”

It was a literal meltdown. The computer had bled, congealed, and died. Now it “doesn’t even show the startup screen.”

"This is the scary thing about exploits that are leaked. They come with a proof of concept, a code that is readily available. You just execute this code at this specific target or server, and it’ll do the rest."Terrance DeJesus, researcher at cybersecurity firm NTTSecurity.

“Cryptomining runs the processor at full speed until infinity,” Brandt explains. “If no-one stops  [this], it can destroy older machines.” With Jack, the “fan was failing,” he explains, mournfully. “It was enough to push it over the edge. It’s basically dead now.”

That’s not great for the victim, but it’s not great for the hacker either. Because infected computers are liable to wither and die, hackers can only hope to generate a tiny, if steady, dribble of profit from their operations, a “cash-cow continually feeding you pennies per machine,” says Brandt. Ransomware, on the other hand, generates a single, one-off payday.

So it makes sense, operationally, to spread infections in the laziest way possible. EternalBlue facilitates this by self-propagating, without a user’s consent, from unpatched computer to unpatched computer, with zero effort from the hacker. The “pennies” generated by attacks, given time, will eventually amass into a mean profit. It’s the crypto-jacker’s dream.

EternalBlue’s Eternal Charm

Indeed, it’s frighteningly easy to use. Hackers need only scan for Port 445, an online portal through which unpatched SMB-1 protocols broadcast their existence, then run the EternalBlue code—generously prepared by the NSA—through an input box. The infected system will quickly overload, allowing the hacker to reprogram it with the desired malware.

“This is the scary thing about exploits that are leaked,” says Terrance DeJesus, a researcher at cybersecurity firm NTTSecurity. “They come with a proof of concept, a code that is readily available. You just execute this code at this specific target or server, and it’ll do the rest.”

"There are large segments of the IT administrator world that don’t patch rapidly or don’t patch at all. You can’t rely on the human element."Terrance DeJesus.

EternalBlue is also “wormable.” Once it’s safely inside its host, it will hijack the SMB-1 protocol’s communications system to automatically scan for more potential victims to infect. Equipped with EternalBlue, crypto-jackers can easily spread their malware far and wide, maximizing the processing power they can commandeer to generate illicit profit for themselves.

Brandt experienced EternalBlue’s self-propagating terror firsthand. In his malware zoo, he set up a fake SMB-1 protocol, or “honeypot.” Before long, he noticed that “inbound connections” running EternalBlue were attempting to exploit the faux-vulnerability and take control of the computer’s system.

Human failure

But why, if it was patched, does EternalBlue still work? DeJesus chalks it up to human failure. “There are large segments of the IT administrator world that don’t patch rapidly or don’t patch at all,” he says. “You can’t rely on the human element.”

An IT consultant, who prefers to remain anonymous, puts it down to institutional apathy. “When there’s a new patch, we just can’t be bothered,” he admits. “It means we have to...organize shit.”

Other times, patches aren’t feasible; old, creaking IT systems suffer fatally from even the most minor software upgrade. “There are large parts of the world with pirated copies of Windows that cannot receive patches,” says Brandt.

Regardless, patches are often ineffective anyway, says Alex Hinchcliffe, a researcher at cybersecurity firm Palo Alto Networks. Worms like EternalBlue, once spread, remain alive in their victims, scanning for “other vulnerable machines to infect."

Some malware possess talents in espionage, and can subvert patches entirely. PowerGhost, for instance, can disable antivirus software and scrape personal data—passwords and the like—before launching an assault, giving it several means of entry.

PowerGhost gets even more disturbing: it also "disables competing cryptocurrency miners to maximize CPU usage, and disables the computer’s sleep and hibernation modes to maximize its mining time," says Anthony Giandomenico, a senior security strategist at Fortinet FortiGuard Labs. 

Catastrophe 2.0

In the future, says Brandt, mining work will demand so much power that the costs, for regular miners, will vastly exceed the benefits. But what do hackers care? They’re not footing the bill.

Indeed, rather than deter hackers, this will simply increase the damage they must inflict on computers to yield a profit; if hackers destroy thousands of computers with minimal returns, they lose very little themselves.

With this in mind, Brandt says it’s possible another large organization, similar to the NHS, could be vulnerable to a wide scale EternalBlue-powered crypto-jacking attack, which would be significantly more devastating, and costly, than any ransomware attack.

"PowerGhost...disables competing cryptocurrency miners to maximize CPU usage, and disables the computer’s sleep and hibernation modes to maximize its mining time."Anthony Giandomenico, a senior security strategist at Fortinet FortiGuard Labs. 

And all it would take to set off a string of such ruinous infections, he explains, would be a single unpatched “Typhoid Mary” in a system’s computer network. Compounding the lateral spread of EternalBlue with the destructive capabilities of crypto-jacking software, he adds, could generate enough heat to start an inferno.

So Brandt’s advice to the fearful? Eternal vigilance. Diligently observe the streams of outbound and inbound connections that swirl around your computer. Crypto-jacking malware must constantly communicate, back and forth, with its control server, a correspondence that is “readily visible,” he says. “Beware of this traffic,” he warns, because a computer touched by EternalBlue is the “canary in the coalmine.”

“It’s a sign that something has gone terribly wrong.”

Read next: Blockchain's Mechanical Turk 

Want to be a crypto expert? Get the best of Decrypt straight to your inbox.

Get the biggest crypto news stories + weekly roundups and more!