A massive cryptocurrency mining botnet has taken over half a million machines and may have made its cybercriminal controllers millions of dollars - and the whole operation is powered by EternalBlue, the leaked NSA exploit which made the WannaCry ransomware outbreak so destructive.
The Smominru miner botnet turns infected machines into miners of the Monero cryptocurrency and is believed to have made its owners around $3.6 million since it started operating in May 2017 - about a month after EternalBlue leaked and around the same time as the WannaCry attack.
While it isn't uncommon for cybercriminals to leverage the power of hijacked networks of computers to acquire cryptocurrencies, this particular network is significant in its individual size - double that of the Adylkuzz mining botnet. Researchers at Proofpoint say the botnet was made up of 526,000 nodes at its peak - and despite efforts to take it down, the botnet is particularly resilient and keeps regenerating itself and therefore remains a powerful Monero mining tool for its operators.
Such is the power of the Smominru, its operators have mined 8,900 Monero, which is currently balued between $2.8M million and $3.6 million, with around 24 Monero (around $8,500) currently added each day. Part of Smominru's power lies in the types of machines it takes control of, with a large proportion of the nodes in the network consisting of Windows servers.
What makes the servers such an appealing target for cryptocurrency miners is that their processing power and because unlike a desktop computer - which regularly gets turned off, and therefore prevented from mining - the servers are always on, providing a continuous, lucrative stream of Monero.
Meanwhile, organisations might remain unaware that their servers have become part of the Smominru botnet, despite the mining botnet potentially causing performance levels to drop and raising the costs of energy use by servers which are suddenly operating far closer to capacity.
Researchers note that at least 25 of the infected hosts have been seen conducting additional attacks via EternalBlue, using its worm-like features to infect new nodes and increase the size of the botnet by attacking vulnerable machines with publically available IP addresses.
Attacks have also been taking place via EsteemAudit, an exploit that leverages vulnerabilities in RDP on Windows Server 2003 and Windows XP. While efforts have been made to shut down the botnet - cybersecurity personnel have managed to take down about a third of Smominru with sinkhole operations and banning IP addresses - its operators have been able to recover.
It's the use of EternalBlue which helps the attackers regenerate their network so quickly - and could potentially allow it to grow to incorporate a larger network of devices than its current half a million.
The highest number of infected systems in Russia, India and Taiwan. It's unlikely the attackers have targeted these countries specifically, but rather they simply represent areas of the globe where patching systems against the EternalBlue exploit has been lax.
"Robust patching regimens remain the best defense against EternalBlue. While we expect the number of vulnerable machines to decrease over time, obviously there are still many unpatched machines worldwide with SMB accessible by public IP," Kevin Epstein, Vice President for Threat Operations at Proofpoint told.
Cyber criminals appear to be increasingly turning their attention to cryptocurrency miners as a means of easily making money. While bitcoin remains the most popular form of crytpocurrency, many cyber criminals are turning towards alternatives like Monero for reasons ranging from increased privacy to being able to cash it out more quickly.
110 Reykjavik, Iceland