WannaMine Cryptocurrency Miner Propagates via EternalBlue Exploit
A cryptocurrency-mining malware, dubbed WannaMine after the infamous WannaCry ransomware, is stealing organizations’ CPU power to mine Monero. The malware leverages the Mimikatz credential harvester to acquire legitimate credentials and move laterally within the network; if it is unable to obtain credentials, it falls back to the EternalBlue exploit for lateral movement. WannaMine then uses Windows Management Instrumentation (WMI) permanent event subscriptions to maintain persistence. The malware’s fileless nature and its use of the legitimate Windows components WMI and PowerShell make it very difficult for organizations to block without a next-generation firewall.

Once cryptocurrency-mining malware infiltrates a network, it uses infected systems’ CPU resources to mine cryptocurrency. While often only a nuisance to end users, cybersecurity firm CrowdStrike has observed cases in which unauthorized mining operations impacted organizations so severely that computers were rendered unusable and operations halted for days or weeks.

The NJCCIC recommends all network and security administrators review the Panda Security and CrowdStrike reports for technical details on WannaMine; proactively block outbound connections to domains known for installing cryptocurrency miners; close all unused ports; block SMB traffic into and inside of the network, if possible; and ensure all hardware and software are up to date. We also recommend exercising caution when downloading software or installing browser extensions and closely monitoring system activity for spikes in CPU usage.
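Because the persistence described above lives in WMI rather than on disk, a file scan will not surface it; the following script, an added example that is not part of the NJCCIC brief or the vendor reports, enumerates the permanent event subscriptions on a host (filters, consumers and the bindings that join them) and marks consumers whose payload invokes PowerShell. The `$suspicious` pattern is an assumed starting heuristic, not an indicator from the page; run the script elevated and review every binding you do not recognize.

```powershell
# Added example, not part of the NJCCIC brief: list WMI permanent event
# subscriptions (the persistence mechanism attributed to WannaMine) and flag
# consumers whose payload looks like a PowerShell launcher. Run elevated.
# The $suspicious pattern is an assumed starting heuristic; tune it locally.

$ns = 'root/subscription'

# Reference properties may come back as CimInstance objects or as object-path
# strings like __EventFilter.Name="x"; normalise both to the instance Name.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]+)".*', '$1') }
    return $ref.Name
}

# Filters define the WQL trigger; consumers define what runs when it fires;
# bindings wire a filter to a consumer. All three live in root/subscription.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# CommandLine and ActiveScript consumers are the two that execute code.
function Get-Payload($c) {
    switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }
}

$suspicious = 'powershell|-enc|hidden|downloadstring|iex|invoke-expression|mimikatz'

$report = foreach ($b in $bindings) {
    $fName   = Get-RefName $b.Filter
    $cName   = Get-RefName $b.Consumer
    $f       = $filters   | Where-Object Name -eq $fName
    $c       = $consumers | Where-Object Name -eq $cName
    $payload = if ($c) { Get-Payload $c } else { '' }
    [pscustomobject]@{
        Filter   = $fName
        Query    = $f.Query
        Consumer = $cName
        Type     = $(if ($c) { $c.CimClass.CimClassName } else { '(missing)' })
        Payload  = $payload
        Flag     = $(if ($payload -match $suspicious) { 'REVIEW' } else { '' })
    }
}

$report | Format-List
```

On a clean workstation the list is usually empty or contains only well-known vendor entries (for example the SCM event consumer), so any `REVIEW`-flagged or unfamiliar binding is worth correlating with the CPU-usage spikes the brief recommends watching for.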