Hackers running sophisticated cryptocurrency mining operation using NSA exploits

Cryptojacking incidents in the UK rose by 1,200% in the last few months

Researchers have discovered a new 'multi-staged attack' campaign dubbed Zealot which hackers are running to mine cryptocurrency by leveraging known NSA exploits like EternalBlue and EternalSynergy.

Hackers behind the latest cryptocurrency mining operation are targeting Windows and Linux systems using NSA exploits to mine Monero, a popular cryptocurrency.

The recent surge in the value of Bitcoin, as well as other kinds of cryptocurrency, has led to a rise in cyber-attacks on cryptocurrency exchanges and marketplaces. While security researchers have already observed DDoS attacks, spearphishing attacks, and frontal cyber-attacks conducted by hackers so far, researchers at F5 Networks have also detected a new cryptocurrency mining operation which leverages known NSA exploits like EternalBlue and EternalSynergy.

Dubbed Zealot, the latest hack has been described by researchers as 'a sophisticated, highly obfuscated and multi-staged attack' that targets internal systems running Windows and Linux operating systems. Using exploits like EternalBlue and EternalSynergy, hackers have also been able to ensure lateral movement inside networks.

The overall objective of hackers behind the operation is to gain access to Monero, a cryptocurrency which, researchers at F5 Networks say, is increasing in popularity among cyber-criminals. While various Windows and Linux-based servers may have been affected, the hackers have not targeted Macs so far.

According to the researchers, while known NSA exploits have been leveraged in previous malware campaigns like NotPetya and WannaCry ransomware, Zealot is the first Struts campaign using the NSA exploits to propagate inside internal networks.

The multi-stage attack has a 'highly obfuscated PowerShell agent for Windows and a Python agent for Linux/OS X' and also exploits servers that are vulnerable to CVE-2017-5638 (Apache Struts Jakarta Multipart Parser attack) and CVE-2017-9822 (DotNetNuke (DNN) content management system vulnerability).

'The Zealot campaign seems to be opening new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,' they noted.

Bob Rudis, Chief Data Scientist at Rapid7, says that organisations need to scan for systems in their internal networks that are vulnerable to CVE-2017-5638 and CVE-2017-9822 and should patch them immediately to ensure they are not affected by the latest cryptocurrency mining operation. At the same time, they should also isolate systems that cannot be patched from their networks to ensure that the malware payload doesn't spread to other systems.
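A small triage script for the inventory step recommended above, added here as an illustration and not part of the original article or any vendor tooling. It flags hosts whose Apache Struts or DNN version falls inside the affected ranges for the two CVEs named in the article; the ranges are my recollection of the vendor advisories (assumption, verify before use), and the host list is constructed.

```python
import re

# Affected version ranges (inclusive) for the two CVEs the article names.
# Assumption: ranges recalled from the Apache Struts and DNN advisories;
# confirm them against the current vendor advisories before relying on this.
AFFECTED = {
    "CVE-2017-5638": ("struts", [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]),
    "CVE-2017-9822": ("dnn", [("5.0.0", "9.1.0")]),
}

def parse_version(v):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically.
    Tuple comparison makes 2.5.10.1 > 2.5.10, so the fixed Struts release
    correctly falls outside the affected range."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(product, version):
    """Return the CVE ids whose affected range covers this product version."""
    v = parse_version(version)
    hits = []
    for cve, (prod, ranges) in AFFECTED.items():
        if prod != product:
            continue
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits

# Constructed sample inventory of (hostname, product, version); not real hosts.
INVENTORY = [
    ("app-01", "struts", "2.3.31"),   # last affected 2.3.x release
    ("app-02", "struts", "2.5.10.1"), # fixed release
    ("app-03", "struts", "2.5.10"),   # still affected
    ("cms-01", "dnn", "9.1.0"),       # affected
    ("cms-02", "dnn", "9.1.1"),       # fixed release
]

def triage(inventory):
    """Map each host to the CVEs it is exposed to; an empty list means
    the version is outside the affected ranges."""
    return {host: is_affected(prod, ver) for host, prod, ver in inventory}

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        action = "PATCH or ISOLATE: " + ", ".join(cves) if cves else "ok"
        print(f"{host:8} {action}")
```

Hosts that come back flagged are the ones to patch first or, where patching must wait, to segment away from the rest of the network as the article advises.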

'There is a 100% guarantee that attackers will be crafting similar exploits and performing these types of campaigns in the future. Attackers know that organisations are not able to patch systems quickly and have a large cache of exploits like these at their disposal.

'It is imperative that organisations use network- and system-level mitigations for vulnerable systems that cannot be patched quickly in order to avoid succumbing to similar-style attacks in the future,' he adds.

Copyright Lyonsdown Limited 2021
