WannaMine, a Monero-mining worm discovered last October, is increasingly wreaking havoc on corporate computers.
By slowing computers to a crawl or by crashing systems and applications outright, the cryptomining worm is, according to CrowdStrike researchers, seriously disrupting business operations and leaving some companies unable to operate for days or even weeks.
In one case, a client informed CrowdStrike that nearly 100 percent of its environment was rendered unusable due to overutilization of systems’ CPUs.
As criminals' appetite for cryptocurrencies and "free" mining resources grows, enterprises will have to find a way to keep their systems secure against increasingly sophisticated tactics.
A fileless attack
CrowdStrike's write-up does not name the initial infection vector, but patient zero in a network has most likely been tricked into opening a file that carries an exploit.
What is known is that the threat spreads through corporate networks by using Mimikatz to harvest legitimate credentials from the compromised host and then reusing them to log into other systems.
If that approach fails, it falls back to EternalBlue, the SMBv1 exploit (patched by Microsoft as MS17-010 in March 2017) that WannaCry used in May 2017.
WannaMine persists by registering a Windows Management Instrumentation (WMI) permanent event subscription, an event filter bound to a consumer that relaunches the miner, and it stores its code in the WMI repository rather than as files on disk, which is what makes it "fileless".
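The two propagation paths described above each depend on a host-side condition that defenders can check: EternalBlue only works against a reachable SMBv1 server, and Mimikatz-style credential harvesting is far more productive when LSASS keeps plaintext passwords (WDigest) and is not running as a protected process. The following PowerShell is an added example, not code from the article or from CrowdStrike; it checks those three settings on the local host and returns an object that can be collected fleet-wide with Invoke-Command. The function name and the meaning of the Exposed field are this example's own assumptions.

```powershell
# Added example (not from the article or CrowdStrike): host exposure check for the
# propagation techniques described above. Run in an elevated Windows PowerShell prompt.

function Test-WannaMineExposure {
    [CmdletBinding()]
    param()

    # 1. EternalBlue (MS17-010) targets SMBv1, so an enabled SMBv1 server is the
    #    exposure to look for. Get-SmbServerConfiguration exists on Windows 8/2012 and later.
    $smb1Enabled = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 2. WDigest: UseLogonCredential = 1 makes LSASS cache plaintext passwords that Mimikatz
    #    can read. A missing value means the OS default: on for Windows 7/2008 R2 without
    #    KB2871997, off on Windows 8.1/2012 R2 and later.
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wdigest = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                -ErrorAction SilentlyContinue).UseLogonCredential

    # 3. LSA protection: RunAsPPL = 1 runs LSASS as a protected process, so user-mode tools
    #    such as Mimikatz cannot open it without first loading a kernel driver.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL `
                 -ErrorAction SilentlyContinue).RunAsPPL

    # Exposed is this example's own summary flag: any one weak setting marks the host.
    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1ServerEnabled    = $smb1Enabled
        WDigestPlaintext     = ($wdigest -eq 1)
        LsaProtectionEnabled = ($runAsPpl -eq 1)
        Exposed              = ($smb1Enabled -eq $true) -or ($wdigest -eq 1) -or ($runAsPpl -ne 1)
    }
}

Test-WannaMineExposure | Format-List
```

To run it across a set of hosts, wrap the call in `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-WannaMineExposure}` and filter on `Exposed`. Note that an absent WDigest value is reported as not-plaintext here, which is only correct on Windows 8.1/2012 R2 and later; on older hosts treat a missing value as exposed.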
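Because the persistence lives in the WMI repository rather than on disk, the place to hunt for it is the root/subscription namespace, where every permanent subscription is an __EventFilter (the trigger), an __EventConsumer (the action) and an __FilterToConsumerBinding tying them together. The PowerShell below is an added example, not code from the article or from CrowdStrike; it enumerates all three classes, joins them through the bindings, and flags consumers whose command line or script text contains tokens typical of script-based execution. The keyword list is an assumption for illustration and should be tuned to the environment.

```powershell
# Added example (not from the article or CrowdStrike): enumerate WMI permanent event
# subscriptions and flag consumers whose payload looks like script execution.
# Run in an elevated Windows PowerShell prompt.

$ns = 'root/subscription'
# Assumed indicator list; legitimate management tooling may match, so review hits rather than deleting blindly.
$suspicious = 'powershell', '-enc', '-e ', 'frombase64string', 'downloadstring', 'iex',
              'invoke-expression', 'wscript', 'cscript', 'mshta', 'regsvr32', 'rundll32'

# A binding's Filter/Consumer property is an object reference under Get-CimInstance and a
# string path such as __EventFilter.Name="foo" under Get-WmiObject; handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $ref }
    }
    return $ref.Name
}

function Get-WmiPersistence {
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        # The executable payload sits in different properties depending on the consumer class.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText) $($c.ScriptFileName)" }
            default                     { ($c | Out-String) }
        }
        # -match is case-insensitive; escape each token so '-e ' and '.' are matched literally.
        $hit = $suspicious | Where-Object { $payload -match [regex]::Escape($_) }

        [PSCustomObject]@{
            Filter        = $fName
            Query         = $f.Query          # WQL trigger, e.g. a timer or process-start event
            Consumer      = $cName
            ConsumerClass = $c.CimClass.CimClassName
            Payload       = $payload
            Suspicious    = [bool]$hit
            Reason        = ($hit -join ', ')
        }
    }
}

Get-WmiPersistence | Sort-Object Suspicious -Descending | Format-List
```

A confirmed malicious subscription is removed by deleting the binding first and then the filter and consumer with Remove-CimInstance, otherwise the orphaned pair can simply be rebound. For ongoing detection rather than point-in-time hunting, new bindings are logged as Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log on Windows 10 and Server 2016 and later, and Sysmon records filter, consumer and binding creation as Event IDs 19, 20 and 21.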
“Its fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus,” CrowdStrike researchers pointed out. Endpoint tooling that can detect and block the malicious scripts and processes driving the mining is the better fit here than file-signature scanning alone.