Thanks NSA! Surveillance Agency Exploit Increases Illegal Bitcoin Mining by 459%

The review points to a 629 percent increase in coin mining malware in the first quarter of 2018, with almost three million examples detected. Monero has been the primary target, accounting for 85 percent of all illegal crypto mining — Bitcoin accounted for a comparatively trifling eight percent of the illicit mining market, all other cryptocurrencies seven.

Only Way is Up

The report notes this increase is in a sense gravitational — by definition, anything with monetary value attracts criminal activity, and as cryptocurrency usage and value has grown, so has nefarious interest in the asset. Moreover, cryptocurrencies increasingly play a pivotal role in ‘dark web' markets for illicit goods such as drugs, weapons, purloined data and the like, due to the anonymity they theoretically provide.

While the report notes the majority of illicit mining cases are relatively unsophisticated, often leveraging spam email campaigns and phishing. However, in an ironic twist, the growth in illicit crypto mining has also been greatly facilitated by the leak of EternalBlue, a Microsoft Windows security vulnerability exploit originally developed by the NSA, in 2017.

The vulnerability exploits Microsoft Server Message Block 1.0, a network file sharing protocol, and allows applications on a computer to read and write to files and request services on the same network.

When the tool was leaked in 2017, hackers found a flaw of their own in the NSA software, allowing them to manipulate the power of other computers to mine cryptocurrency.

Tangled Up in Blue

The exploit became so widely used by hackers Microsoft was moved to issue a 'critical' security update, even extending to Windows XP operating systems, which the tech giant officially ceased supporting in 2014.

However, the company's efforts have done little to dent its prevalence in cyberattacks. Elements of the exploit have even been woven into two common Trojans — Retefe and TrickBot — used in various email phishing campaigns targeted at companies and individual users, allowing for the much more effective spread of viruses through computer networks. The malicious pair have been used to attack banks in Austria, Sweden, Switzerland, Japan and the UK.

EternalBlue was also fundamental to the notorious worldwide cyberattack ‘WannaCry' in May 2017, which targeted computers running Microsoft Windows by encrypting data and demanding ransom payments from users in the form of Bitcoin.-

In the wake of the attack, Microsoft strongly condemned the NSA, and governments more generally, for hoarding vulnerabilities, urging nation state actors to report vulnerabilities to vendors "rather than stockpile, sell, or exploit them".

"This attack provides yet another example of why stockpiling vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. The governments of the world should treat this attack as a wake-up call. They need to take a different approach, adhere in cyberspace to the same rules applied to weapons in the physical world [and] consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits," company President Brad Smith said.