The Problem
Wannamine is affecting state and local governments here in the US. Wannamine is fileless malware that is used to mine Monero. This article also applies to anyone who wants to protect their systems from Wannamine.
Wannamine consumes the RAM and CPU of the affected system, degrading the performance of the infected computer. It enters the system via a basic phish in which the user clicks on a malicious link. It spreads throughout the network primarily by using Mimikatz, together with PowerShell, PsExec, and Windows Management Instrumentation, to try to capture the user's and other credentials. Mimikatz attempts to extract the passwords and hashes of authenticated users stored in the Local Security Authority Subsystem Service process (LSASS.EXE). These stolen credentials are base64 encoded and sent outbound over port 8000 to command and control (C2) servers. A secondary means of spreading is the EternalBlue exploit used by WannaCry.
Wannamine is a problem for government computers because government has grown over the years, but the budgets to support that growth have not, due to factors such as rising wages and lower taxes. The other problem governments face is that government is not a "hot bed" for IT talent. This means that the computer systems are generally older and not well patched, making them more vulnerable to attack.
What can be done?
Some of the things that can be done:
- Get a good malware program like Malwarebytes and keep it up to date
- Apply Microsoft patch MS17-010
- Block traffic to TCP and UDP ports 3333, 5555, 7777, 8000, and 14444 at your demarcation point unless absolutely necessary
- Disable SMBv1 on all systems and utilize SMBv2 or SMBv3
- Implement Group Policy (GPO) to prevent the scripted execution of Sysinternals Suite tools, such as PsExec
- Implement the Credential Guard feature in Windows products to guard against the extraction of credentials stored in LSASS.EXE
- Monitor the RAM and CPU usage on your computer
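As an added example (not part of the original post), the following PowerShell script checks a single Windows host against several of the items above and applies the two that are safe to script: disabling SMBv1 and adding an outbound block rule for the listed ports. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules present; the MS17-010 KB number is a placeholder because it differs per OS build.

```powershell
# Added example, not from the original post. Run elevated.
# The MS17-010 KB number varies by OS build; replace the placeholder below.
$MiningPorts = 3333, 5555, 7777, 8000, 14444
$Ms17010Kb   = 'KB<KB-FOR-YOUR-OS>'   # placeholder, look up the KB for this build

# 1. MS17-010: report whether the patch is installed.
$patch = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
Write-Host ("MS17-010 ({0}) installed: {1}" -f $Ms17010Kb, [bool]$patch)

# 2. SMBv1: check the server-side setting and disable it if still on.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Host 'SMBv1 is enabled; disabling it now'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 already disabled'
}

# 3. Outbound mining/C2 ports: create TCP and UDP block rules if absent.
$ruleName = 'Block WannaMine mining and C2 ports'
if (-not (Get-NetFirewallRule -DisplayName "$ruleName*" -ErrorAction SilentlyContinue)) {
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "$ruleName ($proto)" -Direction Outbound `
            -Protocol $proto -RemotePort $MiningPorts -Action Block | Out-Null
    }
    Write-Host "Added outbound block rules for ports $($MiningPorts -join ', ')"
} else {
    Write-Host 'Outbound block rules already present'
}

# 4. Credential Guard: SecurityServicesRunning contains 1 when it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
Write-Host "Credential Guard running: $cgRunning"

# 5. Resource usage: show the top CPU consumers so a miner stands out.
Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 5 Name, Id, CPU, @{n='WorkingSetMB'; e={[int]($_.WorkingSet64 / 1MB)}} |
    Format-Table -AutoSize
```

Disabling SMBv1 on the server side takes effect for new connections only, so plan a reboot or a maintenance window, and test the firewall rule against any legitimate service that uses port 8000 before rolling it out.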
If you have any other suggestions on protecting against Wannamine, please post them in the comments below.