There are money-saving advantages to running computers with older operating systems that aren’t carefully patched. But it may come at a price: being infected with malware that makes machines part of a global botnet for harvesting credentials and spreading cryptomining software.
That’s the takeaway from a report this week by security vendor Guardicore into what some researchers are calling the Smominru botnet. Guardicore estimates that in August alone, Smominru infected 90,000 machines around the world, an infection rate of 4,700 machines per day.
After breaking into one of about 20 attack servers behind the botnet, Guardicore concluded the attack compromises Windows machines using EternalBlue, a stolen exploit apparently created by the U.S. National Security Agency, as well as by brute-forcing several Windows services with weak passwords. It then spreads laterally, stealing victim credentials, installing a Trojan module and a cryptominer, and propagating inside the network.
The EternalBlue exploit works on older versions of Windows such as Win7 and XP on desktops, and WinServer 2003, 2008 and 2012. Microsoft released patches for the EternalBlue vulnerability in March 2017. However, unpatched — or poorly-patched — computers and servers continue to be victimized.
Not surprisingly, says Guardicore, Windows 7 and Windows Server 2008 are the most infected operating systems, representing 85 percent of all infections. These are Windows versions for which there is an operational EternalBlue exploit available on the internet. Other victim operating systems include Windows Server 2012, Windows XP and Windows Server 2003. These are either systems which have been out of support for many years, or about to be end of life.
“Among other things, we found that many machines were reinfected even after removing Smominru. This suggests that these systems remain unpatched, and therefore vulnerable to this botnet or other similar attackers. Since patching is often complicated in large data centers, it is highly important to use additional security controls, such as applying network segmentation and minimizing the number of internet-facing servers,” the report says.
The compromised attack server allowed Guardicore to see some of the infected machines. (The company has tried to notify victims where they could be identified.) Among the things it gleaned is that infected machines are primarily small servers with 1-4 CPU cores. However, more than 200 victim machines had more than 8 cores, and one was running on a 32-core server. To the report authors this suggests that while many companies spend money on expensive hardware, they aren’t taking basic security measures, such as patching the operating system they are running.
The report takes a detailed look at the botnet’s attack flow, which includes downloading a worm (u.exe / ups.exe) for spreading the malware laterally; a Trojan (upsupx.exe) for command and control, screenshot capturing, information stealing and installing a Monero cryptominer; and an MBR rootkit (max.exe / ok.exe). In its current iteration, Smominru downloads and runs almost twenty distinct scripts and binary payloads.
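As an added example (not from the article or from Guardicore's report), the following triage script matches the payload file names listed above against process-creation events and groups the hits per host, so a responder can see how far the chain (worm, Trojan, rootkit) progressed on each machine. The pipe-delimited event format, host names and paths are constructed sample data, not real telemetry.

```python
from collections import namedtuple

# Payload file names the report attributes to Smominru, mapped to their role.
SMOMINRU_PAYLOADS = {
    "u.exe": "worm (lateral spread)",
    "ups.exe": "worm (lateral spread)",
    "upsupx.exe": "Trojan (C2, screenshots, info stealing, miner install)",
    "max.exe": "MBR rootkit",
    "ok.exe": "MBR rootkit",
}

# Constructed process-creation events (assumed format: timestamp|host|parent|image).
SAMPLE_EVENTS = """\
2019-08-12T03:14:07Z|srv-db01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\Temp\\u.exe
2019-08-12T03:14:09Z|srv-db01|C:\\Windows\\Temp\\u.exe|C:\\Windows\\Temp\\upsupx.exe
2019-08-12T03:15:30Z|ws-finance7|C:\\Windows\\explorer.exe|C:\\Office\\winword.exe
2019-08-12T03:16:02Z|srv-db01|C:\\Windows\\Temp\\upsupx.exe|C:\\Windows\\Temp\\max.exe
2019-08-12T03:20:45Z|srv-web03|C:\\Windows\\System32\\services.exe|C:\\Windows\\Temp\\ups.exe
"""

Hit = namedtuple("Hit", "timestamp host image role")


def scan_events(text):
    """Return one Hit per event whose image file name is a known Smominru payload."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _parent, image = line.split("|")
        # Compare only the file name, case-insensitively; the drop path varies.
        name = image.rsplit("\\", 1)[-1].lower()
        role = SMOMINRU_PAYLOADS.get(name)
        if role:
            hits.append(Hit(ts, host, image, role))
    return hits


def hosts_by_stage(hits):
    """Group payload roles per host, in event order, to show how far the chain got."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, []).append(h.role)
    return by_host


if __name__ == "__main__":
    for host, stages in hosts_by_stage(scan_events(SAMPLE_EVENTS)).items():
        print(host, "->", " | ".join(stages))
```

File names are a weak indicator on their own, since the operators can rename payloads; the check is useful for scoping reinfection on the unpatched hosts the report describes, not as the only detection.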
Guardicore believes most of the attack servers are hosted by ISPs in the U.S., with some hosted in Malaysia and Bulgaria. “Many hosting companies proactively detect and block malicious activity coming from their networks,” says the report, which goes on to question why some U.S. providers can’t do the same.