Researchers have discovered a spike in Beapy, a variant of malware that is using leaked National Security Agency (NSA) exploits to spread across corporate networks and force computers to run its cryptocurrency mining capabilities. The malware was first discovered in January and it has currently infected 12,000 devices across 732 organisations.
Beapy relies on an employee opening a malicious email that will therefore allow the malware to create a persistent backdoor on the computer, it then uses the NSA’s EternalBlue exploit to spread laterally throughout the network; very similar to how WannaCry spread in 2017. Beapy also boasts open-source credential stealing capabilities in order to collect and use passwords from infected devices to aid in its spread throughout an enterprise’s network.
Using the leaked NSA RCE exploits doublepulsar and eternalblue to
execute arbitrary code if the phishing attempt was successful compromised machines and made way for the extraction of credentials using mimikatz. #beapy #malware https://t.co/jvtIcN61sw— RegistryD0g (@D0gRegistry) April 28, 2019
Thousands of firms hit by Beapy malware using NSA hacking tools see https://t.co/MzYVqyXgO9 pic.twitter.com/jkng52LSZT
— Marco Borger (@MarcoBorger1) April 28, 2019
Experts Comments:
Barry Shteiman, VP of Research and Innovation at Exabeam:
“Crypto-mining operations could be running within your organisation’s network – draining vast amounts of energy – without your knowledge. IT teams need to be vigilant. The best thing to do is look for anomalies in your electricity bill. You should also measure changes in your HVAC usage for heat dissipation, although this will be more difficult. Beyond that, look for sudden changes in capacity or usage, as well as significant deviations in pattern and velocity. The best approach to detecting irregular network behaviour is using an emerging technology called entity analytics. This automates detection by baselining normal machine behaviour and highlighting the anomalies. Deviation from these benchmarks may be an indicator of capacity abuse, and will the best marker of malicious cryptomining activity on your network.”
Anurag Kahol, CTO at Bitglass:
“Cryptojacking attacks took the world by storm in 2018, much to the dismay of businesses and security experts. The stealthy nature that cryptojacking malware boasts over other types of threats makes it extremely lucrative for malicious actors. Beapy is particularly effective for hackers because it targets corporations and leverages NSA technology to spread throughout employees’ devices and perform large-scale, clandestine cryptojacking. This practice mines cryptocurrency at an extremely accelerated rate and wastes enterprises’ processing and storage power, costing thousands of additional dollars in electricity bills; additionally, organisations may face other costs stemming from the repair or replacement of degraded computers.
“To protect against cryptojacking, organisations must be able to recognise the signs of an attack and understand how to respond before it is too late. Educating employees on how to identify attacks and avoid phishing schemes (which is how Beapy is spread) is a basic yet crucial piece of the puzzle. Businesses must also require employees to use complex passwords, leverage multi-factor authentication (MFA), promptly install security patches and software updates, deploy ad-blocking extensions, and adopt mobile data security solutions that can defend any endpoint without causing privacy concerns or hindering device performance. Anti-malware solutions must be able to detect infected files in real time as they are downloaded to any device, uploaded to any application, or at rest within the cloud.
“As evidenced with Beapy, hackers are always devising new tactics and leveraging new tools in order to attack companies and make money through nefarious means. Fortunately, the above tips can help any business to stay secure against cryptojacking as well as other types of cyberattacks.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.