New Crypto Mining Malware Beapy Uses Leaked NSA Hacking Tools: Symantec Research (#GotBitcoin?)
American software security firm Symantec found a spike in a new crypto mining malware that mainly targets enterprises, TechCrunch reports on April 25. New Crypto Mining Malware Beapy Uses Leaked NSA Hacking Tools: Symantec Research (#GotBitcoin?)
So, the NSA is actually spreading or contributing to the exchange hacking, mining malware and overall cyber-crime sprees we’re facing. Hahahah, Monty
The new cryptojacking malware, dubbed Beapy, uses the leaked United States National Security Agency (NSA) hacking tools to spread throughout corporate networks to generate big sums of money from a large amount of computers, the report notes.
First spotted in January 2019, Beapy reportedly surged to over 12,000 unique infection across 732 organizations since March, with more than 80% of infections located in China.
As found by researchers, Beapy malware is reportedly spread through malicious emails. Once opened, malware drops the NSA-developed DoublePulsar malware and uses NSA’s EternalBlue exploit, the same exploits that helped spread the WannaCry ransomware in 2017. According to the report, Beapy also uses Mimikatz, an open-source credential stealer, to collect and use passwords from infected computers to navigate its way across the network.
According to TechCrunch, cryptojacking has seen a decline in recent months, partially due to the recent shutdown of Coinhive, a popular web-based online mining tool. However, file-based cryptojacking such as Beapy is reportedly much more efficient and faster, which allows hackers to make more money.
As such, in a single month, file-based mining can generate up to $750,000, compared to just $30,000 from a browser-based mining activity, Symantec researchers said.
As recently reported, crypto mining is one of the most observed objectives of hackers attacking businesses’ cloud infrastructures, with organizations of all sizes continuing to face major crypto mining attacks despite the bear market.
Recently, a federal jury convicted two Romanian alleged cybercriminals for spreading malware to steal users credentials and illicitly mine cryptocurrency.
Leaked NSA Hacking Tools Find Their Way Onto The Dark Web
Underground hackers are now sharing, promoting and working to adopt executable computer code evident in NSA documents that were published last week by the Shadow Brokers, private sector intelligence analysts tell CyberScoop.
Tutorials on how to utilize some of the tools began appearing the same day the NSA documents were originally published, according to researchers at Israel-based dark web intelligence firm SenseCy. Forum members have shown a particular interest in a leaked framework similar to Metasploit that’s unique to the NSA called Fuzzbunch.
SenseCy, a firm focused on the dark web staffed by former intelligence officials, identified a series of conversations occurring in a hidden Russian cybercrime forum discussing how members could exploit a bug in Windows Server Message Block, a network file sharing protocol.
“Hackers [have] shared the leaked [NSA] information on various platforms, including explanations [for how to use the tools] published by Russian-language blogs,” said SenseCy Director Gilles Perez. “We identified [one] discussion dealing with the SMB exploit [ETERNALBLUE], where hackers expressed interest in its exploitation and share instruction on how to do so.”
Perez declined to name the dark web forums surveilled by SenseCy, but provided CyberScoop with screenshots of conversations between members discussing the matter in discussion boards — “We can never provide the names of the forums as that could jeopardize our operations,” he wrote in an email.
One of the powerful tools shared by the Shadow Brokers last week, and addressed by a March Microsoft security update, is codenamed ETERNALBLUE in the leaked documents — it is also referred to as vulnerability MS17-010 by Microsoft.
ETERNALBLUE allows for an attacker to remotely cause older versions of Windows to execute code.
Security researcher Matthew Hickey was able to show in a video that ETERNALBLUE is effective against machines running Windows Server 2008 R2 SP1, an old but popular version of Windows Server.
SenseCy researchers told CyberScoop they’ve already seen cybercriminals attempt to utilize the MS17-010 vulnerability in ransomeware-style attacks.
“We are now seeing a trend, that most likely will gain momentum in the following weeks, of infecting Windows servers with Ransomware utilizing the [NSA] leaked exploits,” Gilles said.
Researchers at cyber intelligence firm Recorded Future told CyberScoop that they too have spotted separate discussions in several Russian and Chinese hacker forums in which users successfully reversed engineered some of the Windows tools and were openly sharing their findings.
“The surprising recent release — one of the most comprehensive and up to date — of hacking tools and exploits by the notorious Shadow Brokers group stirred up great interest among Russian-speaking cyber criminals,” said Andrei Barysevich, Recorded Future’s director of advanced collection. “Only three days after the data was leaked, we identified a discussion among members of an elite dark web community sharing expertise in weaponizing the EternalBlue exploit as well as the DoublePulsar kernel payload.”
He added, “considering that Microsoft patched the EternalBlue vulnerability as recently as March 14, the number of potentially affected systems could still be tremendous.”
Recorded Future similarly declined to name the forums where they discovered this content.
“[In the Chinese forum], they were particularly interested in the exploit framework (named FUZZBUNCH), the SMB malware (ETERNALBLUE) and privilege escalation tool (ETERNALROMANCE),” members of Recorded Future’s research team wrote in an email. “Actors were focused on the unique trigger point for [ETERNALBLUE] and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses.”
These discussions indicate that there’s broad interest in the unique malware triggers published by the Shadow Brokers and a belief that the underlying vulnerabilities being exploited had not been completely mitigated by Microsoft’s patches, according to Recorded Future. “These two factors combine to increase the risk that malicious Chinese actors may reuse or repurpose this malware in the future,” a spokesperson explained.
Most of the exploits and implants mentioned in the latest release are designed to exploit software vulnerabilities apparent in older Microsoft products, including Office and various operating systems. The technology giant stated in a blog post over the weekend that it had patched most of the exploits. Discontinued, end of life version of Windows, such as XP and 2003, remain vulnerable as they did not receive a security patch.
More than 65 percent of desktop computers connected to the internet last month ran on older versions of Windows like Vista, according to estimates from the tracking firm Net Market Share.
While many of the Microsoft Windows-specific exploits contain remote code execution vulnerabilities, they need to be deployed against a host in order to be successful. In other words, a connection to the organization must already be established for many of these exploits to work — as port 445, which is used in Microsoft’s SMB, is typically blocked internet-wide.
Microsoft declined to answer questions pertaining to how the company originally became aware of the aforementioned vulnerabilities, which were supposedly once exploited by the NSA.
Though it remains unclear whether anyone has been able to successfully leverage any of the leaked hacking tools to launch their own computer intrusion, security researchers fully expect and are preparing for a barrage of new attacks supported by NSA’s quality engineering.
“Even though the vulnerabilities released were patched, we feel confident that it will only be a matter of time before we see exploitation in the wild,” said Cylance Chief Research Officer Jon Miller. “The scale will be on par with any other known and patched vulnerability. Only those that aren’t judicious in patching their systems will be affected, mitigating the risk that comes from a true zero-day.”
Liam O’Murchu, the director of Symantec’s security technology and response group, said he expects it will take a “little longer” for attackers to begin incorporating the leaked tools into their own attacks.
“From a defensive perspective, one of the main problems is the volume of data released,” said O’Murchu. “We need to analyze all the files to understand how they could be changed or used to fit in with current cybercrime attacks … with ~7000 files disclosed, it is very resource intensive to understand all of the tools, the full capabilities and how they can be used. That is what we are working on now.”
A cohort of independent researchers and security firms are finding new capabilities and targeted software vulnerabilities hidden in the massive trove of documents on a near daily basis since Friday’s release.
“We have only begun to scratch the surface on these tools and now that they are out there it’s important we can analyze them to determine servers that are impacted as well as what steps can be taken to protect against them,” Hickey wrote in a blog post, Wednesday.
“The tools are released in binary format and as reverse engineering efforts are underway. We will likely discover more interesting features about the attacks,” wrote Hickey. “We are under no illusion that such a huge data trove will not be completely analyzed in its first few days of discovery and neither should you.”
Your Questions And Comments Are Greatly Appreciated.
Monty H. & Carolyn A.Go back