A newly-discovered cryptojacking campaign uses familiar exploits to target enterprises and traverse network shares, infecting any connected computer.
Despite the closure of cryptojacking attack facilitator CoinHive and decreases in cryptocurrency valuation, cybercriminals are still focusing on cryptojacking attacks against enterprises, according to a Symantec report published Thursday. Beapy, a file-based coinminer, was first discovered in January 2019, with attacks accelerating since March. Enterprises comprise 98% of Beapy's victims, with organizations in Asia the most common targets—more than 80% of victims are located in China, with South Korea, Japan, and Vietnam comprising most of the rest of the targets.
This may be, in part, due to the exploit used to infect systems. The EternalBlue and DoublePulsar exploits were released publicly by an organization called The Shadow Brokers in April 2017, but were originally developed by the NSA Office of Tailored Access Operations and CIA Information Operations Center. EternalBlue has been used to great effect by the Lazarus Group, a North Korean state-sponsored actor, responsible for the WannaCry attacks and the 2014 Sony Pictures hack.
The attack uses a maliciously crafted Excel document delivered as an email attachment, which downloads the DoublePulsar backdoor onto the system; the malware then spreads to other systems on the network using EternalBlue.
According to the report, "EternalBlue isn't Beapy's only propagation technique, and it also uses the credential-stealing tool Hacktool.Mimikatz to attempt to collect credentials from infected computers. It can use those to spread to even patched machines on the network. Beapy also uses a hardcoded list of usernames and passwords to attempt to spread across networks," similar to how Bluwimps, a worm that infected thousands of enterprise machines in 2017-2018 with file-based coinminers, operated.
Beapy has also been found to exploit vulnerabilities in Apache Struts, Apache Tomcat, and Oracle WebLogic Server.
Cryptojacking degrades the performance of workstations and mobile devices, as compute time is dedicated to mining activity rather than intended functions. Cryptojacking attacks have caused phones to overheat, resulting in physical damage.