Hackers are still using the highly classified hacking tools built by the National Security Agency (NSA) that were stolen two years ago.
According to security researchers at Symantec, there has been a recent spike in a new malware called Beapy, which makes use of the leaked hacking tools to spread across corporate networks and compromise computers so that they run mining code to generate cryptocurrency.
Beapy was first seen in January, but since March it has grown to more than 12,000 unique infections across 732 organizations. The malware mainly targets enterprises, which host large numbers of computers: the more machines that are infected with mining software, the more money the operation produces.
When an employee at a company opens an infected email, the malware deploys DoublePulsar, the implant developed by the NSA, to create a persistent backdoor on the compromised computer. The NSA's EternalBlue exploit is then used to spread laterally across the network. These are the same tools that drove the spread of the WannaCry ransomware in 2017. Once computers on the network have been backdoored, the Beapy malware is pulled from the attackers' command-and-control server and each computer is infected with the mining software.
Beapy does not rely only on the NSA exploits to spread; it also uses Mimikatz, an open-source credential stealer, to harvest passwords from infected computers and use them to move across the network.
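The infection chain described above leaves two network-visible traces that a defender can look for: one workstation suddenly opening SMB (TCP 445) sessions to many internal peers in a short window, which is what EternalBlue-style lateral movement looks like from the firewall, and a process connecting to a mining pool over the stratum protocol. The script below is an added, defender-side example; it is not code from the article or from Symantec's research. The log formats, host names, IP addresses, the `.invalid` pool hostname and the detection thresholds are all constructed for illustration.

```python
"""Added example (not from the article or Symantec): a small detection
heuristic run over constructed firewall and process-creation logs, looking
for Beapy-style lateral movement over SMB and a miner talking to a pool."""

from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed firewall connection log, one line per allowed/denied connection:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
FIREWALL_LOG = """\
2019-04-01T10:00:01 10.0.5.21 -> 10.0.5.30:445 allow
2019-04-01T10:00:02 10.0.5.21 -> 10.0.5.31:445 allow
2019-04-01T10:00:02 10.0.5.21 -> 10.0.5.32:445 allow
2019-04-01T10:00:03 10.0.5.21 -> 10.0.5.33:445 allow
2019-04-01T10:00:04 10.0.5.21 -> 10.0.5.34:445 allow
2019-04-01T10:00:05 10.0.5.21 -> 10.0.5.35:445 allow
2019-04-01T10:00:06 10.0.5.21 -> 10.0.5.36:445 allow
2019-04-01T10:00:07 10.0.5.21 -> 10.0.5.37:445 allow
2019-04-01T10:00:08 10.0.5.21 -> 10.0.5.38:445 allow
2019-04-01T10:00:09 10.0.5.21 -> 10.0.5.39:445 allow
2019-04-01T10:05:00 10.0.5.50 -> 10.0.5.10:445 allow
2019-04-01T10:05:30 10.0.5.50 -> 10.0.5.11:445 allow
2019-04-01T10:06:00 10.0.5.60 -> 10.0.5.10:443 allow
"""

# Constructed process-creation log (hypothetical EDR format):
# "<ISO timestamp> <host> pid=<n> <command line>"
PROCESS_LOG = """\
2019-04-01T10:01:10 WS-021 pid=4120 C:\\Windows\\Temp\\svc.exe -o stratum+tcp://pool.example.invalid:3333 -u wallet
2019-04-01T10:01:12 WS-050 pid=1532 C:\\Windows\\System32\\svchost.exe -k netsvcs
"""

FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")
PROC_RE = re.compile(r"^(\S+) (\S+) pid=(\d+) (.*)$")
# stratum is the de facto mining-pool protocol; its URL scheme is a strong miner indicator
POOL_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)


def smb_fan_out(log, window_seconds=60, threshold=5):
    """Return {src_ip: peak_distinct_targets} for every source that reached at
    least `threshold` distinct hosts on TCP 445 inside any window of
    `window_seconds`. A normal workstation rarely talks SMB to many peers at
    once; a worm using EternalBlue does."""
    by_src = defaultdict(list)
    for line in log.strip().splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, src, dst, port, action = m.groups()
        if port != "445" or action != "allow":
            continue
        by_src[src].append((datetime.fromisoformat(ts), dst))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct destinations reached within `window` of this event
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def miner_processes(log):
    """Return (host, pid, command line) for processes whose command line
    points at a stratum mining pool."""
    found = []
    for line in log.strip().splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        _ts, host, pid, cmd = m.groups()
        if POOL_RE.search(cmd):
            found.append((host, int(pid), cmd))
    return found


def report(fw_log=FIREWALL_LOG, proc_log=PROCESS_LOG):
    """Combine both heuristics into one list of human-readable findings."""
    findings = []
    for src, n in smb_fan_out(fw_log).items():
        findings.append(f"SMB fan-out: {src} reached {n} hosts on 445 within 60s")
    for host, pid, cmd in miner_processes(proc_log):
        findings.append(f"Miner: {host} pid {pid} -> {cmd}")
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

The fan-out check is deliberately blind to what was sent over SMB; it only needs connection metadata, so it works from firewall or NetFlow records even where the exploit traffic itself is encrypted or not captured. The threshold of five peers in sixty seconds is a constructed starting point and should be tuned against a baseline of the environment (file servers and vulnerability scanners will legitimately exceed it and need an allow-list).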
Researchers state that more than 80 percent of Beapy’s infections are in China.
Cryptojacking, the term for hijacking computers to mine cryptocurrency, has been seen less often in recent months following the shutdown of Coinhive, a popular mining tool. Even so, cryptojacking remains a comparatively stable source of revenue for attackers.
Last year, around 919,000 computers were vulnerable to EternalBlue attacks, and most of those that were compromised were used to mine cryptocurrency. That number has now passed one million.
Usually, cryptojackers exploit vulnerabilities in websites so that, when a user opens the site in a browser, the page uses the computer's processing power to generate cryptocurrency. File-based cryptojacking is faster and more efficient, and brings in more money: file-based mining is estimated to generate up to $750,000 in a month, compared with $30,000 from a browser-based mining operation.
Even though cryptojacking does not involve stolen data or encrypted files, mining campaigns slow down computers and cause device degradation.