Cryptomining Malware Using NSA Hacking Code is Spreading Rapidly
August 26, 2019
The combination of an anonymous currency and leaked government security exploits has led to a rising new threat for system administrators. While cybercriminals have long included an assortment of ideologically driven activists and rising stars hoping to make a name for themselves with their peers, the vast majority of them are motivated by money. In defending against their activities we usually think of their target as being data, and certainly data still presents the most damaging and lucrative target for any company. With the rise of Bitcoin, however, a new revenue generator has presented itself: your processing power.
Bitcoin is an alternative currency known for its anonymous nature. It uses a cryptographic technology called a blockchain, which acts as a public ledger tracking how the coins change hands; adding to the ledger is computationally expensive. Bitcoin crowdsources additions to the public ledger by having people perform the computations on their own systems in exchange for a small number of coins as a reward. Bitcoins themselves have only the worth the public attributes to them, as they are not backed by any government. Because they are given sparingly and only to those who perform significant computational work, they have maintained a money-like property, although their actual value has been subject to wild swings. If the people adding to the public ledger were to stop, the entire system would collapse, so it is necessary to provide enough new coins to keep the community incentivized; the reward schedule has been predetermined by an algorithm. For these Bitcoin “miners” there has been significant effort to produce an ideal hardware configuration that balances the cost of equipment and, importantly, the cost of electricity, such that mining is profitable.
For cybercriminals, all that value needs only a shortcut to funnel the money into their own pockets: the effectively unlimited supply of processors and electricity owned by other people, especially data centers. For years malware has targeted hapless computers to leech resources and mine Bitcoin on behalf of others. Sometimes the threat even comes from internal employees using corporate assets. The techniques can be sophisticated, sometimes involving software resident only in memory. Successful criminals are those who learn that the parasite must not kill the host: they keep the performance degradation within reasonable limits to remain undetected as long as possible. To many, it seems a victimless crime. Most who discover the mining programs simply remove them and move on, with no negative consequences to the perpetrators. Since no data is stolen, laws requiring disclosure and punishing intruders for theft are less effective, and damages are harder to demonstrate.
Still, with such a lucrative opportunity, the fundamental problem remains: how to get the software onto the system? While many techniques have been used in the past, a recent development proved a game-changer.
A group called the Shadow Brokers compromised the Equation Group, a hacking division of the NSA, and revealed some of the exploits discovered by the NSA to the public, holding back what they claimed were the best files to be sold to anyone willing to meet their price, in Bitcoin of course. Through a long series of Medium posts and Wikileaks activity, the exploits have trickled out to the public. Two of them, EternalBlue and DoublePulsar, proved particularly devastating and formed the foundation of the WannaCry ransomware. These exploits are now making a return performance in the form of a new malware, Beapy.
Beapy is usually delivered as an email attachment in the form of an infected Excel file. This file installs the DoublePulsar backdoor and then uses EternalBlue, an exploit of the Windows SMB protocol, to spread laterally. According to TechCrunch, Symantec confirmed over 12,000 infections across 732 companies in March. The numbers are expected only to have gotten worse since then, as over a million systems remain vulnerable.
What defense can be used against such a threat? Admittedly, some of the traditional defenses, which focus on data being accessed in an unauthorized way and leaving the organization, may not be effective in this case. Instead, monitoring of system performance may catch the increased workload on the processor. Careful monitoring of newly opened ports, newly running services, and new data flows would reveal both the DoublePulsar backdoor and the EternalBlue lateral movement. Threat intelligence will aid in discovering communications with known hostile endpoints on the web. Ultimately, the best defense comes in the form of visibility into cloud and multi-cloud environments; to this end, vulnerability scanning, patching, and anti-malware defenses should not be neglected on any system. Lacework provides this type of defensive coverage and can work in concert with your other security controls to prevent or detect this threat and allow you to take action to ensure data and cloud assets are not stolen or misused.
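As an added illustration of the monitoring the post recommends (example code written for this article, not Lacework's product or any code from the original), the script below diffs a host's listening ports and services against a recorded baseline, flags processes that stay above a CPU threshold across several samples rather than spiking once, and matches outbound flows against a threat-intel list. All snapshot values, process names, and the indicator address are constructed sample data.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed "known good" baseline recorded from a host during normal operation.
BASELINE_PORTS: Set[int] = {22, 3389}
BASELINE_SERVICES: Set[str] = {"Spooler", "WinDefend", "LanmanServer"}
# Constructed threat-intel entry (a TEST-NET-3 address, not a real indicator).
HOSTILE_ENDPOINTS: Set[str] = {"203.0.113.10"}

# Constructed current snapshot: SMB newly listening, one unfamiliar service,
# and one process ("svcupd.exe", invented) that stays near 100% CPU in every sample.
CURRENT_PORTS: Set[int] = {22, 3389, 445}
CURRENT_SERVICES: Set[str] = {"Spooler", "WinDefend", "LanmanServer", "WinUpdSvc2"}
CPU_SAMPLES: List[Dict[str, float]] = [  # process -> percent CPU, one dict per sample
    {"explorer.exe": 4.0, "svchost.exe": 6.0, "svcupd.exe": 91.0},
    {"explorer.exe": 2.5, "svchost.exe": 85.0, "svcupd.exe": 93.5},  # svchost spikes once
    {"explorer.exe": 3.0, "svchost.exe": 4.0, "svcupd.exe": 89.0},
    {"explorer.exe": 5.0, "svchost.exe": 7.0, "svcupd.exe": 95.0},
]
FLOWS: List[Tuple[str, str, int]] = [  # (process, destination IP, destination port)
    ("chrome.exe", "198.51.100.7", 443),
    ("svcupd.exe", "203.0.113.10", 3333),
]

def new_items(baseline: Set, current: Set) -> Set:
    """Anything present now that was absent from the baseline (ports or services)."""
    return current - baseline

def sustained_cpu(samples: List[Dict[str, float]], threshold: float = 80.0,
                  min_hits: int = 3) -> Set[str]:
    """Processes at or above `threshold` percent CPU in at least `min_hits` samples.
    A single spike is ordinary; a process pegged across samples is the miner pattern."""
    hits = Counter(p for s in samples for p, cpu in s.items() if cpu >= threshold)
    return {p for p, n in hits.items() if n >= min_hits}

def hostile_contacts(flows: List[Tuple[str, str, int]], indicators: Set[str]) -> List[Tuple[str, str, int]]:
    """Flows whose destination address matches a threat-intel indicator."""
    return [f for f in flows if f[1] in indicators]

def assess() -> Dict[str, object]:
    """Run all checks over the constructed snapshot and collect the findings."""
    return {
        "new_ports": new_items(BASELINE_PORTS, CURRENT_PORTS),
        "new_services": new_items(BASELINE_SERVICES, CURRENT_SERVICES),
        "pegged_cpu": sustained_cpu(CPU_SAMPLES),
        "hostile_flows": hostile_contacts(FLOWS, HOSTILE_ENDPOINTS),
    }
```

In practice the baseline and samples would come from a host agent or endpoint telemetry, and any non-empty finding from `assess()` would open an investigation rather than be treated as proof of mining on its own.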