Beapy Cryptojacking Campaign Uses EternalBlue to Exploit Enterprises

The same core vulnerability that enabled the WannaCry ransomware attack in 2017 is still being used by attackers looking to exploit vulnerable systems, according to Symantec.

1088_UnauthorizedCryptocurrency

Symantec reported on April 25 that an unknown group of attackers is making use of the same EternalBlue vulnerability that enabled the WannaCry ransomware attack to conduct cryptojacking attacks on enterprises.

The attack has been dubbed "Beapy" by Symantec and apparently has been ongoing since January 2019. According to Symantec's report, Beapy is a cryptojacking worm that initially infects systems via a phishing attack. If the attacked system has not been patched for the EternalBlue vulnerability, Beapy is then able to spread across an enterprise's network, infecting other systems and using them to mine cryptocurrency.

"Multiple nefarious groups have leveraged EternalBlue since it was leaked in April 2017 and have incorporated them into a myriad of threats," Alan Neville, threat intelligence analyst for Symantec, told eWEEK.

The EternalBlue vulnerability is a flaw in Windows that was patched by Microsoft with its MS17-010 advisory in March 2017. A month later in April 2017, working code for an EternalBlue exploit flaw was publicly revealed by a group known as the Shadow Brokers. EternalBlue is also the flaw that enabled the WannaCry ransomware attack in May 2017 to spread rapidly.

Although the EternalBlue flaw was patched by Microsoft in 2017, there are still plenty of systems that apparently have not deployed the patch. The Beapy attack makes use of EternalBlue to get a foothold in a network, but rather than deploy ransomware like WannaCry, Beapy deploys a cryptocurrency mining tool. The activity of conducting unauthorized cryptocurrency mining on a system is commonly known as cryptojacking, 

Cryptojacking in 2019

The Beapy campaign comes at a time when cryptojacking is in a state of decline.

The value of cryptocurrencies has fallen precipitously in recent months and along with that has followed an overall decline in cryptojacking. Symantec reported in its Internet Security Threat Report (ISTR) released on Feb. 19 that there was a 52% drop in the overall number of cryptojacking events between January and December 2018 as the value of the Monero cryptocurrency declined by 90%.

Beapy makes use of a file-based miner, which is an executable program that conducts the mining directly on the system.

"The use of file-based coinminers allows the cyber-criminals to mine cryptocurrency faster, and thus make money faster, which is appealing now that cryptocurrency values are significantly lower than where they were at their peak," Neville said. "While we have not expanded the investigation to determine the potential amount attackers have made through Beapy alone, a 30-day file-based mining generates an average profit per machine of 25 cents."

Neville added that with a botnet comprising 100,000 machines, a file-based mining operation could generate up to $750,000 in profit. 

How Beapy Works

Beapy is mining the Monero cryptocurrency and, according to Symantec, it is making use of the open-source XMRig mining code. The Beapy attack is also not entirely random, with 98% of Beapy’s victims identified by Symantec as being enterprises, rather than individual consumers.

Cryptocurrency mining is a very CPU-intensive process and often benefits from the use of GPU acceleration, thought that's not something Beapy is specifically targeting. Neville commented that nothing specific was identified during analysis related to code that directs Beapy to look for systems with GPUs in order to mine cryptocurrency faster.

For Beapy to work effectively, the target system needs to be unpatched for EternalBlue, though Neville noted that it might still be able to propagate across a network where systems have in fact been patched.

"If the system has been patched, EternalBlue won’t be an effective means to gain access to a system on the network," he said. "However, Beapy also makes use of embedded credential modules such as Mimikatz in order to dump network credentials and use these to spread across networks."

Defending Against Beapy

For organizations, there are a few basic hygiene steps that Neville recommends to help defend against Beapy and other similar risks:

  • Deploy the appropriate patches from Microsoft to stop EternalBlue.
  • Ensure that all employees have appropriate training to recognize and report phishing attacks that are used to deliver malicious files such as Beapy. 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.