Week 32, 2019

Blockchain Village | Binance | Coinbase | APT41

For those of you still recovering from the BlackHat/Defcon conferences, I am happy to report that the Blockchain Security Village was a real success! Featuring about two dozen high-quality talks and two competitions running in parallel, it felt like a conference within a conference. Watch out for Defcon releasing the conference recordings in the next few weeks to check out some of the talks. There are also a number of security talks coming up during the upcoming Berlin blockchain week, covered below.

In other news, Binance was a hot topic with an extortion attempt and a cache of leaked KYC data; a U.N. report described North Korea raising funds by hacking every cryptocurrency exchange and bank it can get to; FireEye published an excellent APT41 report on a Chinese nation-state actor that targets the cryptocurrency industry when it is not busy running espionage operations; and there is plenty of new malware to watch out for.

News:

Events:

  • Web3 Summit 2019 - a security node during the Web3 summit on August 19-21 will include workshops on everything Ethereum security from Solidified, MythX, Zeppelin, and others.

  • #blockchainhackers vol.3 - a security meetup on August 22nd during Berlin blockchain week which will include speakers from ConsenSys, Hacken, ChainSecurity, SmartDec, and others.

  • Capture the Coin - a month-long CTF competition that kicked off during the Blockchain Village at Defcon and will continue until September 9th. The competition includes a number of blocksec-related challenges such as smart contract exploitation, cryptography puzzles, blockchain investigations, wallet malware, and others. A number of my coworkers at Coinbase and I put together this competition and hope you will enjoy playing it.

  • Chain Heist - an excellent CTF-style competition which includes a number of vulnerable Ethereum smart contracts covering a wide range of security issues. The main event, in which I had the privilege of competing and winning the main prize, is over; however, all of the challenges are still up and you can play them today.

Research:

  • Binance Hack 2019 – A Deep Dive Into Money Laundering And Mixing - a research article investigating the recent surge in activity of the crypto mixing service Chipmixer. The article links the activity to BTC stolen from the Binance and BitPoint exchanges.

  • ShapeShift Security Update - an in-depth discussion of a recently reported side channel attack against ShapeShift (and other hardware wallets).

  • Litecoin Dusting Attack - a notification and a linked research article by Binance into the ongoing dusting attack on the Litecoin network.

  • Bitcoin vaults with anti-theft recovery/clawback mechanisms - a soft fork proposal to create a delay period during which a wallet owner could observe and respond to theft of funds.

  • Double Dragon - APT 41, a dual espionage and cyber crime operation - a detailed report by FireEye into a state-sponsored actor conducting a number of financially motivated intrusions in addition to espionage and surveillance operations. The group's focus on virtual currency targets, including in-game currencies, cryptocurrencies, and related services, is of particular interest to readers. The report provides a detailed view of the group's malware capabilities, initial compromise and further exploitation techniques. In at least one instance the group attempted to install ransomware and in another deployed an XMRig miner.

  • 246 Findings From our Smart Contract Audits: An Executive Summary - a detailed statistical analysis of the vulnerability classes discovered across 23 security audits with a total of 246 security findings. Data validation and access control flaws were the most common findings, constituting 36% and 10% of total findings respectively. The report also points out that almost 49% of the findings are unlikely to be discovered with static or dynamic analysis tools and require a human auditor to detect.

  • The Elliptic Data Set: opening up machine learning on the blockchain - background information on the recently released bitcoin transaction data set.

  • Bitcoin Security under Temporary Dishonest Majority - a research study which examines several scenarios where a dishonest majority temporarily takes over the Bitcoin network.

Malware:

  • Access Mining - How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model - a detailed Carbon Black report on the Smominru cryptominer, which has now started to exfiltrate data and provide remote access. The report links Smominru to a separate MyKings botnet and to a marketplace which sells access to infected hosts.

  • Clipsa – Multipurpose password stealer - an Avast Antivirus report on a Visual Basic malware sample capable of stealing cryptocurrency wallets, brute-forcing WordPress credentials, silently changing cryptocurrency addresses in the clipboard, and installing an XMRig miner.

  • Saefko: A new multi-layered RAT - a Zscaler report into a new .NET malware with remote execution, keylogging, connection proxying, and data stealing capabilities. The malware is interesting because it specifically targets machines with evidence of the user having visited major cryptocurrency company websites including Coinbase, Kraken, ShapeShift, Bitfinex, and others.

Media:

Tools:

That’s all for this busy week in blockchain threat intelligence. Stay safe and see you next week!