Week 28, 2019

Bitpoint | AlphaPoint | 0x | Ransomware

A number of exchange compromises and critical vulnerabilities were reported in the cryptocurrency ecosystem. Bitpoint suffered a $32 million loss, and up to 100 exchanges using AlphaPoint, an exchange platform provider, may have been affected by a separate hack. A significant vulnerability in 0x prompted an exchange shutdown, and a Cosmos slashing bypass bug triggered an emergency patch.

Hacks:

  • Bitpoint cryptocurrency exchange hacked for $32 million - On July 11, 2019 Bitpoint, a cryptocurrency exchange in Japan, suffered a breach resulting in the loss of 1,225 BTC, 1,985 BCH, 11,169 ETH, 5,108 LTC, and 28,106,343 XRP. The exchange published its first report of the breach in under 24 hours and continued releasing a series of reports, including a detailed incident timeline and the investigation steps taken. It was interesting to note the role of Japan’s Financial Services Agency (FSA) in ensuring timely communication of the compromise to the public.

  • MyDashWallet was compromised for 2 MONTHS - a supply chain attack was reported on the Dash forum: the popular online wallet had been collecting users’ private keys through a backdoored third-party script loaded from GreasyFork. According to the blog post, the dependency was added back in April 2018 and the private-key-stealing code was inserted between May 13th and July 12th, 2019.

    Indicators: https://api[.]dashcoinanalytics[.]com/stats.php

  • Up to 100 crypto exchanges worldwide could be affected - a number of exchanges around the world may have lost funds after AlphaPoint, a New York based white-label provider of cryptocurrency exchange software, was compromised through spear-phishing and SIM-swapping campaigns. Bitcoins Norway, Foxbit, Coinext, FlowBTC, Casa do Bitcoin, and other exchanges were among those affected.

  • Monroe College Hit With Ransomware, $2 Million Demanded - yet another ransomware attack was reported on Wednesday, July 10th, with the attackers demanding a ransom of 170 BTC (about $2 million).

Vulnerabilities:

  • The 0x vulnerability, explained - on July 12th, 2019 a critical bug in signature verification caused 0x to shut down its v2 Exchange contract. The vulnerable validation path accepted the Wallet signature type (type byte 0x04) as valid for any non-contract account: a call into an address that holds no code succeeds without returning a result, and the check did not distinguish that from a genuine approval. According to the postmortem there was no evidence that the vulnerability was exploited, and the 0x core team patched it within a couple of hours.

  • CosmosSDK Security Advisory 05-30-2019 - a high severity vulnerability in the staking module was patched on the Cosmos network which allowed malicious actors to bypass token slashing for bad behavior. The bug was actively exploited on the network. A patch and an advisory were released within two days after the team learned of the vulnerability.
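The 0x signature-check failure above, as an added example that is not 0x’s contract code: a Python model of the bug class, with the vulnerable check beside a hardened one. Two EVM facts are modelled: a staticcall to an address with no code succeeds and returns no data, and a contract validator answers with a 32-byte ABI word. The addresses, the selector constant and the "reused output buffer" mechanism are illustrative assumptions, not a reproduction of the exact 0x code path.

```python
# Added example, not 0x's contract code: a model of the signature-validation
# bug class described in the 0x item above.
import hashlib
from typing import Callable, Dict, Tuple

SIG_TYPE_WALLET = 0x04                  # "ask the signer contract" signature type
SELECTOR = bytes.fromhex("1626ba7e")    # assumed isValidSignature selector
TRUE_WORD = (1).to_bytes(32, "big")     # ABI-encoded `true`
FALSE_WORD = bytes(32)                  # ABI-encoded `false`


class Chain:
    """Constructed toy chain: address -> contract handler; no entry means EOA."""

    def __init__(self) -> None:
        self.code: Dict[str, Callable[[bytes], bytes]] = {}

    def deploy(self, addr: str, handler: Callable[[bytes], bytes]) -> None:
        self.code[addr] = handler

    def has_code(self, addr: str) -> bool:          # extcodesize(addr) > 0
        return addr in self.code

    def staticcall(self, addr: str, data: bytes) -> Tuple[bool, bytes]:
        handler = self.code.get(addr)
        if handler is None:
            return True, b""                        # EOA: success, no return data
        try:
            return True, handler(data)
        except Exception:
            return False, b""                       # callee reverted


def vulnerable_is_valid(chain: Chain, order_hash: bytes, signer: str,
                        sig_type: int, sig: bytes) -> bool:
    if sig_type != SIG_TYPE_WALLET:
        return False                                # other types not modelled
    buf = SELECTOR + order_hash + sig               # call data, reused as output buffer
    ok, ret = chain.staticcall(signer, buf)
    if not ok:
        return False
    # Bug: the output buffer is only overwritten when the callee returns data.
    # For an EOA nothing is written, so the first word still holds the call
    # data (the selector), which is non-zero and therefore read as "valid".
    word = ret[:32] if ret else buf[:32]
    return int.from_bytes(word, "big") != 0


def hardened_is_valid(chain: Chain, order_hash: bytes, signer: str,
                      sig_type: int, sig: bytes) -> bool:
    if sig_type != SIG_TYPE_WALLET:
        return False
    if not chain.has_code(signer):                  # an EOA cannot be a wallet contract
        return False
    ok, ret = chain.staticcall(signer, SELECTOR + order_hash + sig)
    # require exactly one ABI word and compare it to the expected value
    return ok and len(ret) == 32 and ret == TRUE_WORD


def demo() -> Dict[str, bool]:
    chain = Chain()
    wallet, eoa = "0xwallet", "0xeoa"               # constructed addresses
    approved = b"owner-approved"                    # constructed "signature"

    def wallet_code(data: bytes) -> bytes:          # toy contract wallet
        return TRUE_WORD if data[4 + 32:] == approved else FALSE_WORD

    chain.deploy(wallet, wallet_code)
    h = hashlib.sha256(b"order").digest()
    forged = b"anything"
    return {
        "vuln_eoa_forged": vulnerable_is_valid(chain, h, eoa, SIG_TYPE_WALLET, forged),
        "hard_eoa_forged": hardened_is_valid(chain, h, eoa, SIG_TYPE_WALLET, forged),
        "vuln_wallet_forged": vulnerable_is_valid(chain, h, wallet, SIG_TYPE_WALLET, forged),
        "hard_wallet_ok": hardened_is_valid(chain, h, wallet, SIG_TYPE_WALLET, approved),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable check accepts a forged Wallet-type signature for an EOA, while the hardened one rejects it because the signer has no code; both reject a bad signature for a real contract wallet. The three checks in the hardened version (signer has code, exactly one returned word, word equals the expected value) are the ones to look for when reviewing any contract that delegates signature validation to another address.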

Be safe and see you all next week for another issue of Blockchain Threat Intelligence newsletter.

Week 27, 2019

Trezor | Monero | Defcon | Breaking Bitcoin

Another quiet week, with just a couple of news items on critical vulnerabilities in Trezor hardware wallets and Monero. If you are planning to go to Defcon this year, stop by the Blockchain Village for plenty of talks on blockchain security topics.

Events:

  • Defcon 27 - Blockchain Village - CFP was announced for the upcoming blockchain village with the theme “Blockchain for Security” and “Security for Blockchain”.

  • Breaking Bitcoin Training - additional training videos were released from the blockchain security conference last month.

This wraps it up for the quick update in the world of blockchain threat intelligence.

Week 26, 2019

Bitrue | Europol | Bitfinex | EVulHunter

Several arrests were reported this week in the UK, the Netherlands, and Israel; $4.5 million in crypto assets was stolen from a major exchange in Singapore; and another Florida city paid a ransomware demand to get its computers back online. The growing number of ransomware attacks, and of victims choosing to pay the attackers, appears to be the trend of the month.

Tools:

  • EVulHunter - a new static analysis tool for EOS smart contracts was just released, along with a paper and a video demonstration. The tool is built on the Octopus project.

Never a dull day in the blockchain security. See you all in next week’s blockchain threat intelligence!

Week 25, 2019

Coinbase | Firefox | LoudMiner | Libra

No hacks were reported this week, but an alarming report came from the Coinbase exchange about being targeted by a spear-phishing campaign that delivered two Firefox 0-day exploits. Several new malware families were also reported, including a clever miner hiding in pirated copies of audio synthesizer software.

Malware:

  • LoudMiner: Cross‑platform mining in cracked VST software - a really interesting cryptominer sample that came bundled with pirated copies of VST software. VST (Virtual Studio Technology) is a plugin format for audio software; VST synthesizers and effects are resource intensive, which makes them ideal cover for mining software. The miner itself was bundled as a Linux virtual machine image (run under QEMU on macOS and VirtualBox on Windows), making it easy to execute on a variety of platforms and providing a degree of obfuscation.

    Indicators:
    vstcrack[.]com (137[.]74[.]151[.]144)
    d-d[.]host (185[.]112[.]158[.]44)
    d-d[.]live (185[.]112[.]156[.]227)
    d-d[.]space (185[.]112[.]157[.]79)
    m-m[.]icu (185[.]112[.]157[.]118)
    (see the ESET report for additional indicators)

  • Malware sidesteps Google permissions policy with new 2FA bypass technique - a new Android malware sample capable of reading one-time passwords (OTPs) from SMS 2FA messages without the SMS permissions that Google restricted earlier this year: it reads the OTP from the notification displayed on the device instead. The malware impersonates the BtcTurk exchange and is designed to steal credentials for the service.

    Indicators:
    Android/FakeApp.KP
    btcturk.pro.beta 8C93CF8859E3ED350B7C8722E4A8F9A3
    com.app.btsoft.app 843368F274898B9EF9CD3E952EEB16C4
    com.app.elipticsoft.app 336CE9CDF788228A71A3757558FAA012
    com.koinks.mobilpro 4C0B9A665A5A1F5DCCB67CC7EC18DA54

  • Plurox: Modular backdoor - a new modular malware family which supports a number of crypto miner plugins depending on CPU/GPU capabilities of an infected system.

    Indicators:
    178.21[.]11.90
    185.146[.]157.143
    37.140[.]199.65
    194.58[.]92.63
    obuhov2k[.]beget[.]tech
    webdynamicname[.]com
    37.46[.]131.250
    188.93[.]210.42

  • Cryptocurrency-Mining Botnet Malware Arrives Through ADB and Spreads Through SSH - a new malware sample that enters Android devices through exposed ADB ports and spreads to other hosts over SSH; it runs on x86 Linux hosts as well as Android devices. Most infections were observed in South Korea.

    Indicators:
    45[.]67[.]14[.]179
    http://198[.]98[.]51[.]104:282
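The indicator lists on this page mix several defanging styles: `[.]` inside domains and IP addresses (sometimes only on one dot), `hxxp://` and `hxxps://` schemes, AV detection names and file names sitting next to hashes, and Android package names paired with MD5 sums. The following parser is an added example, not part of the newsletter; it normalises such lines into typed, refanged indicators. The sample text is constructed from lines copied out of the lists on this page, and the file-extension and case heuristics are assumptions that fit these lists rather than a general standard.

```python
# Added example, not part of the newsletter: a small parser that turns the
# defanged indicator lines used on this page into typed, refanged values.
import re
from typing import List, NamedTuple, Optional


class Indicator(NamedTuple):
    kind: str    # url | ipv4 | domain | sha256 | md5 | package
    value: str   # refanged, ready for a blocklist or a SIEM lookup


_HASH_KIND = {32: "md5", 64: "sha256"}
_URL = re.compile(r"^https?://\S+$", re.I)
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::\d{1,5})?$")
_HOSTPATH = re.compile(r"^([a-z0-9.-]+)(?::\d{1,5})?/\S*$", re.I)
_DOTTED = re.compile(r"^(?:[a-z0-9_-]+\.)+[a-z][a-z0-9-]*$", re.I)
# dotted names ending in these are dropped file names, not domains (assumption)
_FILE_EXT = {"exe", "dll", "ps1", "bat", "json", "cer", "apk", "gz", "tar", "sh"}


def refang(token: str) -> str:
    """Undo the defanging styles seen on this page: hxxp://, [.], (.), [:], [/]."""
    t = token.strip().strip("()<>\"',;")
    t = re.sub(r"^hxxp", "http", t, flags=re.I)
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", t)
    return t.replace("[:]", ":").replace("[/]", "/")


def classify(token: str) -> Optional[Indicator]:
    """Classify one whitespace-separated token, or return None for prose."""
    t = refang(token)
    if not t:
        return None
    if _URL.match(t):
        return Indicator("url", t)
    if len(t) in _HASH_KIND and re.fullmatch(r"[0-9a-f]+", t, re.I):
        return Indicator(_HASH_KIND[len(t)], t.lower())
    m = _IPV4.match(t)
    if m and all(int(o) <= 255 for o in m.groups()):
        return Indicator("ipv4", ".".join(m.groups()))       # port dropped
    m = _HOSTPATH.match(t)
    if m:                                                     # host/path without a scheme
        host = classify(m.group(1))
        return Indicator("url", t) if host and host.kind in ("ipv4", "domain") else None
    if _DOTTED.match(t) and t == t.lower() and t.rsplit(".", 1)[1] not in _FILE_EXT:
        # mixed-case dotted names (Backdoor.Perl.SHELLBOT.AB) are AV labels, not domains
        return Indicator("domain", t)
    return None


def extract(text: str) -> List[Indicator]:
    """Pull indicators out of free-form text, one line at a time."""
    found: List[Indicator] = []
    for line in text.splitlines():
        hits = [h for h in map(classify, line.split()) if h]
        if any(h.kind in _HASH_KIND.values() for h in hits):
            # a lowercase dotted name beside a file hash is an Android package
            # name (com.app.btsoft.app <md5>), not a domain
            hits = [h._replace(kind="package") if h.kind == "domain" else h for h in hits]
        found.extend(hits)
    return found


# constructed sample: lines copied from the indicator lists on this page
SAMPLE = """\
Indicators:
vstcrack[.]com (137[.]74.151.144)
btcturk.pro.beta 8C93CF8859E3ED350B7C8722E4A8F9A3
178.21[.]11.90
obuhov2k[.]beget[.]tech
http://198[.]98[.]51[.]104:282
146[.]185[.]171[.]227:443 C&C for Backdoor.Perl.SHELLBOT.AB
hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk APK file
update.ps1 (Trojan.PS1.MALXMR.MPA)
e4bc026aec8a76b887a8fc48726b9c48540fc2aa76eb8e61893da2ee6df6ab3a
"""

if __name__ == "__main__":
    for ind in extract(SAMPLE):
        print(f"{ind.kind:8} {ind.value}")
```

Ports are dropped from bare IPv4 indicators but kept inside URLs, so `146[.]185[.]171[.]227:443` becomes an address for a firewall list while `http://198[.]98[.]51[.]104:282` stays a full URL for proxy logs. Detection names and file names are deliberately skipped rather than mis-typed; if they are needed, keep them in a separate field rather than in the blocklist feed.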

That’s all for this week’s threat intelligence report. Stay safe and see you next week!

Week 24, 2019

Breaking Bitcoin | Rowhammer | Outlaw

In a quick break from a constant stream of compromises and malware, this week had a number of interesting research articles including a novel application of Rowhammer to leak private keys, a fun malware obfuscation technique using certificate files, and a ton of awesome research coming from the Breaking Bitcoin conference (check out links to videos below).

Hacks:

  • Gatehub Phishing Emails - malicious actors are attempting to exploit the recent news of the Gatehub hack by enticing users to send their XRP to fake Gatehub addresses.

    Indicators:
    Phishing wallet: r9V1Sz1ZSHC1ApwD1rdN71HWjPaLGWPZAX
    Phishing domains:
    http://www.getahub[.]net/
    https://www.getehub[.]com/
    https://www.gatahub[.]net/
    http://www.getehub[.]net/
    http://gattehub[.]net/
    https://gatehab[.]com/

Malware:

  • Outlaw Hacking Group’s Botnet Observed Spreading Miner, Perl-Based Backdoor - a detailed analysis of a still-in-development backdoor and Monero miner written in Perl. As noted by the Trend Micro analysts, the malware codebase does not yet appear to be complete, with many parts still left unexecuted. The researchers also noted an APK file found on one of the C2 servers, which may indicate future attacks targeting Android devices.

    Indicators:
    146[.]185[.]171[.]227:443 C&C for Backdoor.Perl.SHELLBOT.AB
    5[.]255[.]86[.]129:3333 C&C for Backdoor.Linux.SSHDOOR.AB
    54[.]37[.]70[.]249/.satan
    54[.]37[.]70[.]249/rp
    hxxp://54[.]37[.]70[.]249/.x15cache
    hxxp://54[.]37[.]70[.]249/dota2.tar.gz
    hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk APK file
    hxxp://mage[.]ignorelist[.]com/dota.tar.gz
    mage[.]ignorelist[.]com
    zergbase[.]mooo[.]com

  • CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner - a deserialization vulnerability in Oracle WebLogic Server is being exploited to deploy cryptominer malware. The attack is particularly interesting for its use of Windows CertUtil to obfuscate one of the downloaded payloads: the payload is base64-encoded and wrapped in certificate headers so that it looks like a certificate file and is reconstructed on the target with certutil -decode.

    Indicators:
    sysguard.exe-upx (TROJ_GEN.R002C0GDM19)
    e4bc026aec8a76b887a8fc48726b9c48540fc2aa76eb8e61893da2ee6df6ab3a

    sysupdate.exe (Coinminer.Win64.TOOLXMR.SMA)
    4b9842b6be35665174c78c3e4063c645bd6e10eb333f68e4c7840fe823647bdf

    update.ps1 (Trojan.PS1.MALXMR.MPA)
    c30f42e6f638f3e8218caf73c2190d2a521304431994fd6efeef523cfbaa5e81

    cert.cer (Coinminer.Win32.MALXMR.TIAOODCJ.component)
    3a567b7985b2da76db5e5a1d5554f7c13f375d88a27d6e6d108ad79e797adc9a

    hxxp://139[.]180[.]199[.]167:1012/clean[.]bat
    hxxp://139[.]180[.]199[.]167:1012/config[.]json
    hxxp://139[.]180[.]199[.]167:1012/networkservice[.]exe
    hxxp://139[.]180[.]199[.]167:1012/sysguard[.]exe
    hxxp://139[.]180[.]199[.]167:1012/sysupdate[.]exe
    hxxp://139[.]180[.]199[.]167:1012/update[.]ps1
    hxxp://45[.]32[.]28[.]187:1012
    hxxp://45[.]32[.]28[.]187:1012/cert[.]cer
    hxxps://pixeldrain[.]com/api/file/bg2Fh-d_
    hxxps://pixeldrain[.]com/api/file/cGsOoTyb
    hxxps://pixeldrain[.]com/api/file/cGsOoTyb/wujnEh-n1
    hxxps://pixeldrain[.]com/api/file/DF1zsieq1
    hxxps://pixeldrain[.]com/api/file/TyodGuTm
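The CertUtil trick in the CVE-2019-2725 item above, as an added example that is not code from the Trend Micro write-up: `wrap_as_certificate()` produces the disguise the way `certutil -encode` would (base64 body in 64-column lines inside PEM armour), and `inspect_pem()` is the check a responder can run over a suspicious `cert.cer` to tell a genuine DER certificate from a smuggled executable. The payloads are constructed stand-ins, not the real samples listed above.

```python
# Added example, not from the Trend Micro write-up: build and detect a payload
# hidden in certificate armour, the technique certutil -decode reverses.
import base64
import re
import textwrap
from typing import Dict, List

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# constructed samples: a fake PE (DOS "MZ" stub) and a tiny DER SEQUENCE{INTEGER 1}
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(200)
TINY_DER = b"\x30\x03\x02\x01\x01"


def wrap_as_certificate(payload: bytes, label: str = "CERTIFICATE") -> str:
    """Mimic `certutil -encode payload cert.cer`: base64 in 64-column PEM lines."""
    body = textwrap.fill(base64.b64encode(payload).decode("ascii"), 64)
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def inspect_pem(text: str) -> List[Dict[str, object]]:
    """Decode every PEM block in a file and report what the bytes really are."""
    findings: List[Dict[str, object]] = []
    for label, body in _PEM_BLOCK.findall(text):
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            findings.append({"label": label, "verdict": "not-base64", "size": 0})
            continue
        if raw[:2] == b"MZ":
            verdict = "pe-executable"            # a Windows binary in a .cer file
        elif raw[:1] == b"\x30":
            verdict = "der-asn1"                 # a real X.509 certificate starts here
        else:
            verdict = "other"
        findings.append({"label": label, "verdict": verdict, "size": len(raw)})
    return findings


if __name__ == "__main__":
    disguised = wrap_as_certificate(FAKE_PE)     # what the dropper downloads as cert.cer
    print(disguised[:80] + "...")
    for finding in inspect_pem(disguised) + inspect_pem(wrap_as_certificate(TINY_DER)):
        print(finding)
```

Because the armour is real PEM, `certutil -verify` or an openssl parse fails loudly on the smuggled file while `certutil -decode` happily rebuilds the binary; checking the first decoded bytes is the cheap test that distinguishes the two. The same check applies to any base64-carrying file type the host treats as benign (.cer, .crt, .p7b).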

Research:

  • Researchers use Rowhammer bit flips to steal 2048-bit crypto key - the latest application of the well-known attack, this time to read private keys out of memory. Rather than corrupting the victim’s memory, researchers from the University of Michigan, Graz University of Technology, the University of Adelaide and Data61 used Rowhammer as a side channel, called RAMBleed: bits in the attacker’s own rows flip depending on the values stored in neighbouring victim rows, which lets the attacker read those values without ever modifying them. The article discusses several defenses that make the attack harder, such as ECC and TRR.

  • A Formal Treatment of Deterministic Wallets - a formal security model for deterministic wallets, together with a new ECDSA-based hot/cold wallet scheme built on the BIP32 standard.

  • A Huge List of Cryptocurrency Thefts - an awesome collection of major compromises including their root cause and monetary cost. The list starts from Mt.Gox in 2011 and goes all the way to the more recent Binance hack in May, 2019.

Hope you enjoyed all the fun research articles and conference videos mentioned in this edition of Blockchain Intelligence. See you all next week.
