A number of exchange compromises and critical vulnerabilities were reported in the cryptocurrency ecosystem. Bitpoint suffered a $32 million loss and up to 100 exchanges using AlphaPoint, an exchange platform provider, may have been affected as a result of the hack. A significant vulnerability was reported in 0x prompting the exchange shutdown A Cosmos slashing bypass bug triggered an emergency patch.

News:

• US mayors resolve not to pay hackers over ransomware attacks - 225 majors have signed a resolution not to pay ransom in response to the increase of attacks targeting US cities. The action is aimed to de-incentivize further attacks.

Hacks:

• Bitpoint cryptocurrency exchange hacked for $32 million - On July 11, 2019 Bitpoint, a cryptocurrency exchange in Japan, has suffered a breach resulting in the loss of 1225 BTC, 1985 BCH, 11169 ETH, 5108 LTC, and 28106343 XRP. The exchange has published the first report of the breach in under 24 hours and continued releasing a series of reports which included a detailed incident timeline and investigation steps taken. It was interesting to note the role of Japan’s Financial Service Agency (FSA) to ensure timely communication of the compromise with the public.

• MyDashWallet was compromised for 2 MONTHS - a supply chain attack was reported on the Dash forum which suggested the popular online wallet software was collecting users’ private keys through a backdoored 3rd party library - GreasyFork. According to the blog post, the library was added back in April 2018 and the private key stealing code added between May 13th and July 12th.
  
  Indicators: https://api[.]dashcoinanalytics[.]com/stats.php
  

• Up to 100 crypto exchanges worldwide could be affected - a number of exchanges around the world may have lost funds after AlphaPoint, a New York based white label provider of cryptocurrency exchange services, was compromised with a spear-phishing and sim-swapping campaigns. Bitcoins Norway, Foxbit, Coinext, FlowBTC, Casa do Bitcoin, and other exchanges were among those affected.

• Monroe College Hit With Ransomware, $2 Million Demanded - yet another ransomware attack was reported on Wednesday, July 10th asking with a ransom of 170 BTC ($2 million).

Phishing:

• Facebook’s Libra Cryptocurrency: Cybercriminals tipping the scales in their favor - the hype around Libra coin has triggered a number of phishing domains getting registered with some of them already scamming users to make an early purchase of the coin.

Vulnerabilities:

• The 0x vulnerability, explained - on July 12th, 2019 a critical bug in signature verification caused 0x to shut down the v2 exchange. The vulnerable function accepted a magic value 0x04 as a valid signature for non smart contract accounts. According to the postmortem, there was no evidence that the vulnerability was exploited and the 0x Core Team has patched the vulnerability in the span of a couple of hours.

• CosmosSDK Security Advisory 05-30-2019 - a high severity vulnerability in the staking module was patched on the Cosmos network which allowed malicious actors to bypass token slashing for bad behavior. The bug was actively exploited on the network. A patch and an advisory were released within two days after the team learned of the vulnerability.

Be safe and see you all next week for another issue of Blockchain Threat Intelligence newsletter.

Another quiet week with just a couple of news on critical vulnerabilities in Trezor hardware wallets and Monero. If you are planning to go to Defcon this year, stop by the Blockchain Village for plenty of talks on the blockchain security topics.

Bugs:

• Unfixable Seed Extraction on Trezor - A practical and reliable attack - a critical and unpatchable flaw was found in the Trezor family of hardware wallets which allows a technically sophisticated attacker to extract the master seed. The attack requires physical access to the device. The vulnerability is partially mitigated if a separate strong passphrase is set on top of the master seed to generate HD wallet keys. Trezor wallet team has stated that they were aware of the risk since the design phase.

• Monero security flaw could’ve seen XMR stolen from cryptocurrency exchanges - nine security vulnerabilities were disclosed as part of Monero’s bug bounty program including multiple DoS vulnerabilities and a critical flaw that could trick monero-wallet into thinking that it received arbitrary amount of XMR.

Events:

• Defcon 27 - Blockchain Village - CFP was announced for the upcoming blockchain village with the theme “Blockchain for Security” and “Security for Blockchain”.

• Breaking Bitcoin Training - additional training videos were released from the blockchain security conference last month.

This wraps it up for the quick update in the world of blockchain threat intelligence.

Several arrests were reported this week in UK, Netherlands, and Israel, $4.5 million in crypto assets were stolen from a major exchange in Singapore, and another Florida city settled a ransomware demand to get their computers back online. The increased number of ransomware attacks and folks choosing to pay off attackers appears to be a new trend for this month.

News:

• 6 Arrested in the UK and Netherlands in €24 million cryptocurrency theft - arrests made as a result of an investigation into typo-squatting domains targeting popular cryptocurrency exchanges around the world.

• Two Israeli brothers arrested for phishing and participating in a 2016 hack of Bitfinex - a major arrest of the actors behind various cryptocurrency compromises including the Bitfinex hack amounting to $100 million. The two brothers have allegedly used various phishing tactics, wallet malware, and other techniques.

• Second Florida city pays giant ransom to ransomware gang in a week - another small city in Florida paid 42 BTC ($500,000) in ransom. It is interesting that in both cases the ransom was negotiated and paid by the insurance provider — The League of Cities.

Hacks:

• Hacker steals $4.5 million from Bitrue cryptocurrency exchange - On June 26th, 2019, a malicious actor was able to exploit a vulnerability in Bitrue exchange to steal 9.3 million XRP and 2.5 million ADA coins. The exchange released a notification about the hack on Twitter in about 1 hour after the breach was detected, included attacker’s wallet address, and regular updates on the investigation. Great job on communicating during the incident, Bitrue!
  
  Indicators:
  Attacker’s XRP wallet: rwSvajJ4ZNhjgzcfaJWkEuLh4VURTFHuka

Tools:

• EVulHunter - a new static analysis tool for EOS smart contracts was just released along with a paper and a video demonstration. The tools is based on the Octopus project.

Never a dull day in the blockchain security. See you all in next week’s blockchain threat intelligence!

No hacks reported this week but an alarming report came from Coinbase exchange about getting targeted by a spear-phishing campaign and two 0day exploits. Several new malware families were also reported including a clever miner hiding in a pirated copy of an audio synthesizer software.

News:

• Firefox zero-day was used in attack against Coinbase employees, not its users - two weaponized 0day vulnerabilities were used in a targeted spear-phishing campaign against Coinbase employees. The malicious email would direct users a web page which would attempt to download and execute a first stage malware designed to steal user credentials and collect data about the environment. The attack was detected and blocked by Coinbase Security.

• Florida city pays $600,000 to ransomware gang to have its data back - the latest city-wide ransomware attack has ended with attackers getting paid 65 BTC. The city’s critical infrastructure including 911 dispatch were paralyzed as a result of the hack which contributed to the city making the decision to pay the ransom.

• QuadrigaCX founder used aliases, moved assets into personal accounts - more information was released regarding the failed exchange as a result of Ernst and Young audit. Gerald Cotten was revealed to have made massive transfers of investor funds to his personal accounts on other exchanges before his trip to India.

Bugs:

• Upcoming disclosure of pre-v0.17.1 vulnerabilities - two minor security vulnerabilities (CVE-2017-18350 and CVE-2018-20586) were patched in the most recent version of Bitcoin Core node software.

Malware:

• LoudMiner: Cross‑platform mining in cracked VST software - a really interesting cryptominer sample which came bundled with pirated copies of VST software. VST (Virtual Studio Technology) is a resource intensive audio synthesizer making it ideal to mask mining software. The miner itself was bundled as a QEMU virtual machine making it easy to execute on a variety of platforms and providing a degree of obfuscation.
  
  Indicators:
  vstcrack[.]com (137[.]74.151.144)
  d-d[.]host (185[.]112.158.44)
  d-d[.]live (185[.]112.156.227)
  d-d[.]space (185[.]112.157.79)
  m-m[.]icu (185[.]112.157.118)
  (see the link above for additional indicators)
  

• Malware sidesteps Google permissions policy with new 2FA bypass technique - a new Android malware sample capable of accessing one-time passwords (OTPs) in SMS 2FA messages bypassing previous SMS restrictions. The malware impersonates BtcTurk exchanges and designed to steal credentials for the service.
  
  Indicators:
  Android/FakeApp.KP
  btcturk.pro.beta 8C93CF8859E3ED350B7C8722E4A8F9A3
  com.app.btsoft.app 843368F274898B9EF9CD3E952EEB16C4
  com.app.elipticsoft.app 336CE9CDF788228A71A3757558FAA012
  com.koinks.mobilpro 4C0B9A665A5A1F5DCCB67CC7EC18DA54
  

• Plurox: Modular backdoor - a new modular malware family which supports a number of crypto miner plugins depending on CPU/GPU capabilities of an infected system.

  Indicators:
  178.21[.]11.90
  185.146[.]157.143
  37.140[.]199.65
  194.58[.]92.63
  obuhov2k[.]beget[.]tech
  webdynamicname[.]com
  37.46[.]131.250
  188.93[.]210.42

• Cryptocurrency-Mining Botnet Malware Arrives Through ADB and Spreads Through SSH - a new mobile malware sample targeting both x86 Linux hosts and Android devices. The malware was mostly discovered in South Korea.
  
  Indicators:
  45[.]67[.]14[.]179
  http://198[.]98[.]51[.]104:282

Research:

• ‘Move’ Programming Language: The Highlight of Libra - an interesting article into various security features offered by the Move smart contract programming language for the upcoming Libra cryptocurrency.

• Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques - a good survey of a variety of infection techniques used by malware to steal and mine crypto on compromised hosts.

That’s all for this week’s threat intelligence report. Stay safe and see you next week!

In a quick break from a constant stream of compromises and malware, this week had a number of interesting research articles including a novel application of Rowhammer to leak private keys, a fun malware obfuscation technique using certificate files, and a ton of awesome research coming from the Breaking Bitcoin conference (check out links to videos below).

Events:

• Breaking Bitcoin - Day 1 and Day 2 videos of the conference were released this week. You can also find talk transcripts here. Some of the talks include analysis of Bitcoin privacy techniques, Bitcoin core build system security, extracting seeds from hardware wallets and many others.

Hacks:

• Gatehub Phishing Emails - malicious actors are attempting to exploit the recent news of the Gatehub hack by enticing users to send their XRP to fake Gatehub addresses.
  
  Indicators:

  Phishing wallet: r9V1Sz1ZSHC1ApwD1rdN71HWjPaLGWPZAX
  Phishing domains:

  http://www.getahub[.]net/
https://www.getehub[.]com/ 
https://www.gatahub[.]net/
http://www.getehub[.]net/
http://gattehub[.]net/ 
https://gatehab[.]com/ 

Malware:

• Outlaw Hacking Group’s Botnet Observed Spreading Miner, Perl-Based Backdoor - a detailed analysis of still in development backdoor and Monero miner written in Perl. As noted by TrendMicro analysts, the malware codebase does not yet appear to be complete with may parts still left unexecuted. The researchers have also noted an APK file found on one of the C2 servers which may indicate future attacks targeting Android devices.
  
  Indicators:
  146[.]185[.]171[.]227:443 C&C for Backdoor.Perl.SHELLBOT.AB
  5[.]255[.]86[.]129:3333 C&C for Backdoor.Linux.SSHDOOR.AB
  54[.]37[.]70[.]249/.satan
  54[.]37[.]70[.]249/rp
  hxxp://54[.]37[.]70[.]249/.x15cache
  hxxp://54[.]37[.]70[.]249/dota2.tar.gz
  hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk APK file
  hxxp://mage[.]ignorelist[.]com/dota.tar.gz
  mage[.]ignorelist[.]com
  zergbase[.]mooo[.]com

• CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner - A deserialization vulnerability in Oracle WebLogic server is used to deploy a cryptominer malware. The attack is particularly interesting due to its use of Windows CertUtil to obfuscate on of the downloaded payloads.
  
  Indicators:
  sysguard.exe-upx (TROJ_GEN.R002C0GDM19)
  e4bc026aec8a76b887a8fc48726b9c48540fc2aa76eb8e61893da2ee6df6ab3a

  sysupdate.exe (Coinminer.Win64.TOOLXMR.SMA)
  4b9842b6be35665174c78c3e4063c645bd6e10eb333f68e4c7840fe823647bdf

  update.ps1 (Trojan.PS1.MALXMR.MPA)
  c30f42e6f638f3e8218caf73c2190d2a521304431994fd6efeef523cfbaa5e81

  cert.cer (Coinminer.Win32.MALXMR.TIAOODCJ.component)
  3a567b7985b2da76db5e5a1d5554f7c13f375d88a27d6e6d108ad79e797adc9a
  
  hxxp://139[.]180[.]199[.]167:1012/clean[.]bat
  hxxp://139[.]180[.]199[.]167:1012/config[.]json
  hxxp://139[.]180[.]199[.]167:1012/networkservice[.]exe
  hxxp://139[.]180[.]199[.]167:1012/sysguard[.]exe
  hxxp://139[.]180[.]199[.]167:1012/sysupdate[.]exe
  hxxp://139[.]180[.]199[.]167:1012/update[.]ps1
  hxxp://45.32.28.187:1012
  hxxp://45.32.28.187:1012/cert.cer
  hxxps://pixeldrain[.]com/api/file/bg2Fh-d_
  hxxps://pixeldrain[.]com/api/file/cGsOoTyb
  hxxps://pixeldrain[.]com/api/file/cGsOoTyb/wujnEh-n1
  hxxps://pixeldrain[.]com/api/file/DF1zsieq1
  hxxps://pixeldrain[.]com/api/file/TyodGuTm

Research:

• Researchers use Rowhammer bit flips to steal 2048-bit crypto key - the latest application of the well known attack to steal private keys from memory. Instead of trying to flip bits in memory, researchers from the University of Michigan, Graz University of Technology, and the University of Adelaide and Data61 have instead used the technique as an effective side channel attack called RAMBleed. The article discusses several defenses which make the attack harder such as ECC and TRR.

• A Formal Treatment of Deterministic Wallets - a research study into a new ECDSA-based hot/cold wallet scheme based on the BIP32 standard.

• A Huge List of Cryptocurrency Thefts - an awesome collection of major compromises including their root cause and monetary cost. The list starts from Mt.Gox in 2011 and goes all the way to the more recent Binance hack in May, 2019.

Hope you enjoyed all the fun research articles and conference videos mentioned in this edition of Blockchain Intelligence. See you all next week.