This week’s news were dominated with the high profile Binance hack, the largest exchange in the continuing series of compromises. In this edition of the intelligence report I will discuss what went right and wrong with the way Binance handled the incident, an update on the Tron backdoor from last week, a couple of critical bugs, and the latest in the cryptominer malware trends.

News:

• Crypto Traders Ponder Blacklist to Keep Scammers, Thieves at Bay - a Bloomberg article on the recent CORA (Crypto OTC Roundtable Asia) meeting in Chicago on increasing trust in the crypto ecosystem. The attendees have discussed creating both a whitelist of good standing crypto businesses as well as a blacklist of known malicious parties to share among members.

Hacks:

• Binance Security Breach - On May 7, 2019 Binance has shared the news about a breach resulting in a loss of approximately 7000 BTC ($40 million). Based on the official report, the actors were using a variety of advanced techniques including phishing and malware. The analysis of the BTC transaction from the breach has revealed that the attacker has consolidated stolen Bitcoin into seven addresses and avoided immediately moving them to other exchanges. You can track the movement of stolen funds on Sentinel Protocol’s incident tracker.
  
  Several things went well with the incident. Only 2 hours have passed between the transaction above and the public notification, an excellent level of transparency that Binance kept up throughout the investigation. It was also great to see the community coming together to support CZ and Binance! On the other hand, the initial unscheduled server maintenance communication was misleading. The tweet made in the time of high stress on the use of re-org to recover funds has resulted in a backlash. Jimmy Song had a writeup on why this is not the right strategy in case of a compromise.
  
  Binance is planning to resume external deposits and withdrawals on Tuesday. With only a week elapsed since the hack, it also remains to be seen if a sufficient time has passed to fully investigate and kick out the attackers.

• TRX Pro Backdoor Report - a detailed timeline and report explaining how and who backdoored the Tron smart contract and later exploited it. According to the report, the attacker was running an online Tron IDE called http://tronsmartcontract[.]space which he used to add a backdoor at compilation time. The attacker has also spoofed the contract verification check on his site to trick TRX Pro developers into thinking that everything is fine. The incident illustrates the importance of 3rd party code and behavior verification after the contract is deployed on the Tron and other platforms.

Bugs:

• Critical Vulnerability in MakerDAO - a technical writeup on the vulnerability in the MakerDAO governance protocol that could result in a malicious actor removing votes and indefinitely locking user’s MKR tokens. PeckShield has an additional writeup of the vulnerability with source code analysis.

• TRON suffered from a critical bug that could’ve crashed its entire blockchain - a HackerOne report was made public documenting a DoS vulnerability in the way deploy contract function handles large decimals.

Malware:

• CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit - a detailed writeup from Trend Micro on the Linux malware exploiting Confluence to set up XMRig Monero miner. It’s interesting that the malware comes with a rootkit to hide CPU usage and TCP connections.

This concludes the threat intelligence for this week. Stay safe out there and good luck if you are one of the now 60k hunters for the Satoshi’s Treasure.

Welcome to this week’s newsletter! My feeds were filled with news about different variants of crypto malware ranging from traditional cryptominers to more exotic mnemonic phrase stealers and fake QR code generators. Electrum is still getting pounded by the DDoS botnet. Several interesting hacks were reported such as an “accidental” exploitation of a backdoored TRON smart contract, an exchange mishandling unique XRP features resulting in a $2 million loss, and last but not least a string of exchange account compromises coming from the recent Outlook email breach. Finally, the long expected research paper on Stellar weaknesses was released and confirmed our previous speculations on the network being at risk of failure due to over-reliance on just three validators.

News:

• Cryptocurrency Anti-Money Laundering Report, 2019 Q1 - a detailed report from CipherTrace covering trends in the cryptocurrency ecosystem such as upcoming exchange and digital assets regulations, the use of cryptocurrencies by rogue regimes and criminal organizations, overview of the most recent exchange compromises, exit scams, and fraud cases resulting in $1.3 billion loss.

Malware:

• The Continuing Evolution of the Shellbot Cryptomining Malware - a new variant of a Linux-based malware can now shut down competing miners on compromised systems. Shellbot propagates using an SSH brute forcer module. The primary payload is a modified XMRig miner configured to mine Monero using MoneroHash pool. The malware is unique in its use of Perl and a now uncommon IRC protocol for command and control.

• Electrum DDoS botnet reaches 152,000 infected hosts - a MalwareBytes article on the malware and infrastructure behind the Electrum DDoS botnet.

• Ledger seed phrase stealing malware - Ledger shared news about a targeted Windows only malware which attempts to trick users into revealing their recovery mnemonic phrase.

Hacks:

• Microsoft Outlook Email Breach Targeted Cryptocurrency Users - according to several user reports, the recent Microsoft Outlook breach resulted in the compromise of several exchange accounts.

• 7 million XRP ($2 million) stolen from Bitopro exchange - just days after adding XRP to its platform, Bitopro exchange was successfully exploited due to mishandling of XRP’s partial payments feature. In this exploit scenario a large amount of XRP is sent to an exchange in a transaction with the tfPartialPayment flag set and a significantly smaller delivered_amount value. A vulnerable exchange which does not properly check for the partial payments flag credits attacker’s account who proceeds to swap and move these funds off the platform. In the case of Bitopro the attacker made a series of partial payment deposits which were apparently successfully accepted by the exchange. The same attacker has also made similar transfers to a number of other exchanges including OOOBTC, BTCexchange, Changelly, Coinvest Plus, and others over the past few months.

• 26 million TRX ($600k) stolen - on May 3rd a Tron user wojak triggered a vulnerability (or an intentional backdoor) in TronBank’s TRX Pro smart contract to transfer 26.73 million TRX. The flaw was triggered by transferring exactly 0.011911 TRX which resulted in the contract transferring its entire balance. TRX Pro developers refute any backdoor claims; however, the analysis of contract’s bytecode confirms a check for the transfer amount 0x2E87 or 0.011911 TRX which in turn triggers the entire contract to dump its balance to the sender.

Research:

• Is Stellar as secure as you think? - a whitepaper discussing the risks of cascading failure in the Stellar network due to over-reliance on the three official nodes SDF1, SDF2, and SDF3 by most of the network’s quorum slices. The study presents evidence that in the current network state a failure of only two of the three SDF nodes would result in the rest of the network failing. Stellar Development Foundation has responded to the study by publishing a blog post and more importantly diversifying their own quorum slices. However, even with the recent changes, researchers claim that the network is still at a risk of failure if all three of the official SDF nodes fail indicating a persistent state of reliance on a single entity for network operation.

Never a dull day in cryptocurrency security! Thanks for joining me this week and see you all next Monday for another issue of the blockchain intelligence report.

This week we will cover a critical vulnerability in Zerocoin protocol, a research study into weak Ethereum wallets, as well as the latest news in cryptocurrency malware and crime.

News:

• Cryptocurrency thief who stole millions from Silicon Valley entrepreneur gets 10 years in prison — a culmination of a SIM swapping crime spree that plagued many cryptocurrency users relying on the insecure SMS protocol for two-factor authentication.

• Hamas shifts tactics in bitcoin fundraising, highlighting crypto risks— a renewed interest in using cryptocurrency to sponsor the terrorist organization. The newly designed donation website shows an increased technical sophistication by generating a new address for every transaction in order to increase privacy.

Attacks:

• Further Disclosure on Zerocoin vulnerability — more details released on the recently exploited cryptographic flaw in the Zerocoin protocol used to forge/inflate new coins. The Zcoin team has released an emergency update to disable Zerocoin until the launch of a replacement protocol.

• Ledger Live Desktop Malware — a new key-stealing malware is spreading targeting Ledger’s desktop software. Once launched, the malware attempts to social engineer users to enter their 24-word mnemonic key before sending it to the attacker.

Research:

• Ethercombing: Finding Secrets in Popular Places — a fascinating research study by ISE into the prevalence of wallets generated with weak keys and an accidental discovery of a ‘blockchain’ bandit who was emptying them. Unlike previous research into guessable brain wallets, the methodology used in the study focuses on key weakening due to truncation.

• Beapy: Cryptojacking Worm Hits Enterprises in China —a threat intelligence report from Symantec on the cryptojacking campaign and the associated malware. The malware uses EternalBlue exploit and other techniques to propagate across Windows machines in the enterprise, but still relies on email as the initial infection vector. You can find more indicators of compromise here.

• Protect Your Solidity Smart Contracts From Reentrancy Attacks — a good survey of different types of reentrancy attacks and preventative measures one can take to avoid them.

Hope you enjoyed this week’s newsletter. Stay safe and join me next week for the latest in blockchain threat intelligence.

Welcome to this week’s newsletter! The Mueller report was released and contained plenty of interesting revelations about the use of cryptocurrency by both state actors and also investigators following their trail on the blockchain.

News:

• Cybercrime and Cryptocurrency in the Mueller Report — the report contains detailed investigation of hacking and dumping operations by the Fancy Bear APT group. It was particularly interesting to read about the widespread use of cryptocurrency (page 36) to fund hacking operations as well as trying to hide their source by mining Bitcoin on CEX.io instead of purchasing it. This opens up a potential new threat to exchanges and miners from financially unmotivated actors interested in obtaining a relatively anonymous source of funds to sponsor their operations. On the other hand, the use of cryptocurrency has also enhanced the investigation and attribution thanks to blockchain forensics.

• Japanese Regulators to Introduce New Rules Regarding Exchanges’ Cold Wallets — a new set of regulations to help establish minimum security requirements following several exchange hacks.

• Crypto Exchanges Collaborate With Bithumb to Freeze Stolen Funds After Major Hack — a great sign of increased maturity in the industry where multiple exchanges have joined forces against thieves to locate and freeze stolen funds.

Research:

• Russia’s Bitcoin Hacking Funds — a well researched article revealing wallet addresses and cryptocurrency funds movements mentioned in the Mueller report above.

• Electrum Bitcoin wallets under siege — an in-depth technical report on the evolution of Electrum wallet malware variants as well as the malware behind the ongoing DDoS campaign targeting the Electrum network.

• EOS smart contract centralization risks — a new referendum on the EOS network to address a previously unpublicized security risk. By design, smart contract developers currently have complete control over token ownership including the ability to freeze accounts and redirect transfers. These actions can be performed by the smart contract developers without the need for Block Producer votes.

• Signature Replay Vulnerabilities in Smart Contracts — an interesting discussion of a vulnerable design pattern when checking message signatures without nonces.

And this wraps up blockchain threat intelligence for this week. Stay secure and good luck if you are hunting the Satoshi’s Treasure. It looks like folks are making great progress.

This week we will focus on evolving security risks to several crypto assets such as EOS undergoing a major governance shift, a potential availability issue discovered in Stellar, and an increased risk for reduced hash power for PoW assets due to China’s crackdown.

News:

• Block Producers change EOS constitution following voting gridlock— a major change to the governance of the EOS network with several security implications. The primary motion was to remove ECAF, an unelected arbitration body known to issue resolutions to freeze and transfer ownership of hacked accounts as well as revert malicious transactions. These capabilities are still available and may be used by the 21 elected block producers (BPs). However, according to the new constitution, BPs are no longer obligated to help with future cases of account compromise or hacks.

• China Plans to Ban Cryptocurrency Mining in Renewed Clampdown — a possible decrease in hash power may present a threat to the resistance of Proof of Work cryptocurrencies against 51% attacks. This is consistent with previous crackdown threats by China against miners, exchanges, and ICOs over the past years.

• Binance Partners with CipherTrace to Further Strengthen Compliance Culture — an interesting announcement that should help Binance boost its AML and blockchain investigation capabilities.

Bugs:

• Is Stellar As Secure As You Think? — an upcoming paper was announced that analyzes a risk of cascading failure in the Stellar network if just 2 validators are shut down. The paper may be referring to the over dependency of the Stellar network on the three official Stellar Nodes. The Stellar Development Foundation (SDF) has been recently diversifying their quorum sets to include more non-SDF validators.

• Fatal TransferMint Bug in Multiple TRC20 Smart Contracts — a vulnerability pattern was discovered by PeckShield team in several TRON contracts implementing TRC20 which can result in token inflation.

Hacks:

• Can a Hardware Wallet Get Phished? — details of a phishing attack targeting Trezor hardware wallet.

• Malicious browser extension targeting MyEtherWallet, Binance, Coinbase, and LocalBitcoins— a detailed thread on cookie and private key stealing browser extension.

Products:

• FireWall.X Mitigates the Risk of Attacks for Apps — an article discusses a novel solution by the SlowMist team to help defend EOS smart contracts. By embedding the FireWall.X library in a smart contract you can detect known bad actors and unwanted token transfer behavior.

Research:

• Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges — a fascinating paper and a corresponding website explore several fraud and security risks introduced by decentralized exchanges (DEX). They document several ongoing gas-replacement and front-running tricks currently being abused by bots as well as increasing incentives for miners to manipulate blocks, transaction ordering to manipulate trades.

That is all for this week in blockchain threat intelligence. On the fun side, check out Crypto, the movie. This direct to DVD flick is a bit cheesy but still fun to watch.