Week 19, 2019

Binance | CORA | TRX | Confluence

This week’s news was dominated by the high-profile Binance hack, the largest exchange yet in the continuing series of compromises. In this edition of the intelligence report I will discuss what went right and wrong with the way Binance handled the incident, give an update on the Tron backdoor from last week, cover a couple of critical bugs, and review the latest cryptominer malware trends.

News:

  • Crypto Traders Ponder Blacklist to Keep Scammers, Thieves at Bay - a Bloomberg article on the recent CORA (Crypto OTC Roundtable Asia) meeting in Chicago on increasing trust in the crypto ecosystem. Attendees discussed creating both a whitelist of crypto businesses in good standing and a blacklist of known malicious parties, to be shared among members.

Hacks:

  • Binance Security Breach - On May 7, 2019, Binance disclosed a breach resulting in the loss of approximately 7,000 BTC (about $40 million). According to the official report, the actors used a variety of advanced techniques, including phishing and malware. Analysis of the BTC transaction from the breach revealed that the attacker consolidated the stolen bitcoin into seven addresses and avoided moving them to other exchanges right away. You can track the movement of the stolen funds on Sentinel Protocol’s incident tracker.

    Several things went well with the incident. Only two hours passed between the transaction above and the public notification, an excellent level of transparency that Binance maintained throughout the investigation. It was also great to see the community coming together to support CZ and Binance! On the other hand, the initial unscheduled-server-maintenance communication was misleading, and a tweet made under high stress about using a chain re-org to recover the funds resulted in a backlash. Jimmy Song has a write-up on why a re-org is not the right strategy in the case of a compromise.

    Binance is planning to resume external deposits and withdrawals on Tuesday. With only a week elapsed since the hack, it remains to be seen whether enough time has passed to fully investigate and evict the attackers.

  • TRX Pro Backdoor Report - a detailed timeline and report explaining how, and by whom, the Tron smart contract was backdoored and later exploited. According to the report, the attacker ran an online Tron IDE at http://tronsmartcontract[.]space and used it to insert a backdoor at compile time. The attacker also spoofed the contract verification check on the site to trick the TRX Pro developers into thinking everything was fine. The incident illustrates the importance of independent, third-party verification of a contract’s code and behavior after it is deployed, on Tron and on other platforms.

Bugs:

Malware:

This concludes the threat intelligence for this week. Stay safe out there, and good luck if you are one of the now 60k hunters of Satoshi’s Treasure.

Week 18, 2019

Outlook | XRP | TRON | Stellar

Welcome to this week’s newsletter! My feeds were filled with news about different variants of crypto malware, ranging from traditional cryptominers to more exotic mnemonic phrase stealers and fake QR code generators. Electrum is still getting pounded by the DDoS botnet. Several interesting hacks were reported, such as an “accidental” exploitation of a backdoored TRON smart contract, an exchange mishandling a unique XRP feature and losing $2 million as a result, and, last but not least, a string of exchange account compromises stemming from the recent Outlook email breach. Finally, the long-awaited research paper on Stellar weaknesses was released and confirmed our earlier speculation that the network is at risk of failure due to over-reliance on just three validators.

News:

  • Cryptocurrency Anti-Money Laundering Report, 2019 Q1 - a detailed report from CipherTrace covering trends in the cryptocurrency ecosystem: upcoming exchange and digital asset regulations, the use of cryptocurrencies by rogue regimes and criminal organizations, and an overview of the most recent exchange compromises, exit scams, and fraud cases, which together resulted in a $1.3 billion loss.

Malware:

Hacks:

  • Microsoft Outlook Email Breach Targeted Cryptocurrency Users - according to several user reports, the recent Microsoft Outlook breach has resulted in the compromise of a number of exchange accounts.

  • 7 million XRP ($2 million) stolen from Bitopro exchange - just days after adding XRP to its platform, Bitopro was successfully exploited through mishandling of the XRP Ledger’s partial payments feature. In this exploit scenario, a large amount of XRP is sent to an exchange in a Payment transaction with the tfPartialPayment flag set, while the delivered_amount in the transaction’s metadata is significantly smaller. A vulnerable exchange that credits the transaction’s Amount field, instead of checking the partial payment flag and using delivered_amount, credits the attacker with the full amount; the attacker then swaps those funds and moves them off the platform. In Bitopro’s case the attacker made a series of partial payment deposits, which were apparently accepted by the exchange. The same attacker has made similar transfers to a number of other exchanges over the past few months, including OOOBTC, BTCexchange, Changelly, Coinvest Plus, and others.

  • 26 million TRX ($600k) stolen - on May 3rd a Tron user, wojak, triggered a vulnerability (or an intentional backdoor) in TronBank’s TRX Pro smart contract and transferred out 26.73 million TRX. The flaw was triggered by transferring exactly 0.011911 TRX, which caused the contract to send its entire balance. The TRX Pro developers deny any backdoor claims; however, analysis of the contract’s bytecode confirms a check for a transfer amount of 0x2E87, i.e. 11,911 sun or 0.011911 TRX, which triggers the contract to dump its entire balance to the sender.
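
The Bitopro entry above comes down to one deposit-crediting decision: value the deposit by what the ledger delivered, not by what the sender asked for. What follows is an added example, not code from Bitopro or from the XRP Ledger project, showing the naive credit next to the safe one. The two transactions are constructed; the field names (Amount, SendMax, Flags, meta.TransactionResult, meta.delivered_amount) and the tfPartialPayment and tfFullyCanonicalSig flag values are those of the XRPL JSON format, and the account addresses are placeholders.

```python
"""Added example, not code from Bitopro or from the XRP Ledger project:
crediting an XRP deposit from a validated Payment transaction the naive way
and the safe way.  The two transactions are constructed; the field names
(Amount, SendMax, Flags, meta.TransactionResult, meta.delivered_amount)
are those of the XRPL JSON format, and the account addresses are placeholders."""

TF_PARTIAL_PAYMENT = 0x00020000      # Payment flag: deliver less than Amount if needed
EXCHANGE_ACCOUNT = "rEXCHANGEplaceholderHotWallet"   # assumed deposit address


def naive_credit(tx):
    """Vulnerable pattern: credit tx.Amount.  With tfPartialPayment set,
    Amount is only the most the sender asked to deliver, not what arrived."""
    if tx.get("Destination") != EXCHANGE_ACCOUNT:
        return 0
    return int(tx["Amount"])


def safe_credit(tx):
    """Credit only what the ledger says was delivered, in drops.
    Returns 0 for failed or irrelevant transactions and raises when the
    deposit cannot be valued safely (never silently falls back to Amount)."""
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != EXCHANGE_ACCOUNT:
        return 0
    meta = tx.get("meta", {})
    if meta.get("TransactionResult") != "tesSUCCESS":
        return 0                                    # failed transactions move nothing
    delivered = meta.get("delivered_amount")
    if delivered == "unavailable":                  # rippled's value for very old history
        raise ValueError("delivered_amount unavailable; do not credit automatically")
    if delivered is None:
        # Only very old ledgers lack delivered_amount; never use Amount in its
        # place when the partial payment flag is set.
        if tx.get("Flags", 0) & TF_PARTIAL_PAYMENT:
            raise ValueError("partial payment without delivered_amount; do not credit")
        delivered = tx["Amount"]
    if not isinstance(delivered, str):
        raise ValueError("issued-currency delivery; this path credits XRP only")
    return int(delivered)                           # XRP amounts are decimal strings in drops


# Constructed attacker deposit: asks for 7,000,000 XRP, sets tfPartialPayment,
# pays with an issued currency (partial delivery only occurs on cross-currency
# paths), and the ledger actually delivers 1 XRP.
ATTACK_TX = {
    "TransactionType": "Payment",
    "Account": "rATTACKERplaceholder",
    "Destination": EXCHANGE_ACCOUNT,
    "DestinationTag": 12345,
    "Amount": "7000000000000",
    "SendMax": {"currency": "USD", "issuer": "rISSUERplaceholder", "value": "1"},
    "Flags": 0x80000000 | TF_PARTIAL_PAYMENT,     # tfFullyCanonicalSig | tfPartialPayment
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000000"},
}

# Constructed ordinary deposit of 500 XRP.
NORMAL_TX = {
    "TransactionType": "Payment",
    "Account": "rUSERplaceholder",
    "Destination": EXCHANGE_ACCOUNT,
    "DestinationTag": 777,
    "Amount": "500000000",
    "Flags": 0x80000000,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "500000000"},
}

if __name__ == "__main__":
    for name, tx in (("attack", ATTACK_TX), ("normal", NORMAL_TX)):
        print(f"{name}: naive credits {naive_credit(tx) / 1e6:,.0f} XRP, "
              f"safe credits {safe_credit(tx) / 1e6:,.0f} XRP")
```

The safe path refuses to guess: a partial payment that somehow lacks delivered_amount, or a delivery marked "unavailable", is raised for manual review rather than credited, and a non-string delivered_amount (an issued currency rather than XRP) is rejected by this XRP-only path instead of being coerced.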

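Both the TRX Pro backdoor report in the week 19 issue above and the TRX Pro entry in this issue reduce to one question a third party can answer from the chain alone: does the deployed bytecode compare the incoming call value against a hard-coded magic number? The following is an added example, not code from the incident report, from TronBank or from the Tron project: a minimal disassembler for EVM-compatible (TVM) bytecode that flags every place msg.value (CALLVALUE) is tested for equality with a pushed constant, and converts the constant from sun to TRX. The opcode table is abbreviated, and the sample bytecode is constructed to have the suspicious shape; it is not the deployed TRX Pro bytecode.

```python
"""Added example, not code from the incident report, from TronBank or from the
Tron project: a minimal disassembler for EVM-compatible (TVM) bytecode that
flags every place the contract compares the call value (msg.value) with a
hard-coded constant, the pattern the report found in the TRX Pro contract.
The opcode table is abbreviated and the sample bytecode is constructed for
this example; it is not the deployed TRX Pro bytecode."""
from decimal import Decimal

SUN_PER_TRX = 1_000_000          # 1 TRX = 1,000,000 sun; call values are in sun
OPCODES = {0x00: "STOP", 0x14: "EQ", 0x15: "ISZERO", 0x30: "ADDRESS",
           0x31: "BALANCE", 0x33: "CALLER", 0x34: "CALLVALUE", 0x52: "MSTORE",
           0x56: "JUMP", 0x57: "JUMPI", 0x5b: "JUMPDEST", 0xf1: "CALL",
           0xfd: "REVERT"}       # abbreviated; unknown bytes are still 1-byte ops


def disassemble(code):
    """Return (offset, mnemonic, operand) triples.  PUSH1..PUSH32 (0x60..0x7f)
    carry a 1..32 byte inline operand; every other opcode is a single byte."""
    ins, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7f:
            width = op - 0x5f
            operand = code[pc + 1:pc + 1 + width]
            if len(operand) < width:             # push truncated by end of code
                ins.append((pc, f"PUSH{width}", None))
                break
            ins.append((pc, f"PUSH{width}", int.from_bytes(operand, "big")))
            pc += 1 + width
        else:
            ins.append((pc, OPCODES.get(op, f"UNKNOWN_0x{op:02x}"), None))
            pc += 1
    return ins


def find_callvalue_checks(code):
    """Constants the code tests msg.value against with EQ, in either operand
    order (CALLVALUE PUSHn c EQ, or PUSHn c CALLVALUE EQ)."""
    ins = disassemble(code)
    found = []
    for i in range(2, len(ins)):
        if ins[i][1] != "EQ":
            continue
        a, b = ins[i - 2], ins[i - 1]
        for value_op, const_op in ((a, b), (b, a)):
            if (value_op[1] == "CALLVALUE" and const_op[1].startswith("PUSH")
                    and const_op[2] is not None):
                found.append(const_op[2])
    return found


def sun_to_trx(sun):
    return Decimal(sun) / Decimal(SUN_PER_TRX)


# Constructed bytecode with the suspicious shape: if msg.value == 0x2e87,
# jump to a path that reads the contract's own balance and the caller.
SAMPLE_CODE = bytes.fromhex(
    "6080604052"     # 0x00: PUSH1 0x80 PUSH1 0x40 MSTORE    (free-memory pointer setup)
    "34612e8714"     # 0x05: CALLVALUE PUSH2 0x2e87 EQ       (msg.value == 11911 sun?)
    "61000f57"       # 0x0a: PUSH2 0x000f JUMPI              (if so, jump to 0x0f)
    "00"             # 0x0e: STOP                            (normal path)
    "5b303133"       # 0x0f: JUMPDEST ADDRESS BALANCE CALLER (start of drain path)
    "00"             # 0x13: STOP
)

if __name__ == "__main__":
    for off, name, operand in disassemble(SAMPLE_CODE):
        print(f"{off:04x}  {name}" + (f" 0x{operand:x}" if operand is not None else ""))
    for c in find_callvalue_checks(SAMPLE_CODE):
        print(f"call value compared with 0x{c:x} = {c} sun = {sun_to_trx(c)} TRX")
```

A scanner like this is a triage aid, not a verifier: the check that actually matters, and the one the attacker's IDE spoofed, is compiling the published source yourself and comparing the result byte for byte with the runtime bytecode fetched from the chain, so that a compile-time insertion shows up as a mismatch no matter what form it takes.
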
Research:

  • Is Stellar as secure as you think? - a whitepaper discussing the risk of cascading failure in the Stellar network due to over-reliance on the three official nodes SDF1, SDF2, and SDF3 by most of the network’s quorum slices. The study presents evidence that, in the network’s current state, a failure of only two of the three SDF nodes would cause the rest of the network to fail. The Stellar Development Foundation responded to the study by publishing a blog post and, more importantly, by diversifying its own quorum slices. Even after these changes, however, the researchers claim that the network remains at risk of failure if all three official SDF nodes fail, indicating continued reliance on a single entity for network operation.
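
The cascading-failure argument above is mechanical enough to simulate. Below is an added example, not code from the paper or from the Stellar Development Foundation: a toy model of a federated Byzantine agreement network in which each validator's quorum slice is a single threshold over a set of validators (real Stellar quorum sets can nest), with a fixpoint loop that blocks any validator whose slice can no longer be met and then re-checks everyone else. The validator names and both network configurations are constructed for the example and are not the real network's configuration; the "diversified" configuration is built to show the paper's point that tolerating two SDF failures does not imply tolerating three.

```python
"""Added example, not code from the paper or from the Stellar Development
Foundation: a toy simulation of cascading failure in a Stellar-style
federated Byzantine agreement network.  A quorum slice is modelled as a
single threshold over a set of validators (real Stellar quorum sets can
nest); the validator names and both network configurations are constructed
for this example and are not the real network's configuration."""
from itertools import combinations

SDF = {"SDF1", "SDF2", "SDF3"}            # the three official SDF validators
OTHERS = {"A", "B", "C", "D", "E"}        # constructed third-party validators


def cascade(slices, failed):
    """Validators still able to assemble a live quorum slice once `failed`
    are down.  `slices` maps validator -> (threshold, set_of_validators).
    A validator is blocked when fewer than `threshold` members of its set
    are live; blocked validators then count as down for everyone else, so
    the check repeats until no further validator is blocked."""
    live = set(slices) - set(failed)
    while True:
        blocked = {v for v in live if len(live & slices[v][1]) < slices[v][0]}
        if not blocked:
            return live
        live -= blocked


def fatal_failure_sets(slices, size):
    """All `size`-validator subsets whose failure halts the entire network."""
    return [frozenset(c) for c in combinations(sorted(slices), size)
            if not cascade(slices, set(c))]


def sdf_reliant_network():
    """The over-reliance pattern: every validator, SDF nodes included,
    requires 2 of the 3 SDF nodes in its slice."""
    return {v: (2, set(SDF)) for v in SDF | OTHERS}


def diversified_network():
    """Slices requiring 4 of {SDF1-3, A, B, C}: survives any two SDF nodes
    failing but still dies if all three go down."""
    members = SDF | {"A", "B", "C"}
    return {v: (4, set(members)) for v in SDF | OTHERS}


if __name__ == "__main__":
    for label, net in (("SDF-reliant", sdf_reliant_network()),
                       ("diversified", diversified_network())):
        print(label)
        for failed in ({"SDF1"}, {"SDF1", "SDF2"}, SDF, {"SDF1", "A", "B"}):
            print(f"  fail {sorted(failed)}: survivors {sorted(cascade(net, failed))}")
        print(f"  fatal pairs: {[sorted(s) for s in fatal_failure_sets(net, 2)]}")
```

Two things the run makes visible: in the SDF-reliant network every fatal pair is a pair of SDF nodes, and in the diversified one a failure set that never touches D or E still takes D and E down, because once their slice members are blocked they have no live slice left, which is the cascade the paper describes.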

Never a dull day in cryptocurrency security! Thanks for joining me this week, and see you all next Monday for another issue of the blockchain intelligence report.

Week 17, 2019

ZeroCoin | Wallets | Beapy | Ledger

This week we will cover a critical vulnerability in the Zerocoin protocol, a research study into weak Ethereum wallets, and the latest news in cryptocurrency malware and crime.

News:

Attacks:

Research:

Hope you enjoyed this week’s newsletter. Stay safe and join me next week for the latest in blockchain threat intelligence.

Week 16, 2019

Fancy Bear | CEX | Electrum | EOS

Welcome to this week’s newsletter! The Mueller report was released and contains plenty of interesting revelations about the use of cryptocurrency by state actors, and about the investigators following their trail on the blockchain.

News:

Research:

  • Russia’s Bitcoin Hacking Funds — a well-researched article revealing the wallet addresses and tracing the cryptocurrency fund movements mentioned in the Mueller report above.

  • Electrum Bitcoin wallets under siege — an in-depth technical report on the evolution of Electrum wallet malware variants as well as the malware behind the ongoing DDoS campaign targeting the Electrum network.

  • EOS smart contract centralization risks — a new referendum on the EOS network to address a previously unpublicized security risk. By design, smart contract developers currently have complete control over token ownership, including the ability to freeze accounts and redirect transfers, and they can do so without Block Producer votes.

  • Signature Replay Vulnerabilities in Smart Contracts — an interesting discussion of a vulnerable design pattern: verifying message signatures without a nonce, which lets anyone resubmit a previously signed message and have it accepted again.
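
The replay pattern in the last item is easiest to see with a vault that pays out on a signed authorization. The following is an added example, not code from the referenced discussion: the vulnerable verifier that signs over (recipient, amount) only, next to a hardened one that binds the chain id, the vault's identity and a nonce into the signed message and burns the nonce on use. Python's standard library has no secp256k1, so an HMAC-SHA256 under a key held by the owner stands in for ECDSA sign/recover; the replay logic does not depend on that substitution. The key, vault id, chain id, recipient and amounts are all constructed.

```python
"""Added example, not code from the referenced discussion: a signature
replay bug in a meta-transaction style vault and the hardened version.
Python's standard library has no secp256k1, so an HMAC-SHA256 keyed by the
owner stands in for ECDSA sign/recover; the replay logic, which is what the
pattern is about, does not depend on that choice.  The key, vault id,
chain id, recipient and amounts are all constructed."""
import hashlib
import hmac

OWNER_KEY = b"constructed-owner-signing-key"
VAULT_ID = "vault-0xCAFE"   # stands in for address(this)
CHAIN_ID = 1                # stands in for the chain id


def sign(msg: bytes) -> bytes:
    return hmac.new(OWNER_KEY, msg, hashlib.sha256).digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


class VulnerableVault:
    """Authorizes a withdrawal with a signature over (to, amount) only.
    Nothing ties the signature to one use, so it can be resubmitted."""

    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, to, amount, sig):
        if not verify(f"{to}:{amount}".encode(), sig) or amount > self.balance:
            return False
        self.balance -= amount
        return True


class HardenedVault:
    """Signs over (chain id, vault id, to, amount, nonce) and records used
    nonces, so each signed authorization is honoured at most once and cannot
    be replayed against another vault or chain that trusts the same key."""

    def __init__(self, balance):
        self.balance = balance
        self.used_nonces = set()

    @staticmethod
    def message(to, amount, nonce):
        return f"{CHAIN_ID}:{VAULT_ID}:{to}:{amount}:{nonce}".encode()

    def withdraw(self, to, amount, nonce, sig):
        if nonce in self.used_nonces:
            return False
        if not verify(self.message(to, amount, nonce), sig) or amount > self.balance:
            return False
        self.used_nonces.add(nonce)    # burn the nonce before paying out
        self.balance -= amount
        return True


def replay_demo():
    """Owner authorizes one 10-unit payout to alice; the attacker resubmits
    the same signature nine more times against each vault."""
    v = VulnerableVault(100)
    sig = sign(b"alice:10")
    assert v.withdraw("alice", 10, sig)
    vulnerable_replays = sum(v.withdraw("alice", 10, sig) for _ in range(9))

    h = HardenedVault(100)
    hsig = sign(HardenedVault.message("alice", 10, nonce=1))
    assert h.withdraw("alice", 10, 1, hsig)
    hardened_replays = sum(h.withdraw("alice", 10, 1, hsig) for _ in range(9))

    return {"vulnerable_balance": v.balance, "vulnerable_replays": vulnerable_replays,
            "hardened_balance": h.balance, "hardened_replays": hardened_replays}


if __name__ == "__main__":
    print(replay_demo())
```

On-chain, the used-nonce set is usually a per-signer counter that must increase, which costs one storage slot instead of one per authorization; the vault identity and chain id in the message are what stop the same signature from being accepted by a second deployment or on a fork.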

And this wraps up blockchain threat intelligence for this week. Stay secure, and good luck if you are hunting Satoshi’s Treasure. It looks like folks are making great progress.

Week 15, 2019

EOS | Stellar | China | TRON

This week we will focus on evolving security risks to several crypto assets: EOS undergoing a major governance shift, a potential availability issue discovered in Stellar, and an increased risk of reduced hash power for PoW assets due to China’s crackdown.

News:

Bugs:

Hacks:

Products:

Research:

That is all for this week in blockchain threat intelligence. On the fun side, check out Crypto, the movie. This direct-to-DVD flick is a bit cheesy but still fun to watch.