We are all recovering from last week’s epic Twitter hack so this week’s edition is full of research articles and workshop recordings to help you relax and recharge.

News

• Woz is suing Youtube to get better at taking down “Bitcoin Giveaway” scams.

Malware

• New malware framework from Lazarus APT which frequently targets cryptocurrency businesses. MATA: Multi-platform targeted malware framework. The malware supports Windows, Linux, and MacOS operating systems and has backdoor, process and file manipulation, proxy, and DLL injection capabilities.

Research

• Ethereum Foundation’s Eth 2.0 Attacknets contest has the first winner who was able to break finality for 16 epochs! Details are now available here.

• Ethereum mempool may have been intentionally manipulated in order to cause congestion and win over 1000 zero-bid auction on MakerDAO during March’s Black Thursday event.

• Video recording of ISSTA 2020 Workshop on Smart Contract Analysis:
  00:00:00 - Ethainter: A Smart Contract Security Analyzer for Composite Vulnerabilities -- Neville Grech
  00:30:19 - SMT-Based Effective Formalization of Reference Types in Solidity -- Ákos Hajdu
  01:00:42 - Verification of Parameterized Smart Contracts -- Arthur Scott Wesley 01:38:42 - Echidna: Effective, Usable, and Fast Fuzzing for Smart Contracts -- Gustavo Grieco
  02:05:00 - VeriSol: Bringing Formal Verification to Solidity Smart Contract Developers -- Shuvendu K. Lahiri & Diego Garbervetsky
  02:41:07 - Rump

• He who controls the hashpower controls the PoW chain. The Alchemy of Hashpower explores different components of the mining market and discusses economic forces behind the total hash rate.

Fun

• Romantic Hacker. That’s the name of the upcoming South Korean TV series involving hackers, fictional cryptocurrency exchanges, and of course romance.

That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up to the minute news and see you all next week.

-Peter

This week was filled with news, reports, and speculations about the Twitter hack which luckily resulted in a minimum loss of funds relative to other major incidents this year. Additional details are available about the Cashaa exchange hack and Ethereum devs open a bug bounty program for the upcoming 2.0 upgrade.

Hacks

• On Wednesday July 15, 2020, Twitter.com experienced a mass scale attack resulting in the compromise of cryptocurrency related, celebrity, company accounts. Hijacked accounts were used to advertise a giveaway scam first hosted on a cryptoforhealth[.]com and after the site was taken down in the tweet itself:

  

  There are several reports about the perpetrators behind the attack. It boils down to a group of young adults who managed to social engineer Twitter employees to access internal tools. The attackers have used a similar scheme in many previous campaigns together with massive blobs of corrupted Unicode left over from a Russian phishing kit.

  

  Shortly after the scam campaign was over multiple blockchain analytics companies have started tracking stolen Bitcoin to mixing services, exchanges, and gambling sites. While the incident resulted in 130 Twitter accounts hijacked and about $120k worth of Bitcoin stolen this could have been a lot worse if not for a low sophistication of attackers, scam website quickly going down, and exchanges blocking sends to scammers’ addresses.

• Cashaa provided some updates on the incident last week. The theft reportedly came from an employee running OTC operations from his personal, malware infested machine while using a bunch on 3rd party wallets.

• Ethereum 2.0 developer is challenging White Hats to find bugs in the upcoming network upgrade.

Research

• Wendy, the Good Little Fairness Widget

• Lightning Sucks 2: Electric Boogaloo

• SmartBugs: A Framework to Analyze Solidity Smart Contracts

• Trivial Collisions in Iota’s Hash Function (Kerl)

• Following the Blockchain.com feerate recommendations - Wallet fingerprinting nearly a third of all Bitcoin transactions

• An Ever-evolving Game: Evaluation of Real-world Attacks and Defenses in Ethereum Ecosystem

Tools

• Ethereum 2.0 - Beacon Fuzzer

Thanks for joining me this week and see you in another edition of Blockchain Threat Intelligence newsletter. In the meantime, head over to /r/blocksec for up to date information on the current threats.

Continuing with the blockchain exploitation trend from last week, Bitcoin Gold has almost suffered a 51% attack if not for developers learning of a massive mining operation. Check out a thrilling incident report by Ravencoin folks racing against the clock to kick out attackers exploiting an inflation bug. Cashaa exchange had a few million dollars worth of crypto stolen and other news in this edition of BlockThreat.

Hacks

• On July 10, 2020 Bitcoin Gold developers announced an attempted 51% attack on their network. An attacker mined massive 1300 blocks on Nicehash in secret starting on July 1st. It is not clear how BTG developers learned of the impeding attack; however, they were able to secretly supply miners updated node software with a checkpoint at block height 640650. News of these actions were only made public after the attacker posted their chain on July 10th only to find their blocks dropped by legitimate miners. According to Crypto51.app, it costs only $297 per hour to attack Bitcoin Gold by renting hash power on NiceHash.

• Additional details have been posted about the Ravencoin inflation bug last week. In a detailed incident report, Ravencoin Vulnerability - WTF Happened?, asset developer has revealed that the bug was intentionally introduced by a throwaway Github account on January 15th, 2020. The malicious change was disguised as an addition of custom error messages while leaving out an important check which prevented minting of new RVNs. The minting has started in May and continued for months until they were accidentally discovered on June 29, 2020 by CryptoScope while debugging an issue in their blockchain explorer. After the discovery, Ravencoin developers went into a full incident mode until the fix that they have first secretly shared with RVN miners activated on July 4, 2020. By then, 300M RVN ended up on Binance and additional 7M RVN were traded away on OKEx. The race against the clock described in the incident report between developers trying to secretly push out the change and activate the soft fork while not tipping off the original and newer attackers is fascinating! Highly recommend the above read for many incident handling lessons and a gripping story telling by Tron Black.

• On July 10, 2020 Cashaa exchange lost 336 BTC after an attacker compromised one of its Blockchain.com wallets. No additional details are available.

Vulnerabilities

• Kraken Security Labs published two attacks for the newer Ledger Nano X hardware wallets. Both attacks rely on an insecure supply chain where a malicious party reflashes Ledger’s firmware. In the first scenario, Kraken researchers have reprogrammed Ledger to act as a keyboard to launch Kraken.com before booting into regular firmware. In the second scenario, a malicious firmware could turn off the display to aid in a social engineering attack. In both cases Ledger Live app reported device as genuine.

Research

• Ethereum Smart Contract Security Recommendations by Consensys.

• A survey of features introduced in Solidity v0.6.0 which help prevent common smart contract vulnerabilities such as reentrancy, mishandled exceptions, and others.

• Hunting for Re-Entrancy Attacks in Ethereum Smart Contracts via Static Analysis

• Decentralized Lightweight Detection of Eclipse Attacks on Bitcoin Clients

Tools

• Legions is a swiss army knife by Consensys Dilligence to interact with smart contracts and Ethereum nodes.

Fun

• What could be better than snakes on a plane? How about a 90s style flick about a billion dollars in crypto on an armored plane circling around the world while hosting an illegal gambling ring. Trailer.

Stay informed, stay healthy, and head over to /r/blocksec subreddit for blockchain security news through the week.

-Peter

Stand-alone blockchain vulnerabilities are rare but they still happen. Ravencoin was exploited with an inflation bug to mint 31M RVN while Tendermint patched up a DoS vulnerability. Another DeFi project was exploited to steal $900k. On the happier side of the week, our hero Harry hacked a phishing campaign C2 to save $5k worth of crypto for users who downloaded a fake wallet software.

Vulnerability

• Inflation bug was discovered and exploited in Ravencoin. $5.1M worth of RVN (31M coins or 1.5% of the total supply) were minted and already deposited to exchanges.

• A successfully exploited vulnerability in Vether resulted in $900k worth of VETH loss.

• Tendermint DoS vulnerability allowed block producers to include signatures for the wrong block resulting in a network halt on networks using the vulnerable version. The Cosmos network was using an unaffected version of Tendermint.

• A potential social engineering attack vector in Ledger Live wallet when dealing with Bitcoin’s Replace by Fee (RBF) transactions. The wallet increases user’s balance with the value of an unconfirmed transaction and does not decrease it when it is cancelled.

Research

• Harry’s quest to hack the phishers and save (and return) $5000 worth of crypto. The phish involved a fake Trust Wallet app on Google Play store and some really bad php code. You are my hero!

• Epicenter episode with Dan Guido: Trail of Bits - The Evolution of Smart Contract Security

• Ethainter - A Smart Contract Security Analyzer for Composite Vulnerabilities

Crime

• UCSF was forced to pay $1.14M or 116.4 BTC to ransomware attackers.

• Cryptocurrency Scam Book

Thanks for joining me this week and see you in another edition of Blockchain Threat Intelligence newsletter. Head over to /r/blocksec for up to date information on the current threats.

-Peter

Another week, another DeFi exploit or two. Unfortunately, this time the bad folks were able to steal $500k worth of tokens. It’s too bad Balancer devs dismissed an earlier bug bounty report. ClearSky released a detailed report on CryptoCore APT which is dedicated to breaking into cryptocurrency exchanges. On a more fun side checkout someone almost getting caught by a honeypot smart contract and submit your blockchain security related talk to Defcon’s Blockchain Village.

Vulnerabilities

• Two Balancer multi-token pools were exploited resulting in a loss of $500k. The attacker used a flash loan to exploit a vulnerability in the way Balancer deals with deflationary tokens. In the incident report by Balancer, the team revealed that the issue was reported to their bug bounty but dismissed as impractical to exploit.

• Two vulnerabilities were reported in Atomic Loans smart contracts which could allow a malicious borrower to unlock their BTC collateral without repaying their loan by front-running a loan cancellation transaction. The vulnerability was responsibly disclosed and patched by the developer.

Events

• Defcon’s Blockchain Village is back this year and its CFP is now open. Last year, the village featured a number of excellent blockchain security related talks and multiple CTF competitions.

Malware

• Another day, another XMR cryptojacking malware. Palo Alto published a report on two variants of Lucipher malware which use an arsenal of exploits targeting Windows hosts.

• A more stealth approach to cryptojacking uses malicious Docker images to mine Monero.

Crime

• CryptoCore APT threat intelligence report by ClearSky Security provides an in-depth analysis of group’s tactics, infrastructure, and indicators. CryptoCore has stolen approximately $200M over the last two years while attacking exchanges in United States, Japan, and other countries. The group is unique in its focus on cryptocurrency exchanges as opposed to more general financial APTs.

• Gone Phishing with Malware and Bitcoin analyzes DOJ’s forfeiture complaint against 113 cryptocurrency accounts used in a mass phishing campaign to spread North Korean Fallchill malware and infiltrate an exchange.

• $188 million in ETH tied to PlusToken Ponzi moves for first time since December

Research

• A fun writeup on a honeypot contract found on Ethereum.

• Double spend attacks in the PoS network is an interesting exploration of this common attack pattern on staking network.

• Counting Down Thunder: Timing Aacks on Privacy in Payment Channel Networks

• Minerva: The curse of ECDSA nonces

• CoinPolice: Detecting Hidden Cryptojacking Attacks with Neural Networks

• Remote Side-Channel Attacks on Anonymous Transactions

That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up to the minute news and see you all next week.

-Peter