In a quick break from a constant stream of compromises and malware, this week had a number of interesting research articles including a novel application of Rowhammer to leak private keys, a fun malware obfuscation technique using certificate files, and a ton of awesome research coming from the Breaking Bitcoin conference (check out links to videos below).
Breaking Bitcoin - Day 1 and Day 2 videos of the conference were released this week. You can also find talk transcripts here. Some of the talks include analysis of Bitcoin privacy techniques, Bitcoin core build system security, extracting seeds from hardware wallets and many others.
Gatehub Phishing Emails - malicious actors are attempting to exploit the recent news of the Gatehub hack by enticing users to send their XRP to fake Gatehub addresses.
Outlaw Hacking Group’s Botnet Observed Spreading Miner, Perl-Based Backdoor - a detailed analysis of a still-in-development backdoor and Monero miner written in Perl. As noted by the Trend Micro analysts, the malware codebase does not yet appear to be complete, with many parts still left unexecuted. The researchers also noted an APK file found on one of the C2 servers, which may indicate future attacks targeting Android devices. Indicators from the report (defanged):
146[.]185[.]171[.]227:443 C&C for Backdoor.Perl.SHELLBOT.AB
5[.]255[.]86[.]129:3333 C&C for Backdoor.Linux.SSHDOOR.AB
hxxp://54[.]37[.]70[.]249/fiatlux-1.0.0.apk APK file
CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner - a deserialization vulnerability in Oracle WebLogic Server is used to deploy cryptominer malware. The attack is particularly interesting because one of the downloaded payloads is disguised as a PEM certificate file and decoded on the host with the built-in Windows certutil.exe, a living-off-the-land trick that lets the payload pass through controls that only look at executable downloads.
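Two checks a defender can run against the certutil trick described above, as an added example (this is not code from the report or from the malware): flag certutil command lines that use its decode or download switches, and test whether a file wrapped in BEGIN/END CERTIFICATE armor actually decodes to a DER-shaped X.509 certificate rather than to something else, such as a PE file. The command lines, the fake certificate and the minimal DER blob are constructed for this example.

```python
"""Added example: triage for payloads smuggled inside fake certificate files and
decoded with certutil.exe. Sample inputs below are constructed, not real IOCs."""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# certutil switches commonly abused to fetch or decode a payload (prefix '/' is
# normalised to '-' so both spellings are caught).
SUSPICIOUS_SWITCHES = {"-decode", "-decodehex", "-encode", "-urlcache"}


def certutil_flags(cmdline):
    """Return the set of suspicious switches if the command runs certutil, else an empty set."""
    tokens = cmdline.lower().split()
    if not tokens:
        return set()
    exe = tokens[0].strip('"')
    if not exe.endswith(("certutil", "certutil.exe")):
        return set()
    return {"-" + t.lstrip("-/") for t in tokens[1:] if "-" + t.lstrip("-/") in SUSPICIOUS_SWITCHES}


def looks_like_der_sequence(der):
    """Structural check only: an ASN.1 SEQUENCE whose encoded length spans the whole buffer.
    A real X.509 certificate passes; a PE file ('MZ...') or shellcode does not."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def pem_body_is_real_cert(text):
    """None if there is no PEM block, False if the base64 body is not DER-shaped, True otherwise."""
    m = PEM_RE.search(text)
    if not m:
        return None
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return looks_like_der_sequence(der)


def wrap_as_certificate(payload):
    """Reproduce the obfuscation: base64 arbitrary bytes inside certificate armor."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed samples. The "payload" is a stub with a PE header, not a real binary;
# the second blob is a minimal DER SEQUENCE { INTEGER 5 } that passes the structural test.
FAKE_CERT = wrap_as_certificate(b"MZ" + b"\x90" * 62 + b"stub payload")
DER_SHAPED_CERT = wrap_as_certificate(bytes.fromhex("3003020105"))
CMDLINE = r'"C:\Windows\System32\certutil.exe" -decode C:\Users\Public\cert.cer C:\Users\Public\update.exe'


def triage(cmdline, cert_text):
    """Combine both signals into a list of findings for an analyst."""
    findings = []
    flags = certutil_flags(cmdline)
    if flags:
        findings.append("certutil used with " + ", ".join(sorted(flags)))
    verdict = pem_body_is_real_cert(cert_text)
    if verdict is False:
        findings.append("PEM armor does not contain a DER certificate")
    return findings


if __name__ == "__main__":
    for line in triage(CMDLINE, FAKE_CERT):
        print(line)
```

The DER check is deliberately shallow: it confirms the outer TLV, not that the contents are a valid X.509 structure, which is enough to separate "certificate-shaped" from "executable with a certificate header glued on". Feed it the decoded file rather than trusting the `.cer` extension.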
Researchers use Rowhammer bit flips to steal 2048-bit crypto key - the latest application of the well-known DRAM attack, this time to recover an RSA-2048 OpenSSH key from memory. Instead of using bit flips to corrupt the victim's data, researchers from the University of Michigan, Graz University of Technology, the University of Adelaide and Data61 turn Rowhammer into a read side channel they call RAMBleed: the probability that a flip occurs in the attacker's own rows depends on the values stored in the adjacent victim rows, so observing which of the attacker's bits flip leaks the victim's bits without ever writing to the victim's memory. The article discusses defenses which make the attack harder, such as ECC and Targeted Row Refresh (TRR), though the researchers note that ECC raises the bar rather than closing the channel, since a corrected flip is still observable through timing.
A Formal Treatment of Deterministic Wallets - a research paper that gives a formal security model for hot/cold deterministic wallets and presents an ECDSA-based scheme in the style of the BIP32 standard, with a proof of security in that model: the cold wallet holds the master private key, while the hot wallet can derive the matching child public keys from public material alone.
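To make the hot/cold split concrete, here is BIP32-style non-hardened child key derivation on secp256k1 in pure Python, added as an example for this item (it is not the paper's code and does not implement the paper's specific construction, only the standard BIP32 derivation it builds on). The cold side derives child private keys, the hot side derives child public keys from the parent public key and chain code, and `hot_cold_check` confirms both sides land on the same public key. The seed used in `__main__` is the seed from BIP32 test vector 1.

```python
"""Added example: BIP32-style non-hardened derivation on secp256k1, showing how a hot
wallet (public key + chain code) tracks a cold wallet (private key). Pure Python,
no third-party packages; intended to illustrate the scheme, not for production use."""
import hashlib
import hmac

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indices >= 2^31 need the private key and are out of scope here


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def ser_p(pt):
    """33-byte SEC1 compressed encoding used by BIP32."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_key(seed):
    """BIP32 master private key and chain code from a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def _child_tweak(parent_pub, chain_code, index):
    """Shared step: I = HMAC-SHA512(c_par, serP(K_par) || ser32(i)); returns (I_L, I_R)."""
    if index >= HARDENED:
        raise ValueError("hardened derivation is not available from public material")
    digest = hmac.new(chain_code, ser_p(parent_pub) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    if il >= N:
        raise ValueError("invalid child at this index; BIP32 says skip it")
    return il, digest[32:]


def ckd_priv(k_par, c_par, index):
    """Cold side: child private key k_i = (I_L + k_par) mod n."""
    il, c_child = _child_tweak(point_mul(k_par), c_par, index)
    k_child = (il + k_par) % N
    if k_child == 0:
        raise ValueError("invalid child at this index; BIP32 says skip it")
    return k_child, c_child


def ckd_pub(K_par, c_par, index):
    """Hot side: child public key K_i = point(I_L) + K_par, no private key needed."""
    il, c_child = _child_tweak(K_par, c_par, index)
    K_child = point_add(point_mul(il), K_par)
    if K_child is None:
        raise ValueError("invalid child at this index; BIP32 says skip it")
    return K_child, c_child


def hot_cold_check(seed, path):
    """Walk a non-hardened path on both sides; returns (cold_pub_hex, hot_pub_hex)."""
    k, c_cold = master_key(seed)
    K, c_hot = point_mul(k), c_cold
    for index in path:
        k, c_cold = ckd_priv(k, c_cold, index)
        K, c_hot = ckd_pub(K, c_hot, index)
    return ser_p(point_mul(k)).hex(), ser_p(K).hex()


if __name__ == "__main__":
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # BIP32 test vector 1 seed
    cold, hot = hot_cold_check(seed, [0, 1, 2])
    print("cold side:", cold)
    print("hot side: ", hot)
    print("match:", cold == hot)
```

The security-relevant caveat this makes visible is the flip side of the convenience: anyone holding the hot wallet's parent public key and chain code can derive every non-hardened child public key, and leaking a single non-hardened child private key together with the chain code recovers the parent private key (since k_par = k_i - I_L mod n). That is exactly why the paper's formal model matters for deciding what the hot side may hold.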
A Huge List of Cryptocurrency Thefts - an awesome collection of major compromises including their root cause and monetary cost. The list starts with Mt. Gox in 2011 and runs all the way to the more recent Binance hack in May 2019.
Hope you enjoyed all the fun research articles and conference videos mentioned in this edition of Blockchain Intelligence. See you all next week.