Week 32, 2019
Blockchain Village | Binance | Coinbase | APT41
Aug 16, 2019
For those of you still recovering from the Black Hat/Defcon conferences, I am happy to report that the Blockchain Security Village was a real success! With about two dozen high-quality talks and two competitions running in parallel, it felt like a conference within a conference. Watch for Defcon to release the conference recordings in the next few weeks to check out some of the talks. There are also a number of security talks coming up during Berlin Blockchain Week, covered below.
In other news, Binance was a hot topic with an extortion attempt and a cache of leaked KYC data; a U.N. report describes North Korea raising funds by hacking every cryptocurrency exchange and bank it can reach; an excellent APT41 report covers a Chinese nation-state actor that targets the cryptocurrency industry when it is not busy running espionage operations; and there is plenty of new malware to watch out for.
North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report - a report describing at least 35 attacks on financial institutions, cryptocurrency exchanges and miners, carried out to generate income for the isolated state.
Responding to Firefox 0-days in the wild - a deep dive into the exploit and the actors behind an attempted hack targeting Coinbase in June. The blog discusses a sophisticated and long-term spear phishing attack, a well prepared 0-day payload, and the response by the Coinbase Security team.
An Extortion Gone Bad: Inside Binance's Negotiations With Its 'KYC Leaker' - the story behind the recent KYC leak. The article features an interview with the alleged actor behind the leak, who also claims to have access to some of the 7,000 BTC stolen from Binance in July. Binance released a separate statement on the leak describing an apparent extortion attempt (a demand for 300 BTC in exchange for not releasing the stolen data) and offering a 25 BTC reward for any information leading to the capture of the people behind the leak.
Web3 Summit 2019 - the security node at the Web3 Summit on August 19-21 will include workshops on everything Ethereum security from Solidified, MythX, Zeppelin, and others.
#blockchainhackers vol.3 - a security meetup on August 22nd during Berlin Blockchain Week, with speakers from ConsenSys, Hacken, ChainSecurity, SmartDec, and others.
Capture the Coin - a month-long CTF competition that kicked off during the Blockchain Village at Defcon and runs until September 9th. The challenges cover a range of blocksec topics, including smart contract exploitation, cryptography puzzles, blockchain investigations, wallet malware, and others. Several of my coworkers at Coinbase and I put this competition together and hope you will enjoy playing it.
Chain Heist - an excellent CTF-style competition built around a number of vulnerable Ethereum smart contracts covering a wide range of security issues. The main event, in which I had the privilege of competing and winning the main prize, is over; however, all of the challenges are still up and you can play them today.
Binance Hack 2019 – A Deep Dive Into Money Laundering And Mixing - a research article investigating the recent surge in activity of the ChipMixer mixing service. The article links the activity to BTC stolen from the Binance and BitPoint exchanges.
ShapeShift Security Update - an in-depth discussion of a recently reported side-channel attack affecting ShapeShift's hardware wallet (and other hardware wallets).
Bitcoin vaults with anti-theft recovery/clawback mechanisms - a soft fork proposal that introduces a delay period during which a wallet owner can observe and respond to a theft of funds.
Double Dragon - APT41, a dual espionage and cyber crime operation - a detailed FireEye report on a state-sponsored actor conducting financially motivated intrusions alongside espionage and surveillance operations. The group's focus on virtual-currency targets, including in-game currencies, cryptocurrencies, and related services, is of particular interest to readers. The report gives a detailed view of the group's malware capabilities and of its initial-compromise and post-exploitation techniques. In at least one instance the group attempted to deploy ransomware, and in another it deployed an XMRig miner.
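The vault item above describes the idea only in one sentence, so here is an added toy simulation of the mechanism (it is not the proposal's code, does not model Bitcoin Script, and assumes a constructed 144-block delay, key labels and amounts). It shows the property that matters: a thief holding the online "hot" key can start a withdrawal but cannot complete it until the delay elapses, and the owner, holding a separate cold recovery key, can claw the funds back in that window.

```python
"""Toy model of a time-delayed vault with a clawback path (added example)."""

from dataclasses import dataclass, field

DELAY_BLOCKS = 144  # assumed delay window, roughly one day of blocks


@dataclass
class Vault:
    hot_key: str        # online key that may start a withdrawal
    recovery_key: str   # cold key that may claw back during the delay
    balance: int
    height: int = 0     # simulated chain height
    recovered: int = 0  # funds moved to cold recovery by clawback
    next_id: int = 1
    # pending withdrawals: id -> (destination, amount, unlock_height)
    pending: dict = field(default_factory=dict)

    def advance(self, blocks: int) -> None:
        self.height += blocks

    def unvault(self, key: str, dest: str, amount: int) -> int:
        """Start a withdrawal; funds leave the vault but are not spendable yet."""
        if key != self.hot_key:
            raise PermissionError("unvault requires the hot key")
        if amount > self.balance:
            raise ValueError("insufficient vault balance")
        self.balance -= amount
        wid, self.next_id = self.next_id, self.next_id + 1
        self.pending[wid] = (dest, amount, self.height + DELAY_BLOCKS)
        return wid

    def finalize(self, wid: int):
        """Complete a withdrawal; only valid once the delay has elapsed."""
        dest, amount, unlock = self.pending[wid]  # KeyError if clawed back
        if self.height < unlock:
            raise TimeoutError(f"{unlock - self.height} blocks of delay left")
        del self.pending[wid]
        return dest, amount

    def clawback(self, key: str, wid: int) -> int:
        """Owner cancels a pending withdrawal and moves funds to cold recovery."""
        if key != self.recovery_key:
            raise PermissionError("clawback requires the recovery key")
        _dest, amount, _unlock = self.pending.pop(wid)
        self.recovered += amount
        return amount


def honest_withdrawal():
    v = Vault(hot_key="hot", recovery_key="cold", balance=10)
    wid = v.unvault("hot", "merchant", 4)
    v.advance(DELAY_BLOCKS)          # owner simply waits out the delay
    return v.finalize(wid), v.balance


def theft_and_clawback():
    v = Vault(hot_key="hot", recovery_key="cold", balance=10)
    wid = v.unvault("hot", "thief_addr", 10)  # attacker has stolen the hot key
    v.advance(10)
    try:
        v.finalize(wid)
        blocked_early = False
    except TimeoutError:
        blocked_early = True             # delay still running, spend refused
    recovered = v.clawback("cold", wid)  # owner notices and reacts with cold key
    v.advance(DELAY_BLOCKS)
    try:
        v.finalize(wid)
        stolen = True
    except KeyError:
        stolen = False                   # nothing left to finalize
    return blocked_early, recovered, stolen, v.balance, v.recovered


if __name__ == "__main__":
    print(honest_withdrawal())      # (('merchant', 4), 6)
    print(theft_and_clawback())     # (True, 10, False, 0, 10)
```

The security of the real construction rests on the recovery key never being online and on the owner (or a watchtower) actually monitoring the chain during the delay; the simulation assumes both.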
246 Findings From our Smart Contract Audits: An Executive Summary - a detailed statistical analysis of the vulnerability classes found across 23 security audits with a total of 246 findings. Data validation and access control flaws were the most common classes, at 36% and 10% of all findings respectively. The report also notes that almost 49% of the findings are unlikely to be discovered with static or dynamic analysis tools and require a human auditor.
The Elliptic Data Set: opening up machine learning on the blockchain - background information on the recently released bitcoin transaction data set.
Bitcoin Security under Temporary Dishonest Majority - a research study which examines several scenarios where a dishonest majority temporarily takes over the Bitcoin network.
Access Mining - How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model - a detailed Carbon Black report on the Smominru cryptominer, which has now started to exfiltrate data and provide remote access. The report links the campaign to the separate MyKings botnet and to a marketplace that sells access to infected hosts.
Clipsa – Multipurpose password stealer - an Avast report on a Visual Basic malware sample capable of stealing cryptocurrency wallets, brute-forcing WordPress credentials, silently replacing cryptocurrency addresses in the clipboard, and installing an XMRig miner.
BTC Addresses (Clipboard replacement):
ETH Address (Clipboard replacement):
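Clipboard replacement (the "clipper" behaviour in the Clipsa item above) is easy to detect on the endpoint: the clipboard changes to a different address of the same type without the user copying anything. The following is an added detector written for this newsletter, not code from the Avast report; the clipboard snapshots, addresses and the `user`/`poll` event labels are all constructed for the example, and the address patterns check shape only (no Base58 checksum or bech32 validation).

```python
"""Detect clipboard address swaps from a sequence of clipboard snapshots (added example)."""

import re

# Shape-only patterns: legacy/P2SH Base58 and bech32 for BTC, 20-byte hex for ETH.
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def address_type(text: str):
    """Return 'BTC', 'ETH' or None for a clipboard string."""
    text = text.strip()
    if ETH_RE.match(text):
        return "ETH"
    if BTC_RE.match(text):
        return "BTC"
    return None


def find_clipboard_swaps(events):
    """events: ordered (source, text) snapshots.

    source == 'user' means the user performed a copy (e.g. a copy keystroke was
    observed); source == 'poll' means a background poll read the clipboard with
    no user copy in between.  A swap is flagged when a polled snapshot holds an
    address of the same type as the last user-copied address but different
    content: exactly what a clipper does.
    """
    alerts = []
    last_addr, last_type = None, None
    for i, (source, text) in enumerate(events):
        kind = address_type(text)
        if source == "user":
            # New baseline: only addresses are tracked, other text clears it.
            last_addr, last_type = (text.strip(), kind) if kind else (None, None)
            continue
        if kind and kind == last_type and text.strip() != last_addr:
            alerts.append({"index": i, "type": kind,
                           "expected": last_addr, "observed": text.strip()})
    return alerts


# Constructed addresses (valid shape only, not real wallets).
BTC_USER = "1AbCdEfGhJkMnPqRsTuVwXyZabcdefghij"
BTC_ATTACKER = "3FeDcBaZyXwVuTsRqPnMkJhGfEdCbAzyxw"
ETH_USER = "0x1234567890abcdef1234567890abcdef12345678"
ETH_ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

# Constructed snapshot sequence: two swaps, one benign re-read, one unflagged case.
SAMPLE_EVENTS = [
    ("user", "meeting notes"),
    ("user", BTC_USER),
    ("poll", BTC_USER),       # unchanged, benign
    ("poll", BTC_ATTACKER),   # BTC address swapped without a user copy
    ("user", ETH_USER),
    ("poll", ETH_ATTACKER),   # ETH address swapped
    ("user", "hello"),
    ("poll", BTC_ATTACKER),   # no address baseline, not flagged by this rule
]

if __name__ == "__main__":
    for alert in find_clipboard_swaps(SAMPLE_EVENTS):
        print(alert)
```

The last event shows the rule's blind spot: an address appearing in the clipboard when the user last copied plain text is also suspicious, and a production monitor would raise a lower-severity alert for it rather than stay silent.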
Saefko: A new multi-layered RAT - a Zscaler report on a new .NET malware with remote execution, keylogging, connection proxying, and data-stealing capabilities. The malware is notable because it specifically targets machines with evidence that the user has visited major cryptocurrency company websites, including Coinbase, Kraken, ShapeShift, Bitfinex, and others.
Hashing It Out #55 – Diligence – Steve Marx - an interesting podcast on the origins and mission of ConsenSys Diligence, which works to secure Ethereum smart contracts.
Crytic: Continuous Assurance for Smart Contracts - a continuous integration tool to automatically run an array of smart contract security tests.
That's all for this busy week in blockchain threat intelligence. Stay safe and see you next week!