Oct 09 2023

Lazarus APT Laundered Over $900 Million Worth of Cryptocurrency

Category: APT, Crypto | disc7 @ 7:24 am

Threat actors launder funds with multiple methods. One of the most prevalent lately is cross-chain crime: threat actors swap their cryptocurrency between different blockchains and tokens, which helps them maintain their anonymity.

This cross-chain crime is carried out using decentralized exchanges (DEXs) and cross-chain bridges. With the increase in cybercriminal activities such as ransomware attacks, scams, and crypto thefts, it has become an increasingly preferred money laundering method for cybercriminals.

In addition to this, reports also suggest that more than $4.1 billion of illegal funds have been laundered through decentralized exchanges (DEXs), cross-chain bridges, and coin swap services. 

This is estimated to rise to $6.5 billion by the end of 2023 and $10.5 billion by 2025. Another report indicates that $2.7 billion was laundered through cross-chain crime over just a 12-month period between July 2022 and July 2023.

Reason for High Adoption Rate

Threat actors and scammers who generate revenue through illegal methods use cross-chain crime for several reasons, including the popularity among criminals of crypto assets other than Bitcoin, the anonymity it offers, and the availability of stable-value assets, some of which are government-backed currencies (Tether (USDT) or DAI).

Another major reason for the adoption is that many cross-asset and cross-chain services, unlike centralized exchanges, do not require ID verification. The method also offers protection against tracing through techniques such as prolific asset- or chain-hopping.

Annual figures of cumulative illegal funds laundered (Source: Elliptic)

Furthermore, it has been discovered that the Lazarus group, responsible for several high-profile cyberattacks, has laundered over $900 million using this method.

Decentralized exchanges (DEXs), cross-chain bridges, and coin swap services have been found to have laundered over $7 billion of illegal funds as of July 2023. Elliptic researchers have published a complete report on this method and related findings.


InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Lazarus

Sep 15 2023

Attackers hit software firm Retool to get to crypto companies and assets

Category: App Security, Crypto, Security Tools | disc7 @ 3:18 pm

Retool, the company behind the popular development platform for building internal business software, has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.

According to a CoinDesk report, one of the known victims is Fortress Trust, or rather four of its customers, who accessed their crypto funds via a portal built by Retool.

It all started with an SMS

The attack started with spear phishing text messages delivered to a number of Retool employees. According to the company, only one fell for the scheme.

The phishing text message. (Source: Retool)

The messages were spoofed to look like they came from the company’s IT department. The goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call from the attacker.

“The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code,” Snir Kodesh, Retool’s head of engineering, shared on Wednesday.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite [i.e., Google Workspace] session on that device.”

And because the employee’s MFA codes were synced with their Google account, the attacker now had access to all the MFA tokens held in that account.

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry),” Kodesh noted, and added that the attacker also poked around some of the Retool apps – but didn’t specify which ones.

“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.”
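The pivotal step in the account described above was the attacker enrolling their own device as an Okta MFA factor. As an added example (not Retool's or Okta's code), the following Python flags successful factor activations that originate from an address outside a user's usual egress set and links them to the session start that preceded them. The events are constructed but use Okta System Log field names (`eventType`, `actor.alternateId`, `client.ipAddress`, `published`, `outcome.result`); the per-user baseline of expected addresses is assumed to be maintained elsewhere.

```python
"""Added example (not Retool's or Okta's code): flag MFA factor enrollments
that happen from an address the user is not normally seen on.

Assumptions: the events below are constructed but follow Okta System Log
field names; KNOWN_EGRESS is a constructed per-user baseline (office, VPN)."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample log
    {"published": "2023-08-27T14:01:10.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"},
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-27T14:03:42.000Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"},
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-27T09:15:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"},
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-27T09:16:30.000Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.20"},
     "outcome": {"result": "SUCCESS"}},
]

# Constructed baseline: addresses each user's sessions normally come from.
KNOWN_EGRESS = {
    "alice@example.com": {"198.51.100.20"},
    "bob@example.com": {"198.51.100.20"},
}
WINDOW = timedelta(minutes=30)  # how far back to look for the enabling session


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def find_suspicious_enrollments(events, known_egress, window=WINDOW):
    """Return one finding per successful factor activation whose source address is
    outside the user's baseline, with the matching session start if one exists."""
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["actor"]["alternateId"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        for e in evs:
            if e["eventType"] != "user.mfa.factor.activate":
                continue
            if e["outcome"]["result"] != "SUCCESS":
                continue
            ip = e["client"]["ipAddress"]
            if ip in known_egress.get(user, set()):
                continue  # enrolled from a place we expect this user to be
            t = _ts(e)
            session = next(
                (s for s in evs
                 if s["eventType"] == "user.session.start"
                 and s["client"]["ipAddress"] == ip
                 and t - window <= _ts(s) <= t),
                None,
            )
            findings.append({
                "user": user,
                "ip": ip,
                "published": e["published"],
                "session_start": session["published"] if session else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_EGRESS):
        print(f"new MFA factor for {f['user']} from {f['ip']} at {f['published']}"
              f" (session started {f['session_start']})")
```

The baseline comparison is deliberately simple; in production the "known" set would come from an identity-aware proxy or the user's own session history, and the finding would be routed to the account owner for confirmation before the factor is trusted.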

Who’s to blame?

“Social engineering can affect anyone,” Kodesh noted, and “even with perfect training and awareness of these attacks, mistakes will happen.” He also put some of the blame for the hack on Google.

The company recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud and made it easier to activate the feature than not to.

“Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this ‘feature’. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just an “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” he explained.

“Through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”

Of course, Google cannot be blamed for this breach entirely – Retool should have regularly reviewed the protections they’ve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.

If the company had used a FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed – as a similar attack against Cloudflare employees did a year ago.
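Why a hardware key would have stopped this particular attack comes down to one property: a one-time code knows nothing about where it is typed, whereas a WebAuthn assertion is signed over the origin the browser is actually on. The following Python model is an added example (not Retool's, Google's or Cloudflare's code) that shows both cases. It uses HMAC over a per-credential secret as a stand-in for the key's public-key signature, and the origins and relying-party id are constructed; the origin check itself is the same one a real relying party performs.

```python
"""Added example: why an OTP relayed from a phishing page is accepted while a
FIDO2/WebAuthn assertion relayed the same way is rejected.

Assumption for the model: HMAC over a per-credential secret stands in for the
hardware key's signature; origins and RP_ID below are constructed."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://sso.example.com"   # constructed: the real identity portal
PHISH_ORIGIN = "https://sso-example.com"  # constructed: look-alike phishing site
RP_ID = "sso.example.com"                 # constructed relying-party id


class OtpAuthenticator:
    """App-style one-time code: a function of a shared secret and a counter.
    Nothing in the code records where the user typed it."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def code(self, counter: int) -> str:
        mac = hmac.new(self.secret, counter.to_bytes(8, "big"), "sha256").digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Fido2Authenticator:
    """Stand-in for a hardware key: signs the relying-party id together with
    client data that the browser fills in, including the origin the user is
    actually on. A phishing page cannot make the key claim another origin."""

    def __init__(self, cred_secret: bytes):
        self.cred_secret = cred_secret

    @staticmethod
    def to_be_signed(client_data: str) -> bytes:
        rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
        client_data_hash = hashlib.sha256(client_data.encode()).digest()
        return rp_id_hash + client_data_hash

    def assertion(self, challenge: str, origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        )
        sig = hmac.new(self.cred_secret, self.to_be_signed(client_data), "sha256").hexdigest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """The real site: knows the OTP secret and the registered credential secret."""

    def __init__(self, origin: str, otp_secret: bytes, cred_secret: bytes):
        self.origin = origin
        self.otp_secret = otp_secret
        self.cred_secret = cred_secret

    def verify_otp(self, submitted: str, counter: int) -> bool:
        expected = OtpAuthenticator(self.otp_secret).code(counter)
        return hmac.compare_digest(submitted, expected)

    def verify_assertion(self, challenge: str, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:
            return False  # signed for another origin: a relayed assertion stops here
        expected = hmac.new(
            self.cred_secret, Fido2Authenticator.to_be_signed(assertion["client_data"]), "sha256"
        ).hexdigest()
        return hmac.compare_digest(assertion["signature"], expected)


def otp_relay_succeeds() -> bool:
    """Employee types the OTP into the phishing page; the attacker replays it."""
    secret = secrets.token_bytes(20)
    rp = RelyingParty(REAL_ORIGIN, otp_secret=secret, cred_secret=b"unused")
    code_seen_by_attacker = OtpAuthenticator(secret).code(counter=42)
    return rp.verify_otp(code_seen_by_attacker, counter=42)


def fido2_relay_succeeds() -> bool:
    """Phishing page forwards the real challenge; the employee touches the key."""
    cred = secrets.token_bytes(32)
    rp = RelyingParty(REAL_ORIGIN, otp_secret=b"unused", cred_secret=cred)
    challenge = secrets.token_urlsafe(32)
    captured = Fido2Authenticator(cred).assertion(challenge, PHISH_ORIGIN)  # browser-stamped origin
    return rp.verify_assertion(challenge, captured)


def fido2_legitimate_login_succeeds() -> bool:
    cred = secrets.token_bytes(32)
    rp = RelyingParty(REAL_ORIGIN, otp_secret=b"unused", cred_secret=cred)
    challenge = secrets.token_urlsafe(32)
    return rp.verify_assertion(challenge, Fido2Authenticator(cred).assertion(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    print("OTP relayed from phishing page accepted:  ", otp_relay_succeeds())
    print("FIDO2 assertion relayed from phish accepted:", fido2_relay_succeeds())
    print("FIDO2 assertion on real origin accepted:    ", fido2_legitimate_login_succeeds())
```

In the real protocol the browser additionally refuses to use the credential at all when the page's domain does not match the registered rpId, so the phishing page never even gets an assertion to relay; the model shows only the relying-party side of that check.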

The investigation is ongoing

Retool is working with law enforcement and a third-party forensics firm to investigate the breach in depth.

So far, they found that 27 cloud customers have been affected (and they notified them all), but that on-premise Retool customers remain secure.

“Retool on-prem operates in a ‘zero trust’ environment, and doesn’t trust Retool cloud. It is fully self contained, and loads nothing from the cloud environment. This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,” Kodesh noted.

Fortress’ customers, on the other hand, apparently lost nearly $15 million.

UPDATE (September 15, 2023, 04:35 a.m. ET):

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies,” Google stated.

“Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”


May 09 2023

7 Rules Of Risk Management For Cryptocurrency Users

Category: Crypto, Information Security | disc7 @ 3:30 pm

Trading or investing in cryptocurrencies can be highly lucrative, but the extreme price movements often discourage beginners from buying cryptocurrencies. With a carefully charted risk management plan, however, it is possible to make gains and minimize losses.

Here are the 7 golden rules of risk management for cryptocurrency traders.

Diversify your portfolio

One of the most effective risk management strategies for a cryptocurrency trader is to diversify your portfolio. Spread your investment across a few carefully chosen cryptocurrencies instead of putting all your money into just one. For instance, you might consider buying Kusama along with Bitcoin or Ethereum, after checking the Kusama price on that day.

Set up your stop-loss orders

A stop-loss order, in simple terms, is a preset order that automatically sells part or all of a holding if the cryptocurrency’s price drops to a level you set. It works like a safety net that limits your loss if the market moves against you. Stop-loss orders reduce losses and protect your investments, provided you place them at the proper levels.

Use the proper position sizing

Position sizing plays a crucial role in risk management: it is the amount of your portfolio you allocate to a specific trade. Using the correct position size keeps risk manageable, since over-committing to a single trade can lead to large losses. In simple terms, risk only 1 to 2% of the complete portfolio on one trade, so that even a loss will not impact your portfolio to a great extent.

Set only realistic profit goals

A clear profit goal lets you manage risk to a great extent. Set realistic profit goals based on market trends and technical analysis. Avoid getting greedy and setting unrealistically high profit targets, which can lead to risky trading decisions. Stay disciplined, stick to the profit target, and lock in the gain at the right time.

Do your own research (DYOR)

Information and market sentiment play a crucial role in the cryptocurrency market, so you must have all the information about the trade and prices. With correct information on the latest developments and news, you can trade well. To get it, research every cryptocurrency you trade: its technology, market capitalization, trading volume, and historical price performance.

Consider using leverage with care

Leverage lets you trade with a considerably larger amount of capital than you actually have. It cuts both ways: it can lead to huge profits and huge losses at the same time.

Even though leverage can help in improving your potential income, it can also increase the risk of losses to a great extent. You need to use leverage with a lot of care and thoroughly understand all the risks involved before you consider implementing it in your strategy.

Lastly, you need to ensure that you keep your leverage high and have the right stop-loss orders whenever you are trading with leverage. This will help you in managing your risk well.

Manage your emotions

Emotions like fear or greed can have a significant impact on your decision-making process and lead to impulsive trading decisions. This creates unnecessary risk, so it is essential to keep your emotions in check and maintain a rational approach while trading. Avoid impulsive decisions based on fear or greed and stick to your risk management plan. It is fine to take a step back and reconsider when you feel that your emotions are taking over.

In short, risk management is a critical element of cryptocurrency trading, considering the volatile nature of the market. When you follow these rules for risk management, you can indeed reduce your potential losses.


Tags: cryptocurrency, Cryptocurrency Risk Management

Apr 06 2023

Hackers use Rilide browser extension to bypass 2FA, steal crypto

Category: 2FA, Crypto, Information Security | DISC @ 12:45 pm

Security researchers discovered a new malicious browser extension called Rilide that targets Chromium-based browsers such as Google Chrome, Brave, Opera, and Microsoft Edge.

The malware is designed to monitor browser activity, take screenshots, and steal cryptocurrency through scripts injected in web pages.

Researchers at Trustwave SpiderLabs found that Rilide mimicked benign Google Drive extensions to hide in plain sight while abusing built-in Chrome functionalities.

The cybersecurity company detected two separate campaigns that distributed Rilide. One was using Google Ads and Aurora Stealer to load the extension using a Rust loader. The other one distributed the malicious extension using the Ekipa remote access trojan (RAT).

Two campaigns pushing Rilide (Trustwave)

While the origin of the malware is unknown, Trustwave reports that it has overlaps with similar extensions sold to cybercriminals. At the same time, portions of its code were recently leaked on an underground forum due to a dispute between cybercriminals over unresolved payment.

A parasite in the browser

Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system.

Malicious extension on Edge (Trustwave)

If there’s a match, the extension loads additional scripts injected into the webpage to steal information from the victim related to cryptocurrencies, email account credentials, etc.

The extension also disables ‘Content Security Policy,’ a security feature designed to protect against cross-site scripting (XSS) attacks, to freely load external resources that the browser would normally block.

In addition to the above, the extension regularly exfiltrates browsing history and can also capture screenshots and send them to the C2.

Rilide’s capabilities graph (Trustwave)

Bypassing two-factor authentication

An interesting feature in Rilide is its 2FA-bypassing system, which uses forged dialogs to deceive victims into entering their temporary codes.

The system is activated when the victim initiates a cryptocurrency withdrawal request to an exchange service that Rilide targets. The malware jumps in at the right moment to inject the script in the background and process the request automatically.

Once the user enters their code on the fake dialog, Rilide uses it to complete the withdrawal process to the threat actor’s wallet address.

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser,” explains Trustwave in the report.

“The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.”

Replacing the legitimate email (right) while extracting the 2FA code (Trustwave)

Rilide showcases the growing sophistication of malicious browser extensions that now come with live monitoring and automated money-stealing systems.

While the roll-out of Manifest v3 on all Chromium-based browsers will improve resistance against malicious extensions, Trustwave comments that it won’t eliminate the problem.




Tags: bypass 2FA, Rilide browser extension

Jun 29 2022

Harmony blockchain loses nearly $100M due to hacked private keys

Category: Crypto, Cryptography | DISC @ 2:45 pm

Another day, another De-Fi (decentralised finance) attack.

This time, online smart contract company Harmony, which pitches itself as an “open and fast blockchain”, has been robbed of more than $80,000,000’s worth of Ether cryptocoins.

Surprisingly (or unsurprisingly, depending on your point of view), if you visit Harmony’s website, you’ll probably end up totally unaware of the massive loss that the business just suffered.

Even the business’s official blog, linked to from the website, doesn’t mention it.

The most recent blog article dates to the very start of 2022, and is entitled Lost Funds Investigation Report.

Unfortunately, those lost funds aren’t these lost funds.

Apparently, at the start of the year, those lost funds happened when five individuals were ripped off to the tune of just over 19 million of Harmony’s ONE tokens, then apparently worth about 25 US cents each.

Harmony made an offer, back on 04 January 2022, stating that:

We wish to provide the suspect an opportunity to communicate with the Harmony Foundation and return all funds. Harmony will not pursue further legal action or dox your identity so long as we receive your full cooperation. The team will offer you a bounty to reveal how this theft was performed so long as it can be validated.

We’re not sure whether it’s legal for a company to offer to rewrite history to pretend that an unauthorised and probably illegal hack was actually legitimate research, though it did seem to work in the infamous $600 million hack of Poly Networks.

The perpetrator in that case made a flurry of curious pseudo-political blockchain announcements ALL IN CAPS, written in artificially poor English, to claim that money wasn’t the motivator behind the crime.

Ultimately, after currying favour with the cracker by adopting the nickname Mr White Hat, Poly Networks (to many people’s astonishment, including our own) got most of their funds back.

We’re also not sure just how much insulation from prosecution any offer from the victim not to “press charges” is likely to provide, given that in many countries, it’s the state that usually takes the decision to investigate, charge and prosecute suspects for criminal offences.

Some countries, such as England, do give private individuals (including professional bodies or charities) the right to conduct a private prosecution if the state doesn’t want to do it, but they don’t give crime victims a “corollary right” to prevent the state from prosecuting a case if it does want to do so.

Nevertheless, Poly Networks’ unexpected success in recovering more than half-a-billion dollars has encouraged other cryptocurrency businesses to try this “wipe the slate clean” approach, presumably on the grounds that there’s often not much else they can do.

But it doesn’t seem to work terribly often.

It certainly didn’t seem to work for Harmony in January 2022, though if the perpetrator hasn’t yet been able to cash out their ill-gotten gains, they might regret not taking up the offer.

By 15 January 2022, when Harmony’s fake “bug bounty offer” expired, ONE tokens peaked at $0.35, but have since sunk to below 2.5 cents each, according to CoinGecko.


Tags: Cryptography for Secure Encryption, hacked private keys

May 18 2022

Microsoft warns of the rise of cryware targeting hot wallets

Category: Crypto, Malware | DISC @ 8:58 am

Microsoft researchers warn of the rising threat of cryware targeting non-custodial cryptocurrency wallets, also known as hot wallets.

Microsoft warns of the rise of cryware, malicious software used to steal information and funds from non-custodial cryptocurrency wallets, also known as hot wallets. Data stolen by this kind of malware includes private keys, seed phrases, and wallet addresses, which threat actors could use to initiate fraudulent transactions.

“Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.” reads the post published by Microsoft.

The experts pointed out that cryptocurrency theft is irreversible: unlike credit card and other financial transactions, there is no mechanism to reverse fraudulent transactions.

This cryware automates the process of scanning for hot wallet data exposed online.

The increasing popularity of cryptocurrency is attracting cybercrime that is using different means to target the cryptocurrency industry. Below is a list of threats that are currently leveraging cryptocurrency:

  • Cryptojackers. One of the threat types that surfaced and thrived since the introduction of cryptocurrency, cryptojackers are mining malware that hijacks and consumes a target’s device resources for the former’s gain and without the latter’s knowledge or consent. Based on our threat data, we saw millions of cryptojacker encounters in the last year.
  • Ransomware. Some threat actors prefer cryptocurrency for ransom payments because it provides transaction anonymity, thus reducing the chances of being discovered.
  • Password and info stealers. Apart from sign-in credentials, system information, and keystrokes, many info stealers are now adding hot wallet data to the list of information they search for and exfiltrate.
  • ClipBanker trojans. Another type of info stealer, this malware checks the user’s clipboard and steals banking information or other sensitive data a user copies. ClipBanker trojans are also now expanding their monitoring to include cryptocurrency addresses.

Microsoft described the techniques used by crooks to steal hot wallet data, including clipping and switching, memory dumping, wallet file theft, phishing sites and fake applications, and keylogging.

Experts also warn of scams and other social engineering attacks that cybercriminals use to trick victims into sending funds to the attackers’ wallets.

Microsoft recommends that users and organizations:

  • lock hot wallets when not actively trading;
  • disconnect sites connected to the wallet;
  • never store private keys in plaintext;
  • ensure that browser sessions are terminated after every transaction;
  • enable MFA for wallet authentication;
  • double-check hot wallet transactions and approvals;
  • use hardware wallets to store private keys offline.




Tags: cryware

Jan 20 2022

Crypto.com: Fortune Favors the Hacker—$16M ‘Stolen’

Category: Crypto, Hacking | DISC @ 10:18 pm

DeFi: A Planet-Burning Ponzi Scheme

What’s the craic, you ask? Andrew Asmakov answers—“Crypto.com Suffers Hack for At Least $15M”:

“Definitely worse”
The platform has yet to confirm that it has indeed been attacked [but] Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts.” … A household name in Asian markets, the Singapore-based exchange recently spent $700 million to buy the naming rights to the Staples Center—the Los Angeles home venue of the NBA’s Lakers and Clippers.

Events took a turn for the worse when security research company Peckshield [said] Crypto.com has lost at least 4,600 ETH (around $15 million in current prices) [and] that the true scale of the damage is “definitely worse.” … Peckshield added that half of the stolen funds were sent to Tornado Cash, the Ethereum-centric mixing service.

Remarkably, a few hours later, Crypto.com CEO Kris Marszalek said that no customer funds were lost.

A small number of users? Such as? Emily Nicolle notes one of them—“Crypto.com Suspends Withdrawals”:

“$16.3 million”
Several users had reported on social media that their cryptocurrencies, at times equating to tens of thousands of dollars, had disappeared from their Crypto.com accounts in recent days. … Technical issues on crypto trading platforms have become commonplace as the hype surrounding digital assets grows.

Crypto influencer and podcast host Ben Baller said in a tweet on Monday that around 4.28 Ether, which equates to roughly $14,000, had been “stolen out of nowhere” [despite] two-factor authentication security measures. … Baller later alleged … a wallet belonging to Crypto.com had lost approximately 5,000 Ether, which equates to roughly $16.3 million.

A spokesperson from Crypto.com didn’t respond to a request for comment.

And Andy Greenberg adds color and context—“North Korean Hackers Stole Nearly $400 Million in Crypto Last Year”:


Tags: Crypto.com

Jan 02 2022

North Korea-linked threat actors stole $1.7 billion from cryptocurrency exchanges

Category: Crypto, Cybercrime | DISC @ 10:57 am

North Korea-linked threat actors are behind some of the largest cyberattacks against cryptocurrency exchanges.

North Korea-linked APT groups are suspected to be behind some of the largest cyberattacks against cryptocurrency exchanges. According to South Korean media outlet Chosun, North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.

According to local media, US federal prosecutors believe that North Korea’s government considers cryptocurrency a long-term investment and it is amassing crypto funds through illegal activities.

In a classified report cited by Chosun, the US National Intelligence Service (DNI) found that North Korea was financing its ‘priority policies’, such as nuclear and missile development, through cybercrime. Government experts noticed that nation-state actors are not immediately cashing out all the stolen crypto to create a crypto fund reserve.

“Citing the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the media reported that all banks in the world are being targeted by North Korea’s cyberattacks. It also reported that North Korea is committing cybercriminals such as stealing defense secrets from major powers, using ransomware to steal funds, hijacking cryptocurrencies, and “laundering” criminal proceeds into cryptocurrencies.” reads a post published by Chosun.

“Then, citing the results of investigations by the United States and the UN Security Council, it was estimated that the Kim Jong-un regime’s fraudulent profits from cyber crimes have already reached $2.3 billion (about 2.7 trillion won).”

The report states that North Korea-linked attacks employed the AppleJeus malware to steal cryptocurrency. According to Bloomberg, multiple versions of AppleJeus have been used in attacks against entities in 30 countries since 2018, and according to a UN and US investigation, between 2019 and November 2020 North Korean hackers stole $316.4 million (about 380 billion won) in cryptocurrency through this program.

According to Chosun, North Korea’s dependence on cybercrime will increase due to international sanctions that limit the amount of money that North Korea can earn from coal exports to $400 million (about 480 billion won) per year.


Tags: Crypto-hackers, North Korea-linked threat

Oct 15 2021

U.S. Treasury Offers Crypto Guidance Amid Ransomware Surge

Category: Crypto, Information Security, Ransomware | DISC @ 12:48 pm


There was $590 million in suspicious activity related to ransomware in the first six months of 2021, exceeding the entire amount in 2020, when $416 million was reported, according to a report released Friday by the U.S. Treasury Department’s Financial Crimes Enforcement Network.

The average amount of reported ransomware transactions per month in 2021 was $102.3 million, according to the report. If the current trend continues, suspicious activity reports filed in 2021 “are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined,” according to the report. SARs is shorthand for suspicious activity reports.

U.S. based cybersecurity companies filed most of the SARs related to ransomware while banks and cryptocurrency exchanges filed more than a third of the reports. The reports reflect just how quickly ransomware attacks have grown.

The report offers new insight into the scale of ransomware attacks devastating U.S. businesses and impacting critical infrastructure. A Treasury spokesperson said the SARs don’t represent all ransomware payments. 

Reporting ransomware payments to the Treasury via a suspicious activity report is often a requirement of cybersecurity insurance policies, according to a person familiar with the matter. 

The Treasury Department also identified 68 ransomware variants, noting that the most commonly reported types were REvil, Conti and DarkSide. Ransomware groups often sell their malware, or variant, to affiliates who then use it to plot attacks, in what is known as ransomware-as-a-service. REvil, Conti and DarkSide are suspected by cybersecurity firms of being tied to Russia in some way — because they use the Russian language or are suspected of being based there.  

The report was filed as the Treasury Department issued guidance to the virtual currency industry to prevent exploitation by entities sanctioned by the U.S. and ransomware groups. It is part of a broader effort by the Biden administration to attempt to curb ransomware attacks. In ransomware attacks, hackers encrypt a victim’s files and promise to unlock them if they are paid a fee.

Among the more notable attacks were those in May on Colonial Pipeline Co., which squeezed fuel supplies on the East Coast, and on the meatpacker JBS SA.

The Treasury report stated that ransomware actors are increasingly requesting payment in cryptocurrencies like Monero, which are designed to enhance anonymity. 

More: BleepingComputer, The Record, CNET, The Hill, PYMNTS.com, CyberScoop, and CoinDesk

Tags: Ransomware Surge, U.S. Treasury

Sep 01 2021

Threats Grow as Digital Wallets Gain Popularity

Category: Crypto, Cyber Threats | DISC @ 11:35 am

The pandemic, as well as users’ personal preferences, have helped enable the rapid emergence of digital payment applications and digital wallets, which compete with credit cards and cash as preferred payment options.

The growing popularity of digital wallets such as Google Pay, Samsung Pay and Apple Pay is making them a bigger target for malicious actors, according to a report from security analytics software specialist Cognyte.

The study, which collected and analyzed threat actors’ conversations about digital wallets from 2016 through 2020, found the number of threat actors’ interactions around the topic almost doubled from 2017 to 2018.

By 2019, this number grew by 456%, reaching 31,878 interactions and by 2020 it grew by another 292%, reaching 96,363 interactions.

Increase in Popularity and Threats


Tags: Digital Wallets

Aug 31 2021

Skimming the CREAM – recursive withdrawals loot $13M in cryptocash

Category: Crypto | DISC @ 11:54 am

You must have had that happy feeling (happiest of all when it’s still a day or two to payday and you know that your balance is paper-thin) when you’re withdrawing money from a cash machine and, even though you’re still nervously watching the ATM screen telling you that your request is being processed, you hear the motors in the cash dispensing machinery start to spin up.

That means, even before any banknotes get counted out or the display tells you the final verdict, that [a] you’ve got enough funds, [b] the transaction has been approved, [c] the machine is working properly, and [d] you’re about to get the money.

Well, imagine that if you hit the [Cancel] button at exactly the right moment between the mechanism firing up and the money being counted out…

…and if your timing was spot on, then your card would stay in the machine, your account wouldn’t get debited, and you’d be asked if you wanted to try again, BUT YOU’D GET THE CASH FROM THE CANCELLED TRANSACTION ANYWAY!?!!?

And imagine that, as long as you kept pressing that magic button at just the right moment, you could loop back on yourself and layer ghost withdrawal on ghost withdrawal…

…until the machine finally ran out of money, or hit some internal software limit on recursive withdrawals, or you decided to quit while you were ahead and get clear of the ATM before an alarm went off.
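The loop described above is a reentrancy bug: the vault hands control to the recipient before it has recorded the withdrawal, so the recipient can ask again while the first request is still in flight. The Python below is an added illustration, not CREAM Finance's contract code: a vault whose withdraw() pays out before debiting the ledger, a recipient hook that re-enters (standing in for a token transfer hook or a fallback function), and the same vault with the checks-effects-interactions order plus a reentrancy lock. Account names, balances and the reserve are constructed.

```python
# Added example: a Python model of the recursive withdrawal (reentrancy)
# pattern described above. It is not CREAM Finance's contract code; the
# accounts, balances and reserve below are constructed.

class Reentered(Exception):
    """Raised by the guarded vault when a call re-enters withdraw()."""


class Vault:
    def __init__(self, balances, reserve, guarded):
        self.balances = dict(balances)   # ledger: what each account is owed
        self.reserve = reserve           # funds the vault actually holds
        self.guarded = guarded
        self._busy = False               # reentrancy lock (guarded mode only)
        self.hooks = {}                  # account -> callback run on payout

    def on_payout(self, account, callback):
        self.hooks[account] = callback

    def withdraw(self, account, amount):
        if self.guarded and self._busy:
            raise Reentered(account)
        self._busy = True
        try:
            if self.balances.get(account, 0) < amount or self.reserve < amount:
                raise ValueError("insufficient funds")
            if self.guarded:
                # Checks-effects-interactions: debit the ledger first, then
                # pay. A re-entrant call now sees the reduced balance.
                self.balances[account] -= amount
                self._pay(account, amount)
            else:
                # Vulnerable order: pay (handing control to the recipient)
                # and only afterwards debit the ledger.
                self._pay(account, amount)
                self.balances[account] -= amount
        finally:
            self._busy = False

    def _pay(self, account, amount):
        self.reserve -= amount
        hook = self.hooks.get(account)
        if hook:
            hook(self, amount)   # like a token transfer hook or ETH fallback


def attacker_hook(vault, amount, payouts):
    """The 'press Cancel at the right moment' move: while the first withdrawal
    is still in flight, ask for another one."""
    payouts.append(amount)
    try:
        vault.withdraw("mallory", amount)
    except (Reentered, ValueError):
        pass   # a failed inner call; the outer withdrawal still completes


def run_attack(guarded):
    """Return (total paid to mallory, reserve left, mallory's ledger balance)."""
    vault = Vault({"alice": 80, "mallory": 10}, reserve=90, guarded=guarded)
    payouts = []
    vault.on_payout("mallory", lambda v, amt: attacker_hook(v, amt, payouts))
    vault.withdraw("mallory", 10)
    return sum(payouts), vault.reserve, vault.balances["mallory"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))   # (90, 0, -80): nine payouts on a 10-unit deposit
    print("hardened:  ", run_attack(True))    # (10, 80, 0)
```

The vulnerable run drains the whole reserve and leaves the attacker's ledger balance deeply negative, which is exactly the "ghost withdrawal on ghost withdrawal" the analogy describes. The hardened run pays once: the ledger is debited before the recipient gets control, and the lock rejects the nested call outright. Either fix alone stops this particular loop; production contracts use both.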


Tags: cryptocash

Aug 11 2021

Hacker grabs $600m in cryptocash from blockchain company Poly Networks

Category: Crypto | DISC @ 11:06 pm

Remember Mt. Gox? Sure you do!

Although it’s usually said aloud as “Mount Gox”, as if it were a topographic feature, it actually started life as MTGOX, short for Magic: The Gathering Online Exchange, where MTG fans could trade cards via the internet.

The web domain was eventually repurposed for what was, back in 2014, the world’s biggest Bitcoin cryptocurrency exchange.

Mt. Gox was headquartered in Japan, holding what was then a mind-blowing $500,000,000 in other people’s bitcoins (BTC).

And then a strange thing happened: the money, or at least the bitcoins, vanished, just like that.

We’ve never really found out what happened.

Early suggestions blamed a cryptographic flaw known as transaction malleability, but sceptics argued that this sort of treachery, even if it were possible on such an epic scale, would be visible in the Bitcoin transaction record, also known as the blockchain.

Simply put, transaction malleability means that the same transaction (same inputs, same outputs, same signing key) can be re-encoded so that it carries a different supposedly unique identifier, because the original txid hashed the signature data as well, and an ECDSA signature, like the script that wraps it, can be altered without becoming invalid. Crooked transactors could, in theory, rebroadcast a modified copy of a withdrawal, let the copy confirm under a new id, and then tell a naive exchange that tracked only the original id that the withdrawal had failed. The crooks could then dishonestly repudiate the transaction and demand a refund.


Tags: cryptocurrency

Jun 13 2021

FBI/AFP-Run Encrypted Phone

Category: Backdoor, Crypto, Cryptography | DISC @ 9:33 am

If there is any moral to this, it’s one that all of my blog readers should already know: trust is essential to security. And the number of people you need to trust is larger than you might originally think. For an app to be secure, you need to trust the hardware, the operating system, the software, the update mechanism, the login mechanism, and on and on and on. If one of those is untrustworthy, the whole system is insecure.

It’s the same reason blockchain-based currencies are so insecure, even if the cryptography is sound.

Tags: Australia, backdoors, cryptocurrency, encryption, FBI, law enforcement, trust

Jun 02 2021

Critical 0day in the Fancy Product Designer WordPress plugin actively exploited

Category: Crypto, Zero day | DISC @ 9:41 pm

Researchers from the Wordfence team at WordPress security company Defiant warn that a critical zero-day vulnerability, tracked as CVE-2021-24370, in the Fancy Product Designer WordPress plugin is actively exploited in the wild.

Fancy Product Designer is a premium plugin that allows customers to design and customize any kind of product in their online stores, it is currently installed on more than 17,000 websites.

Experts pointed out that the vulnerability can be exploited only in certain configurations, but that it is exploitable even when the plugin is installed but not active.

Attackers are exploiting the flaw to extract order information from site databases, though the vulnerability is not believed to be under large-scale attack.

Users can customize their products by uploading images and PDF files, but the experts found that the checks in place to prevent malicious files from being uploaded are insufficient and can easily be bypassed.

“Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed.” reads the post published by the experts. “This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.”

The flaw has been rated with a CVSS score of 9.8 out of 10, an attacker could exploit the issue to upload executable PHP files to online stores that have the plugin installed.
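As an added example that is not the plugin's code, the Python below contrasts a blocklist-style extension check, of the kind that is bypassed by a case variant, an alternate PHP extension or a double extension, with an allowlist check that also inspects the file's leading bytes and stores the upload under a server-chosen name. The filenames and file contents are constructed; the MAGIC table and the helper names are this example's own.

```python
# Added example: the upload-filter bug class described above, in Python.
# It is not the Fancy Product Designer code; it contrasts a naive check
# with an allowlist check. Filenames and contents below are constructed.
import os
import secrets
from typing import Optional

# Leading bytes ("magic") of the formats the upload feature is meant to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def naive_is_allowed(filename: str) -> bool:
    """Blocklist on the literal extension. Bypassed by a case variant (.PhP),
    an alternate PHP extension (.phtml, .phar) or a double extension
    (shell.php.png) on servers whose handler mapping matches the inner one."""
    return not filename.endswith(".php")


def hardened_check(filename: str, content: bytes) -> Optional[str]:
    """Return the canonical extension if the upload is acceptable, else None.

    The client-supplied name contributes only a lower-cased final extension,
    which must be on the allowlist, and the content must start with that
    format's magic bytes. Directory components and double extensions are
    rejected outright.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base.count(".") != 1:
        return None                      # no extension, or shell.php.png
    stem, ext = base.lower().rsplit(".", 1)
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if not stem or ext not in MAGIC:
        return None
    if not content.startswith(MAGIC[ext]):
        return None                      # name says PNG, bytes say otherwise
    return ext


def stored_name(ext: str) -> str:
    """Server-chosen name: nothing from the client reaches the filesystem path.
    Store it outside the web root, or under a directory the web server is
    configured never to execute scripts from, so even a polyglot that passes
    the magic check (PNG header, PHP tail) is served as data, not run."""
    return f"{secrets.token_hex(16)}.{ext}"
```

The magic-byte check is a filter, not a guarantee: a file can begin with a valid PNG header and still contain PHP. What actually prevents remote code execution is that the stored file can never be reached through a path the web server maps to a script handler, which is why the server-chosen name and the no-execute upload directory matter more than any test on the bytes.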

Tags: plugin exploited

Apr 28 2021

Microsoft Defender uses Intel TDT technology against crypto-mining malware

Category: Crypto, Information Security | DISC @ 2:08 pm

Microsoft announced that Microsoft Defender for Endpoint, the commercial version of the Windows 10 Defender antivirus, implements a new mechanism that leverages Intel's Threat Detection Technology (TDT) to block cryptojacking malware using CPU-level telemetry.

Cryptojacking malware allows threat actors to secretly mine for cryptocurrency abusing computational resources of the infected devices.

The Intel TDT technology allows sharing heuristics and telemetry with security software that could use this data to detect the activity associated with a malicious code. Intel TDT leverages machine learning to analyze low-level hardware telemetry produced by the CPU performance monitoring unit (PMU) and uses it to detect the malware code execution “fingerprint” at runtime. TDT is currently implemented in Intel Core processors and any Intel CPU series that supports Intel vPro technologies, 6th Generation or later.

“Today, we are announcing the integration of Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, an addition that enhances the detection capability and protection against cryptojacking malware.” reads the announcement published by Microsoft. “TDT leverages a rich set of performance profiling events available in Intel SoCs (system-on-a-chip) to monitor and detect malware at their final execution point (the CPU). This happens irrespective of obfuscation techniques, including when malware hides within virtualized guests, without needing intrusive techniques like code injection or performing complex hypervisor introspection. TDT can further offload machine learning inference to the integrated graphics processing unit (GPU), enabling continuous monitoring with negligible overhead.”


Tags: crypto-mining malware

Apr 03 2021

Decrypting Cryptocurrencies

Category: Crypto | DISC @ 10:50 am

Cryptocurrencies are a topic that touches many areas; not only finance and investing but technology and even political arenas. Although apolitical in itself, it is the structure behind these cryptocurrencies that makes them a much talked about subject amongst political purists from across the political spectrum. This structure can be boiled down to the following: think of cryptocurrencies as a 'big spreadsheet', and when you 'mine' crypto you essentially fill in the spreadsheet, keeping the ledger up to date on who is transferring currency to another party.

It is perhaps this decentralised nature which has contributed to the meteoric rise of cryptocurrency value. Modern investors see the value in having an immutable ledger, meaning that external users or third parties cannot tamper with previous transactions. This becomes more crucial when you consider the impact that quantitative easing has had on the economy over the past several decades. Cryptocurrencies, compared to their physical counterparts, are practically immune from quantitative easing as there is a predetermined number of coins in circulation at one time, meaning that they are impervious to inflation. This has contributed to more individuals over the years turning to cryptocurrencies as a 'safe-haven asset' in the same way that investors would traditionally turn to gold. In my eyes, I see Bitcoin as better at being Gold than Gold itself, because of its ability to be infinitely divisible into micro units and decimal points of a Bitcoin rather than a single gold coin. It also inherits another important characteristic of Gold which has fuelled its rise in price: it is finite; there will only ever be 21 million of them in circulation (once all mined). Compare this to standard modern currency; on money printing and inflation, consider this: a fifth of all US Dollars were created in 2020, and now in 2021 President Biden is considering a $1.9 Trillion stimulus plan. Indeed, it is this effort by central banks across the globe to print their way out of a pandemic/unstable economy that, in my opinion, has led to the exponential price increase in Bitcoin during 2020 rather than any other factor. As long as this continues (which it almost certainly will), faith in fiat currency will wane and interest in "unprintable" cryptocurrencies will only increase.

more on: Decrypting Cryptocurrencies


Tags: Decrypting Cryptocurrencies

Apr 03 2021

Attackers are abusing GitHub infrastructure to mine cryptocurrency

Category: Crypto | DISC @ 10:41 am

Code repository hosting service GitHub launched an investigation in a series of attacks aimed at abusing its infrastructure to illicitly mine cryptocurrency.

Such attacks have been reported since at least the end of 2020, when some software developers reported the malicious activity on their repositories.

“I was attacked by a github user that crafted a malicious github action to start a crypto-mining program inside an action run. He triggered it in my github actions thanks to a shitty pull request.” reads a post reporting a similar attack.

The Record reported that threat actors are abusing the GitHub Actions feature which was implemented to allow the automatic execution of software workflows.

Experts warn that threat actors are targeting repositories that have this feature enabled, adding malicious GitHub Actions and filing malicious Pull Requests so that the attacker's code gets executed.

“In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record.

“But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.”

In recent attacks, threat actors have been running their own code on the code repository hosting service's infrastructure to mine cryptocurrency; in some cases, attackers deployed hundreds of miners in a single attack.

Tags: mine cryptocurrency

Mar 08 2021

How Hackers Cash out Stolen Bitcoin & Ransomed

Category: Crypto | DISC @ 4:35 pm

Since cryptocurrency transactions are pseudonymous rather than tied to a verified identity, cybercriminals use them in dark markets for illicit trading. Through ransomware attacks like WannaCry, Petya, Locky, and Cerber, hackers receive a lot of money. Moreover, we hear about cryptocurrency exchange hacks every so often, in which attackers steal thousands of dollars in Bitcoin. But how do they cash out, that is, convert the stolen coins into fiat currency?

An example of how much hackers are after cryptocurrencies is the recent news of the "thefts of 2020". Bitcoin is one of the most valuable cryptocurrencies, and about half a billion dollars' worth of it was stolen in total.

After stealing cryptocurrency from exchanges and ransomware targets, cybercriminals understandably will not keep it in that form. The next move is to turn the cryptocurrency into real-world currency. Several cryptocurrency platforms enable cybercriminals to cash out their bitcoin without being detected, i.e., anonymously.

According to Google researchers, many victims buy bitcoins through Craigslist and Localbitcoins, and since 2014 more than 95% of all bitcoin payments received from ransomware targets were cashed out through a Russian bitcoin exchange called BTC-E.

As per a report by Chainalysis, cybercriminals use progressively rigorous techniques to transform illicitly acquired cryptocurrency into real money. Criminal entities sent $2.8 billion in bitcoin via cryptocurrency exchanges in 2019, and attackers utilize platforms known as "over-the-counter brokers" to turn cryptocurrency into real money.

Tags: Cash out Stolen Bitcoin

Mar 08 2021

UnityMiner targets unpatched QNAP NAS in cryptocurrency mining campaign

Category: Crypto, Cybercrime | DISC @ 11:11 am

Researchers at 360Netlab are warning of a cryptocurrency malware campaign targeting unpatched network-attached storage (NAS) devices.


Threat actors are exploiting two unauthorized remote command execution vulnerabilities, tracked as CVE-2020-2506 & CVE-2020-2507, in the Helpdesk app that have been fixed by the vendor in October 2020.

The flaws affect QNAP NAS firmware versions prior to August 2020.

The malware involved in the campaign was dubbed UnityMiner by 360 Netlab experts.

“On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507); upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities.” reads the analysis published by 360 Netlab.

Threat actors customized the program to hide the mining process and the real CPU and memory usage, so that QNAP owners who check system usage via the web management interface do not see the malicious activity.

The mining program is composed of unity_install.sh and Quick.tar.gz. unity_install.sh downloads, sets up and executes the cryptocurrency miner and hijacks the NAS's manaRequest.cgi program. Quick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged manaRequest.cgi. The miner itself is XMRig.
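The forged CGI only lies to the web interface; the kernel still accounts for every jiffy the miner burns. One host-side check, as an added example that is not 360Netlab's tooling: compute CPU utilisation from two samples of the aggregate line of /proc/stat and compare it with whatever the UI reports. The two samples and the UI figure below are constructed; on a real device the samples would be read directly, for instance over SSH with `cat /proc/stat`, never through the device's own web CGI.

```python
# Added example (not 360Netlab's tooling): cross-check the CPU load the
# kernel accounts for against the figure a possibly forged web UI reports.
# The /proc/stat samples and the UI figure below are constructed.
from typing import Tuple


def _cpu_counters(stat_line: str) -> Tuple[int, int]:
    """Return (total jiffies, idle jiffies) from the aggregate 'cpu' line."""
    if not stat_line.startswith("cpu "):
        raise ValueError("not the aggregate cpu line: " + stat_line)
    fields = [int(x) for x in stat_line.split()[1:]]
    if len(fields) < 5:
        raise ValueError("too few fields: " + stat_line)
    idle = fields[3] + fields[4]          # idle + iowait
    return sum(fields), idle


def cpu_busy_percent(before: str, after: str) -> float:
    """Utilisation between two /proc/stat samples, as the kernel counts it."""
    t0, i0 = _cpu_counters(before)
    t1, i1 = _cpu_counters(after)
    total, idle = t1 - t0, i1 - i0
    if total <= 0:
        raise ValueError("samples are not in increasing order")
    return 100.0 * (total - idle) / total


def load_is_hidden(ui_percent: float, kernel_percent: float, tolerance: float = 15.0) -> bool:
    """True when the kernel sees far more work than the UI admits to."""
    return kernel_percent - ui_percent > tolerance


def read_live_sample() -> str:
    """On a real NAS: the first line of /proc/stat, read over SSH or a local
    shell, not through the device's web CGI (which is what was tampered with)."""
    with open("/proc/stat") as f:
        return f.readline()


# Constructed samples, about one second apart, from a box being mined on.
SAMPLE_BEFORE = "cpu 1000 0 500 8000 100 0 50 0 0 0"
SAMPLE_AFTER = "cpu 1900 0 1400 8200 100 0 50 0 0 0"
UI_REPORTED_PERCENT = 5.0     # what a forged status page might claim


def demo() -> Tuple[float, bool]:
    busy = cpu_busy_percent(SAMPLE_BEFORE, SAMPLE_AFTER)
    return busy, load_is_hidden(UI_REPORTED_PERCENT, busy)
```

The same principle applies to the other half of the deception: compare the hash of the installed manaRequest.cgi against a copy from the vendor's firmware image rather than trusting anything the running NAS reports about itself. A miner that also hooks /proc would defeat this check, so it is a triage step, not proof of a clean host.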

360 Netlab shared its findings with the vendor on March 3rd, and due to the possible big impact, the researchers publicly disclosed the attacks.

All NAS devices with QNAP firmware released before August 2020 are currently vulnerable to these attacks. 

The experts reported 4,297,426 potentially vulnerable QNAP NAS devices exposed online, 951,486 of them with unique IP addresses, most located in the United States, China, and Italy.

Tags: cryptocurrency mining, QNAP NAS, UnityMiner

Mar 04 2021

The Ultimate Blockchain & Bitcoin Guide

Category: Crypto | DISC @ 12:15 pm

Let us start with a scenario. Whenever there is an election, we always hear the rumor that there is rigging in the election. In the end, the result is either re-election or a recount of the votes. This whole process is a waste of time and money. If we cannot believe this system the first time, how can we do it a second time? And it is a great scenario where blockchain can be used in real life.

Now, what is the Blockchain?

If you search for blockchain on Google, you get millions of results. Judging by those millions of findings, blockchain is one of the most talked-about technologies of the moment. Blockchain is a decentralized, transparent, and trustless system: there is no need for any middleman or central authority, unlike banks, where a middleman is always involved. Blockchain is trustless because it uses algorithms to build trust within a decentralized system. A word often heard with blockchain is immutable, meaning that whatever is written once into the blockchain is never erased or altered afterwards. Blockchain performs two functions, reading and creating (appending new blocks).

Most people think that blockchain is bitcoin, or that it is limited to cryptocurrency and the financial industry. In fact, blockchain can solve lots of real-world problems, like the voting system we talked about at the beginning. So, blockchain is an online distributed system in which you store information, and this information can also be accessed by other parties. All information is stored inside a block, a container like a register. And all the blocks link to each other like a chain, as the name blockchain suggests.

There are three things in each block within the blockchain.

  • Data of the block: all the information, such as sender, receiver, amount, and source or destination address.
  • Hash of the block data: known as the backbone of the blockchain. A hash is not encryption; it is a one-way, fixed-length digest of the data (for example SHA-256). It cannot be reversed to recover the data, and any change to the data produces a completely different hash, so the hash value identifies the block's exact contents.
  • Hash of the previous block: links each block to the one before it, which is what creates the chain.
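As an added example, not code from the guide above, the Python below builds the three-part block just described (data, its own hash, the previous block's hash), adds a small proof-of-work nonce, and shows what "unchangeable" actually means in practice: editing an earlier block breaks that block's hash, re-mining only that block breaks the next block's back-link, and only redoing the work for every later block would restore a valid chain. The records and the difficulty setting are constructed.

```python
# Added example (not the guide's code): a minimal hash chain with a small
# proof-of-work, used to show how tampering with a past block is detected.
# The records and the difficulty are constructed for illustration.
import hashlib
import json

DIFFICULTY = 2  # required leading hex zeros; tiny so the example runs instantly


def block_hash(index, data, prev_hash, nonce):
    """SHA-256 over a canonical serialization of everything in the block."""
    payload = json.dumps([index, data, prev_hash, nonce], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(index, data, prev_hash):
    """Find a nonce whose hash meets the difficulty; returns (nonce, hash)."""
    nonce = 0
    while True:
        h = block_hash(index, data, prev_hash, nonce)
        if h.startswith("0" * DIFFICULTY):
            return nonce, h
        nonce += 1


def build_chain(records):
    chain, prev = [], "0" * 64
    for i, data in enumerate(records):
        nonce, h = mine(i, data, prev)
        chain.append({"index": i, "data": data, "prev_hash": prev,
                      "nonce": nonce, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the index of the first bad block, or None if the chain is intact.

    A block is bad if its back-link does not match the previous hash, if its
    stored hash does not match its contents, or if the hash fails difficulty.
    """
    prev = "0" * 64
    for b in chain:
        recomputed = block_hash(b["index"], b["data"], b["prev_hash"], b["nonce"])
        if (b["prev_hash"] != prev or b["hash"] != recomputed
                or not recomputed.startswith("0" * DIFFICULTY)):
            return b["index"]
        prev = b["hash"]
    return None


def tamper_demo():
    """Returns (intact, after_edit, after_remining_block_1)."""
    chain = build_chain([
        {"from": "alice", "to": "bob", "amount": 5},
        {"from": "bob", "to": "carol", "amount": 3},
        {"from": "carol", "to": "dave", "amount": 1},
    ])
    intact = verify_chain(chain)                        # None
    chain[1]["data"]["amount"] = 300                    # rewrite a past transfer
    after_edit = verify_chain(chain)                    # block 1: hash no longer matches
    chain[1]["nonce"], chain[1]["hash"] = mine(1, chain[1]["data"], chain[1]["prev_hash"])
    after_remine = verify_chain(chain)                  # block 2: back-link now stale
    return intact, after_edit, after_remine
```

Hashing alone does not make the ledger immutable: an attacker who controls the only copy can simply re-mine every block after the edit. What makes real chains hard to rewrite is that the work is expensive at real difficulty and that thousands of independent nodes hold copies and reject a history that does not match theirs.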

Source: The Ultimate Blockchain & Bitcoin Guide

Tags: Blockchain & Bitcoin Guide, Blockchain Bubble or Revolution
