BlockThreat - Week 13, 2019
DragonEx | Bithumb | Lazarus | Gustuff
This week was filled with news of cryptocurrency exchanges in Asia getting hacked. Coincidentally, check out Kaspersky’s report on the Lazarus APT group and their efforts to attack crypto businesses in Asia. At this rate, exchanges experiencing an outage must reassure their customers that they are safe (or may actually be hacked).
Hacks:
- DragonEx exchange hacked — a confirmed compromise on March 24th resulted in a loss of BTC, ETH, EOS, USDT, and other crypto assets worth $6 million. PeckShield published a great report on the movements of stolen funds and attackers’ addresses.
- Bithumb exchange hacked — $19 million worth of EOS and XRP assets were stolen on March 29th from Bithumb’s hot wallet in the reported insider attack (Korean). SlowMist team has documented the compromise timeline here.
- BiKi exchange hacked — On March 25th, BiKi reported a $133,000 loss due to a compromise of a 3rd party SMS code verification service (Chinese).
- Etbox platform hacked — On March 24th, Etbox reported a $132,000 loss as a result of the hot wallet compromise (Chinese).
News:
- The CoinBene situation: $105 million in crypto on the move — there are growing fears that the exchange may have been compromised contrary to the official statement.
- Cryptocurrency businesses still being targeted by Lazarus — a continuous campaign by the Lazarus APT group (North Korea) targeting cryptocurrency organizations in Asia. The group’s malware arsenal now includes macOS backdoors in addition to PowerShell and Office droppers.
- Gustuff Banking and Crypto Malware — a new generation of Android malware targeting Banking and Crypto Services. Gustuff can interact with legitimate apps such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase, etc. by abusing Android Accessibility Services to fill out fields and trigger transactions. Gustuff can also display fake push notifications to point users to fake login pages to steal credentials. It uses SMS as a propagation mechanism.
- Kraken Security Labs — Kraken announced new security efforts to help improve the security of the entire cryptocurrency ecosystem.
- YouTube advertising backdoored version of Electrum Wallet — a malicious link was found embedded in a YouTube video, directing users to download a backdoored version of the software from a typosquatted domain.
Bugs:
- Solidity Optimizer and ABIEncoderV2 Bug — Solidity compiler 0.5.7 fixes a buffer overflow bug in Ethereum smart contracts using the experimental ABIEncoderV2 pragma.
- EOS Block Producers are exploiting a protocol bug to manipulate votes — the EOS voting protocol implements a voter decay mechanism to give newer BPs a chance to get elected with newer votes. Block producers like EOS Cafe have been exploiting a bug to effectively disable voter decay and ensure their place at the top.
- Stellar suffered (and quietly patched) a 2.2 billion XLM inflation bug in 2017 — more information became available about a bug which was successfully exploited two years ago to generate 2.25 billion Stellar Lumens.
- Istanbul bug bounty announcement — 20 ETH bug bounty was announced for the upcoming Istanbul fork.
Tools:
- Detecting the Top 4 Critical Ethereum Smart Contract Vulnerabilities with MythX — using Sabre with MythX to discover vulnerabilities in a local Solidity contract.
Research:
- Visualizing HTLCs and the Lightning Network’s Dirty Little Secret — an interesting research article discussing an edge case in the Lightning Network where payments sent below the BTC dust threshold may result in loss of funds.
Events:
- CCTF event is now over — challenges are still live if you would like to experiment with smart contract security.
This wraps up the intelligence collected for this week. As always feel free to drop a line on any interesting news that I may have missed.