BlockThreat - Week 19, 2019
Binance | CORA | TRX | Confluence
This week's news was dominated by the high-profile Binance hack, the largest exchange yet in the continuing series of compromises. In this edition of the intelligence report I will discuss what went right and wrong with the way Binance handled the incident, give an update on the Tron backdoor from last week, cover a couple of critical bugs, and look at the latest in cryptominer malware trends.
News:
- Crypto Traders Ponder Blacklist to Keep Scammers, Thieves at Bay - a Bloomberg article on the recent CORA (Crypto OTC Roundtable Asia) meeting in Chicago on increasing trust in the crypto ecosystem. The attendees discussed creating both a whitelist of crypto businesses in good standing and a blacklist of known malicious parties, to be shared among members.
Hacks:
- Binance Security Breach - On May 7, 2019 Binance shared news of a breach resulting in a loss of approximately 7,000 BTC ($40 million). Based on the official report, the actors used a variety of advanced techniques, including phishing and malware. Analysis of the BTC transaction from the breach revealed that the attacker consolidated the stolen Bitcoin into seven addresses and avoided moving them to other exchanges right away. You can track the movement of the stolen funds on Sentinel Protocol's incident tracker.
Several things went well with the incident. Only 2 hours passed between the transaction above and the public notification, an excellent level of transparency that Binance kept up throughout the investigation. It was also great to see the community coming together to support CZ and Binance! On the other hand, the initial "unscheduled server maintenance" communication was misleading. A tweet, made under high stress, floating the use of a re-org to recover the funds resulted in a backlash. Jimmy Song had a writeup on why this is not the right strategy in the case of a compromise.
Binance is planning to resume external deposits and withdrawals on Tuesday. With only a week elapsed since the hack, it also remains to be seen whether enough time has passed to fully investigate and kick out the attackers.
- TRX Pro Backdoor Report - a detailed timeline and report explaining how the Tron smart contract was backdoored, by whom, and how it was later exploited. According to the report, the attacker was running an online Tron IDE at http://tronsmartcontract[.]space, which he used to add a backdoor at compilation time. The attacker also spoofed the contract verification check on his site to trick the TRX Pro developers into thinking that everything was fine. The incident illustrates the importance of independently verifying third-party code, and the behaviour of a contract, after it is deployed on Tron or any other platform.
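One defensive check the TRX Pro incident argues for is verifying the deployed bytecode yourself, independent of any third-party IDE or its verification page. The following is an added example, not code from the report or from Tron: it compares on-chain runtime bytecode against a trusted local build, ignoring only the solc metadata trailer (assumed here to use the same CBOR layout on Tron as on Ethereum); the bytecode strings are constructed for illustration, not real compiled contracts.

```python
import hashlib

METADATA_TAGS = (b"bzzr0", b"bzzr1", b"ipfs")

def strip_solidity_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer solc appends to runtime bytecode.

    The last two bytes give the trailer length (big-endian); the trailer is only
    removed when it looks like solc metadata, so untagged bytecode is returned
    unchanged. Assumption: Tron's solc fork emits the same layout as Ethereum's.
    """
    if len(code) < 2:
        return code
    trailer_len = int.from_bytes(code[-2:], "big")
    if trailer_len + 2 > len(code):
        return code
    trailer = code[-(trailer_len + 2):-2]
    if not any(tag in trailer for tag in METADATA_TAGS):
        return code
    return code[:-(trailer_len + 2)]

def compare_bytecode(onchain_hex: str, local_hex: str) -> dict:
    """Compare deployed bytecode with a trusted local build, metadata excluded.

    Differing metadata hashes are expected (build paths, compiler settings);
    any difference in the executable part is the red flag.
    """
    onchain = strip_solidity_metadata(bytes.fromhex(onchain_hex.replace("0x", "", 1)))
    local = strip_solidity_metadata(bytes.fromhex(local_hex.replace("0x", "", 1)))
    if onchain == local:
        return {"match": True, "first_diff": None, "extra_bytes": 0}
    first_diff = next((i for i, (a, b) in enumerate(zip(onchain, local)) if a != b),
                      min(len(onchain), len(local)))
    return {"match": False, "first_diff": first_diff,
            "extra_bytes": len(onchain) - len(local)}

def fake_metadata_trailer(seed: bytes) -> bytes:
    """Constructed solc-style trailer {"bzzr0": sha256(seed)} for the sample data."""
    cbor = b"\xa1" + b"\x65bzzr0" + b"\x58\x20" + hashlib.sha256(seed).digest()
    return cbor + len(cbor).to_bytes(2, "big")

# Constructed sample data, not a real compiled contract: a trusted local build,
# the same source rebuilt elsewhere, and a copy with extra opcodes inserted.
BODY = "6080604052348015600f57600080fd5b50"
LOCAL_BYTECODE = BODY + fake_metadata_trailer(b"local build").hex()
REBUILT_BYTECODE = BODY + fake_metadata_trailer(b"rebuilt elsewhere").hex()
ONCHAIN_BYTECODE = BODY + "336000" + fake_metadata_trailer(b"untrusted ide").hex()
```

Feed `compare_bytecode` the runtime bytecode fetched from a node you control and the output of your own compiler run; a `first_diff` inside the executable part means the deployed code is not what you compiled, whatever a third-party verification page claims.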
Bugs:
- Critical Vulnerability in MakerDAO - a technical writeup on a vulnerability in the MakerDAO governance protocol that could have allowed a malicious actor to remove votes and indefinitely lock users' MKR tokens. PeckShield has an additional writeup of the vulnerability with source code analysis.
- TRON suffered from a critical bug that could've crashed its entire blockchain - a HackerOne report was made public documenting a DoS vulnerability in the way the deploy-contract function handles large decimal values.
Malware:
- CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit - a detailed writeup from Trend Micro on Linux malware exploiting Confluence to install the XMRig Monero miner. It's interesting that the malware comes with a rootkit to hide its CPU usage and TCP connections.
This concludes the threat intelligence for this week. Stay safe out there, and good luck if you are one of the now 60k hunters in Satoshi's Treasure.