BlockThreat - Week 23, 2019
Komodo | Gatehub | BlackSquid | VeriSol
This week started out with two major hacks: a supply chain attack targeting Komodo’s Agama wallet, and the largest XRP theft by far (25 million XRP) from Gatehub.net. There was also an increase in the variety of cryptocurrency-related malware, ranging from classic ransomware to increasingly sophisticated cryptominers and private key harvesters. Microsoft continues to invest in the blockchain industry by adapting the Boogie verification framework to Solidity in a tool called VeriSol.
Hacks:
- Plot to steal cryptocurrency foiled by the npm security team - a malicious Node.js package, electron-native-notify, found its way into Komodo’s Agama Wallet, designed to steal users’ seed phrases and upload them to a public server. The Komodo team responded by collecting the stolen seed phrases from the public server and sending approximately 8 million KMD and 96 BTC to a secure wallet controlled by Komodo. The attacker spent months building a useful module and getting it into the supply chain before turning it malicious. The module was also designed to store the stolen seed phrases on a server that anyone could access, in an apparent attempt to obscure the attacker’s identity. On the defender side it was great to see a proactive incident response that secured customers’ funds before the attacker had a chance to empty them.
Indicators: Malicious payload: https://updatecheck[.]herokuapp[.]com/check
- Overview of the “Gatehub hack” - On June 6, 2019, Gatehub issued a notification regarding a compromise of a number of XRP Ledger wallets hosted on its platform. The internal investigation showed that the attacker gained access to a database holding access tokens, affecting 18473 accounts. XRP Forensics conducted an unofficial investigation of the hack and concluded that up to ~25 million XRP (~$9 million) was stolen.
Indicators: Attacker’s XRP accounts (address list omitted).
- Stolen Bitfinex BTC Is on the Move - a number of stolen Bitcoin started moving after lying dormant since the 2016 Bitfinex hack. Bitfinex confirmed that the funds on the move were not associated with the special recovery procedure outlined in the UNUS SED LEO white paper. Specifically, the paper outlines a “safe and private” way for criminals to return stolen assets while keeping a percentage for themselves as a reward for collaborating.
Malware:
- BlackSquid Slithers Into Servers and Drives With 8 Notorious Exploits to Drop XMRig Miner - Trend Micro reports a new advanced malware family that employs an array of anti-reversing techniques and a library of exploits including EternalBlue, DoublePulsar, CVE-2014-6287 (Rejetto HTTP File Server), CVE-2017-12615 (Apache Tomcat), CVE-2017-8464 (LNK file), and several ThinkPHP framework exploits. The malware is configured to download an XMRig payload to mine Monero.
- Monero-Mining Malware PCASTLE Zeroes Back In on China, Now Uses Multilayered Fileless Arrival Techniques - Trend Micro reports on a PowerShell-based fileless malware (PCASTLE) retargeting China to install the XMRig miner. The malware uses the EternalBlue exploit and the pass-the-hash technique for propagation.
- Fake Cryptocurrency Trading Site Pushes Crypto Stealing Malware - a report on a malware campaign distributed through a fake Cryptohopper trading website. The Vidar malware sample is capable of stealing a user’s information such as saved login credentials, cryptocurrency wallets, Authy 2FA databases, etc. The malware also downloads and installs the QuLab trojan, which replaces cryptocurrency addresses in the clipboard with ones controlled by the attacker.
- Baltimore Ransomware Hackers Cost City $18M, Release Documents, Taunt Mayor - the city of Baltimore lost $18M in potential revenue while city officials were cleaning up their network after the RobbinHood ransomware. The malware was most likely downloaded through a phishing email. In a report on KrebsonSecurity.com, Brian Krebs notes that the ransomware may be part of an ongoing ransomware-as-a-service campaign.
Bugs:
- Dependency Audit Retrospective: June 2019 - a retrospective by the MetaMask team after 29 high-severity vulnerabilities were reported in the popular Ethereum wallet. The report concludes that the required npm audit deployment step had been disabled to allow for an emergency fix and was never turned back on.
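The failure mode above is a bypass that outlives the emergency it was created for. As an added example (not MetaMask’s tooling), the deployment gate below reads an audit report in the shape of npm 6’s `npm audit --json` output and only honours exceptions that carry an expiry date, so a forgotten bypass fails the build instead of silently staying on. The report, the module names and the exception list are constructed sample data.

```python
import json
from datetime import date

# Constructed sample in the shape of npm 6 `npm audit --json` output (advisories keyed by id).
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1001": {"id": 1001, "module_name": "left-pad-ish", "severity": "high",
                 "title": "Prototype pollution"},
        "1002": {"id": 1002, "module_name": "electron-native-notify", "severity": "critical",
                 "title": "Malicious package"},
        "1003": {"id": 1003, "module_name": "lodash-ish", "severity": "low",
                 "title": "ReDoS"},
    }
})

# Constructed exception list: every bypass must name an expiry date, so an
# "emergency fix" exception cannot live forever without anyone noticing.
SAMPLE_EXCEPTIONS = {
    "1001": {"expires": "2019-06-30", "reason": "hotfix; follow-up tracked in issue #PLACEHOLDER"},
}

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def audit_gate(audit_json, exceptions, today_iso, min_severity="high"):
    """Return (passed, blocking_ids, expired_ids) for one audit report.

    An advisory blocks deployment when its severity is at or above min_severity
    and no *unexpired* exception covers it. Expired exceptions are reported
    separately so the team sees exactly which bypass was left switched on.
    """
    report = json.loads(audit_json)
    today = date.fromisoformat(today_iso)
    threshold = SEVERITY_RANK[min_severity]
    blocking, expired = [], []
    for adv_id, adv in report.get("advisories", {}).items():
        if SEVERITY_RANK.get(adv.get("severity", "info"), 0) < threshold:
            continue  # below the gate's severity threshold
        exc = exceptions.get(adv_id)
        if exc and date.fromisoformat(exc["expires"]) >= today:
            continue  # covered by a still-valid, documented exception
        if exc:
            expired.append(adv_id)  # the bypass outlived its expiry date
        blocking.append(adv_id)
    return (len(blocking) == 0, sorted(blocking), sorted(expired))


if __name__ == "__main__":
    ok, blocking, expired = audit_gate(SAMPLE_AUDIT, SAMPLE_EXCEPTIONS, "2019-07-01")
    print("deploy allowed:", ok, "blocking:", blocking, "expired exceptions:", expired)
```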
Tools:
- VeriSol - Microsoft Research’s formal verification tool for Solidity smart contracts. The tool is based on the Boogie verification toolchain and works directly on Solidity source code. You can read the announcement on the Microsoft Research Blog.
That’s all for this week’s newsletter. On a lighter note, a good samaritan developer helped return 2000 ETH that had accidentally been sent to a Mainnet address instead of a Ropsten one. The recovery was made possible by precisely deploying a Mainnet smart contract that could recover the funds.