BlockThreat - Week 24, 2020
Filecoin | Kubernetes | SpaceX | Estonia
There was an uptick in scam reports this week, ranging from Estonia’s massive cleaning operation to fake Elon Musks and a fake Privnotes site. Malicious Monero miners are still hacking everything they can get their hands on, from Azure Kubernetes servers to vulnerable SQL and Windows boxes. Also, a big oops on Filecoin’s testnet, where miners exploited an inflation bug to mint millions.
In other news, Craig Wright may have just incriminated himself in the Mt. Gox hack by claiming ownership of one of the attacker’s BTC addresses.
Hacks
- A theory that the recent high-fee transactions on the Ethereum network were part of the exchange blackmail campaign.
Vulnerabilities
- An inflation bug was discovered and exploited by 6Block on Filecoin’s testnet, with several accounts now holding a billion each. No additional details are available on the vulnerability; however, it appears that the bug is exploitable by miners.
Scams
- A massive crackdown on Estonia’s cryptocurrency companies involved in money laundering and other scams.
- Multiple YouTube channels were hijacked as part of the Elon Musk/SpaceX impersonation campaign to steal Bitcoin.
- A definitive Ontario Securities Commission report on the QuadrigaCX exchange.
- A Privnotes[.]com phishing site was found to alter Bitcoin addresses sent in private messages.
Malware
- The Kingminer cryptominer targets SQL servers with weak passwords and Windows hosts vulnerable to the EternalBlue exploit to install XMRig and Mimikatz payloads.
- A number of misconfigured Azure Kubernetes clusters were exploited to mine Monero.
Research
- A research article by Trail of Bits on exploiting ECDSA nonce bias.
- Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users.
- Attacking Bitcoin Core by Amiti Uttarwar.
That’s all for this week in Blockchain Threat Intelligence. Check out /r/BlockSec for more up-to-the-minute news, and see you all next week.
-Peter