BlockThreat - Week 30, 2019
QuickBit | YouHodler | FumbleChain | Kraken
This week brought two data leak incidents at cryptocurrency companies, QuickBit and YouHodler, together exposing millions of records. The leaked data included credit card numbers, names, wallet addresses, and other PII. On a more positive note, Kudelski Security released a blockchain security wargame called FumbleChain, and the What Bitcoin Did podcast hosted an interesting interview with Kraken's CISO.
Hacks:
- Stock market listed cryptocurrency retailer QuickBit exposes over 300,000 records - More than 300 thousand records were leaked from QuickBit, a stock-market-listed Swedish cryptocurrency exchange. The leak included customer names, payment data, dates of birth, and other sensitive data. The exposed MongoDB database was first indexed by Shodan on June 28th and was locked down five days later, after notification by Comparitech and Bob Diachenko.
- YouHodler Breach Exposes Data for Thousands of Cryptocurrency Users - 86 million records were exposed by the cryptocurrency lender YouHodler. The exposed data included names, credit card numbers, banking details, wallet addresses, and other sensitive information. The leak was discovered by security researchers at vpnMentor as part of their project scanning the Internet for open databases. YouHodler closed access to the database within 24 hours of being notified.
Research:
- Introducing FumbleChain - A Purposefully Vulnerable Blockchain - a great project by Kudelski Security to raise awareness of blockchain security through a series of wargames. Check out the related Arsenal demo at the upcoming Black Hat 2019 conference.
- Improving JoinMarket's resistance to sybil attacks using fidelity bonds - a new proposal to increase the cost of running sybil attacks by burning or time-locking coins.
Media:
- Nicholas Percoco on Defending the Crypto Honeypot - an interesting interview with Kraken's CISO on the threats facing the cryptocurrency ecosystem, including some details on how Kraken defends its users and employees. Nicholas has a particularly fun background, coming from early hacking, doing security research at SpiderLabs, and being part of the "I Am The Cavalry" movement.
Malware:
- Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet ‘Zombies’ - an in-depth report on the evolution of a malware strain that targets vulnerable Elasticsearch databases to mine cryptocurrency and install backdoors.
Indicators:
Filesystem IOCs:
Hashes Detected as ELF_SETAG.SM (SHA-256):
8ebd963f86ba62f45b936f6d6687ccb1e349a0f8a6cc19286457895c885695c8 (.pprt)
cfe3dccf9ba5a17e410e8e7cf8d0ff5c1b8688f99881b53933006250b6421468 (.ppol)
Network IOCs:
hxxps://crazydavesslots[.]com/[.]ppol
hxxp://aduidc[.]xyz
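To make the indicators above directly usable, here is an added example (written for this newsletter, not code from the Trend Micro report or any of the projects mentioned) that refangs the defanged URLs, extracts their hosts for log matching, and sweeps a directory for files whose SHA-256 matches the published Setag hashes. The log lines embedded in it are constructed for illustration and are not real telemetry.

```python
import hashlib
import os
import re

# Hashes copied from the "Filesystem IOCs" section above (ELF_SETAG.SM), keyed to
# the file suffix the report associates with each sample.
SETAG_SHA256 = {
    "8ebd963f86ba62f45b936f6d6687ccb1e349a0f8a6cc19286457895c885695c8": ".pprt",
    "cfe3dccf9ba5a17e410e8e7cf8d0ff5c1b8688f99881b53933006250b6421468": ".ppol",
}

# Network indicators exactly as published (defanged); they are refanged only in memory.
DEFANGED_NETWORK_IOCS = [
    "hxxps://crazydavesslots[.]com/[.]ppol",
    "hxxp://aduidc[.]xyz",
]

# Constructed sample log lines (not real data) in a generic "timestamp kind key=value" shape.
SAMPLE_LOG = [
    "2019-07-22T10:14:03Z dns query=crazydavesslots.com type=A src=10.0.0.5",
    "2019-07-22T10:14:04Z http GET https://crazydavesslots.com/.ppol src=10.0.0.5",
    "2019-07-22T10:15:00Z http GET https://example.org/ src=10.0.0.9",
    "2019-07-22T10:16:21Z dns query=aduidc.xyz type=A src=10.0.0.5",
]


def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable URL string."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("(.)", ".")


def ioc_hosts():
    """Return the lower-cased host component of every refanged network IOC."""
    hosts = set()
    for ioc in DEFANGED_NETWORK_IOCS:
        m = re.match(r"https?://([^/]+)", refang(ioc))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root):
    """Walk root and return (path, suffix) for each file whose SHA-256 is a known Setag hash."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of(p)
            except OSError:
                # Unreadable or vanished file; skip rather than abort the sweep.
                continue
            if digest in SETAG_SHA256:
                hits.append((p, SETAG_SHA256[digest]))
    return hits


def match_log_lines(lines):
    """Return the log lines that mention any known C2 host (DNS, proxy, or netflow style)."""
    hosts = ioc_hosts()
    return [line for line in lines if any(h in line.lower() for h in hosts)]


if __name__ == "__main__":
    for line in match_log_lines(SAMPLE_LOG):
        print("network IOC hit:", line)
    for path, suffix in scan_directory("/tmp"):
        print("file IOC hit:", path, "(known Setag sample", suffix + ")")
```

The host match is a plain substring test, so a hostname that merely ends in one of the IOC domains would also be flagged; for production use, anchor the match on the parsed host field of your log format instead. The hash sweep is only as good as the two published hashes, so treat a clean result as "no known sample present", not as proof the host is uninfected.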
See you all next week in another edition of Blockchain Threat Intelligence!