BlockThreat - Week 32, 2019
Blockchain Village | Binance | Coinbase | APT41
For those of you still recovering from the BlackHat/Defcon conferences, I am happy to report that the Blockchain Security Village was a real success! Featuring about two dozen high-quality talks and two competitions running in parallel, it felt like a conference within a conference. Watch out for Defcon releasing conference recordings in the next few weeks to check out some of the talks. There are also a number of security talks coming up during Berlin's blockchain week, covered below.
In other news, Binance was a hot topic with an extortion attempt and a cache of leaked KYC data; a U.N. report described North Korea raising funds by hacking every cryptocurrency exchange and bank it can get to; an excellent APT41 report covered a Chinese nation-state actor that targets the cryptocurrency industry when it's not busy running espionage operations; and there is plenty of new malware to watch out for.
News:
- North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report - a report discussing at least 35 instances of attacks targeting financial institutions, cryptocurrency exchanges and miners to generate income for the isolated nation state.
- Responding to Firefox 0-days in the wild - a deep dive into the exploit and the actors behind an attempted hack targeting Coinbase in June. The blog discusses a sophisticated and long-term spear phishing attack, a well prepared 0-day payload, and the response by the Coinbase Security team.
- An Extortion Gone Bad: Inside Binance's Negotiations With Its 'KYC Leaker' - the story behind the recent KYC leak. The article features an interview with an alleged actor behind the leak, who also claims to have access to some of the 7000 BTC stolen from Binance in July. Binance released a separate statement regarding the leak, describing an apparent 300 BTC extortion demand in exchange for not releasing the stolen data, as well as a 25 BTC reward for any information leading to the capture of the people behind the leak.
Events:
- Web3 Summit 2019 - a security node during the Web3 summit on August 19-21 will include workshops on everything Ethereum security from Solidified, MythX, Zeppelin, and others.
- #blockchainhackers vol.3 - a security meetup on August 22nd during Berlin blockchain week which will include speakers from ConsenSys, Hacken, ChainSecurity, SmartDec, and others.
- Capture the Coin - a month long CTF competition has kicked off during the Blockchain Village at Defcon and will continue until September 9th. The competition includes a number of blocksec related challenges such as smart contract exploitation, cryptography puzzles, blockchain investigations, wallet malware, and others. A number of my coworkers at Coinbase and myself have put together this competition and hope you will enjoy playing it.
- Chain Heist - an excellent CTF-style competition featuring a number of vulnerable Ethereum smart contracts covering a wide range of security issues. The main event, where I had the privilege to compete and win the main prize, is over; however, all of the challenges are still up and you can play them today.
Research:
- Binance Hack 2019 – A Deep Dive Into Money Laundering And Mixing - a research article investigating the recent surge in activity of a crypto mixing service, Chipmixer. The article links the activity to BTC stolen from the Binance and BitPoint exchanges.
- ShapeShift Security Update - an in-depth discussion of a recently reported side channel attack against ShapeShift (and other hardware wallets).
- Litecoin Dusting Attack - a notification and a linked research article by Binance into the ongoing dusting attack on the Litecoin network.
- Bitcoin vaults with anti-theft recovery/clawback mechanisms - a soft fork proposal to create a delay period during which a wallet owner could observe and respond to the theft of funds.
- Double Dragon - APT41, a dual espionage and cyber crime operation - a detailed report by FireEye on a state-sponsored actor conducting a number of financially motivated intrusions in addition to espionage and surveillance operations. The group's focus on virtual currency targets, including in-game currencies, cryptocurrencies, and related services, is of particular interest to readers. The report provides a detailed view of the group's malware capabilities, initial compromise and post-exploitation techniques. In at least one instance the group attempted to install ransomware, and in another it deployed an XMRig miner.
- 246 Findings From our Smart Contract Audits: An Executive Summary - a detailed statistical analysis of the vulnerability classes discovered across 23 security audits with a total of 246 security findings. Data validation and access control flaws were the most common findings, constituting 36% and 10% of total findings respectively. The report also points out that almost 49% of the findings are unlikely to be discovered with static or dynamic analysis tools and require a human auditor to detect.
- The Elliptic Data Set: opening up machine learning on the blockchain - background information on the recently released bitcoin transaction data set.
- Bitcoin Security under Temporary Dishonest Majority - a research study which examines several scenarios where a dishonest majority temporarily takes over the Bitcoin network.
Malware:
- Access Mining - How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model - a detailed Carbon Black report on the Smominru cryptominer, which has now started to exfiltrate data and provide remote access. The report links Smominru to a separate MyKings botnet and to a marketplace that sells access to infected hosts.
- Clipsa – Multipurpose password stealer - an Avast Antivirus report on a Visual Basic malware sample capable of stealing cryptocurrency wallets, brute-forcing WordPress credentials, silently replacing cryptocurrency addresses in the clipboard, and installing an XMRig miner.
- Saefko: A new multi-layered RAT - a Zscaler report on a new .NET malware with remote execution, keylogging, connection proxying, and data stealing capabilities. The malware is interesting because it specifically targets machines with evidence of the user having visited major cryptocurrency company websites, including Coinbase, Kraken, ShapeShift, Bitfinex, and others.
Media:
- Hashing It Out #55 – Diligence – Steve Marx - an interesting podcast on the birth and mission of ConsenSys Diligence to secure Ethereum smart contracts.
Tools:
- Crytic: Continuous Assurance for Smart Contracts - a continuous integration tool to automatically run an array of smart contract security tests.
That's all for this busy week in blockchain threat intelligence. Stay safe and see you next week!