BlockThreat - Week 37, 2019
North Korea | EOS | Lightning | InnfiRAT
There were a number of interesting vulnerability reports in various blockchains and smart contracts this week. Check out the detailed incident report on a 30k EOS theft that also caused major EOS network outages. The U.S. Treasury published a sanctions report targeting several North Korean actors well known for their hacks of cryptocurrency exchanges.
News
- Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups - OFAC sanctions against several North Korean actors known for targeting the SWIFT messaging system, financial institutions, and cryptocurrency exchanges. Three groups were named in the news release: Lazarus Group, Bluenoroff, and Andariel.
Hacks
- EOS congestion 9/13/2019 and EOSPlay hack - a detailed incident report on the RNG hack of EOSPlay, which resulted in the theft of 30,000 EOS (about $120k) and major network outages. The vulnerable contract used data from the EOS blockchain itself as its source of entropy, which is not sufficient because everything on-chain is public.
Indicators:
Attacker’s EOS accounts:
mumachayinmm
gotoworkhome
mumachayinm1
mumachayinm2
mumachayinm3
mumachayinm4
mumachayinm5
- Operation: CryptoKitty Rescue - a fun research article where the good guys had to devise ways to race an attacker to recover assets from a compromised smart contract. No kitties were hurt in the making of this paper.
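The on-chain-entropy weakness behind the EOSPlay item above, as an added illustration that is not code from the incident report or from EOSPlay: a roll derived only from public block fields (the field names are assumptions) beside a commit-reveal scheme in which neither the chain nor one party alone fixes the outcome. Written in Python rather than EOSIO C++ so it runs stand-alone.

```python
import hashlib
import secrets


def weak_roll(block_num: int, block_prefix: int, player: str) -> int:
    """Constructed example of the weak pattern: a 'random' roll in 0..99
    derived only from on-chain values. Every input is public, so the
    outcome is fixed and knowable before the bet settles."""
    data = f"{block_num}:{block_prefix}:{player}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % 100


class CommitRevealRng:
    """Hardened alternative: the house publishes H(seed) before any bet,
    the player contributes their own entropy with the bet, and the seed is
    revealed only afterwards. The commitment lets anyone check that the
    house did not swap the seed after seeing the bet."""

    def __init__(self) -> None:
        self._seed = None  # kept secret until reveal

    def commit(self) -> bytes:
        # Publish this digest before accepting bets.
        self._seed = secrets.token_bytes(32)
        return hashlib.sha256(self._seed).digest()

    def reveal(self) -> bytes:
        if self._seed is None:
            raise RuntimeError("nothing committed yet")
        return self._seed

    @staticmethod
    def verify_and_roll(commitment: bytes, seed: bytes, player_entropy: bytes) -> int:
        # Reject any revealed seed that does not match the prior commitment.
        if hashlib.sha256(seed).digest() != commitment:
            raise ValueError("revealed seed does not match commitment")
        mixed = hashlib.sha256(seed + player_entropy).digest()
        return int.from_bytes(mixed[:4], "big") % 100
```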
Vulnerabilities and Hacks
- Lightning Network vulnerabilities actively exploited - in a follow-up to last week's notification, Lightning Labs has confirmed that the vulnerabilities were exploited in the wild and urged node operators to upgrade. There are still no details available about the nature of the three CVEs.
- Libra’s Move IR Compiler Vulnerability: Technical Description - an interesting vulnerability in Libra’s Move IR compiler that exploited the way line-break characters were parsed to embed malicious logic in source files. The bug was reported by the OpenZeppelin team.
- Maker DAO Collateral Theft - a vulnerability in the End contract allowed users with DSR deposits to steal collateral in the event of a shutdown (e.g. when migrating to a new contract). The bug was reported on HackerOne and earned a $25,000 bounty.
- Critical Vulnerability in a New AirSwap Smart Contract - a vulnerability was discovered and patched in the AirSwap smart contract which allowed an attacker to perform swaps without a counterparty signature.
- The “Mortality” of a Transaction - a report on an unusual vulnerability in the Polkadot network that allowed transaction replay by resetting address nonces.
- NavCoin – Bypassing Header Spam Protection - details of a Denial of Service vulnerability in NavCoin.
Malware
- InnfiRAT: A new RAT aiming for your cryptocurrency and more - a malware analysis report on a new malware family capable of stealing credentials and cryptocurrency wallet data.
Indicators:
rgho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peugeot.zip
tcp://62[.]210[.]142[.]219:17231/IVictim
Community
- Smart Contract Security Newsletter - check out this excellent newsletter with a focus on Ethereum smart contract security, published by Maurelian from ConsenSys Diligence. The latest edition dives into the security concerns posed by the upcoming Istanbul upgrade.
- BlockSec Community - a dedicated subreddit to share and discuss blockchain security news, events, vulnerabilities, etc. The community has similar goals to this newsletter, but offers a more frequent cadence to disseminate information.
That’s all for this week in Blockchain Threat Intelligence. Stay safe and stay informed!