BlockThreat - Week 38, 2019
Lightning | EtherDelta | Skidmap | Panda
This week featured a couple of very interesting research papers documenting denial-of-service attacks targeting the Lightning and Ethereum networks. More details about the EtherDelta hack emerged from the recent indictment. There are also a number of great reports on the actors and malware behind several Monero mining campaigns. Finally, check out write-ups of recent blockchain security events and the schedule of upcoming ones in the Events section.
Research
- Hijacking Routes in Payment Channel Networks: A Predictability Tradeoff - the paper documents a denial of service attack on the Lightning network by manipulating network routes to control the majority of the traffic. The paper also documents that 80% of the Lightning network traffic routes through only 10 nodes.
- Broken Metre: Attacking Resource Metering in EVM - the paper presents a resource exhaustion attack exploiting imperfections in the EVM opcode pricing.
Hacks
- TalkTalk hacker also breached EtherDelta cryptocurrency exchange - two suspects were indicted in connection with the EtherDelta exchange hack in December 2017. According to the indictment, the pair was able to purchase personal data of an EtherDelta employee, likely the CEO, on the underground market. Using the obtained data, the attackers took over the employee’s phone number to bypass 2FA and access EtherDelta’s Cloudflare and Dreamhost accounts. According to the article, the attackers temporarily modified EtherDelta’s DNS records and proceeded to steal user credentials and empty their accounts.
Crime
- Online fraud syndicate dismantled after allegedly siphoning millions from shares and superannuation accounts - details of a syndicate involved in identity theft and money laundering operations targeting Australian citizens.
- Two Arrested for Extortion of Startup Cryptocurrency Company - details of the StormX extortion plot.
Malware
- Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda” - a detailed profile of a threat actor involved in Monero mining operations. The article includes detailed indicators and TTPs.
- Crypto-mining malware saw new life over the summer as Monero value tripled - a great survey of actors and malware involved in various Monero mining campaigns throughout the year.
- Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload - a detailed report on cryptocurrency-mining malware targeting Linux hosts. The malware is unique in its use of a kernel rootkit to hide mining activity from standard monitoring tools.
Indicators:
hxxp://pm[.]ipfswallet[.]tk/pm.sh
hxxp://pm[.]ipfswallet[.]tk/pc
hxxp://pm[.]ipfswallet[.]tk/cos7[.]tar[.]gz
- CookieMiner malware targets Macs, steals passwords and SMS messages, mines for cryptocurrency - an interesting article about an older cookie-stealing malware sample targeting major exchanges such as Binance, Bitstamp, Bittrex, Coinbase, MyEtherWallet, Poloniex, and any website with “blockchain” in its domain name.
- Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads - a detailed report on the Windows-based cryptocurrency miner malware. The sample spreads by attacking vulnerable MSSQL, phpMyAdmin, and Oracle WebLogic servers. It is unique in its use of WMI Event Subscription as a persistence mechanism and actively disabling its competition such as MyKings, PowerGhost, PCASTLE, BULEHERO, MALXMR, BlackSquid, and variants.
Indicators:
118[.]24[.]63[.]208
103[.]105[.]59[.]68
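The GhostMiner report above calls out WMI Event Subscription persistence. The following PowerShell is an added example, not code from the report or this newsletter: it enumerates the permanent event subscriptions in the root\subscription namespace and flags any consumer that executes a command line or script, which is the pattern a hunter would review on a suspected host.

```powershell
# Enumerate permanent WMI event subscriptions (filter -> consumer bindings).
# A clean Windows install normally carries only a handful, typically the
# "SCM Event Log Consumer" NTEventLogEventConsumer; anything that launches a
# command line or script deserves a closer look. Run elevated on the host.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class returns all derived consumers
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Binding properties are object references; resolve them to the real filter/consumer instances.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

    # Only these consumer classes run attacker-supplied code when the filter fires.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter        = $f.Name
        TriggerQuery  = $f.Query                   # WQL event the filter waits for (e.g. a timer or process start)
        ConsumerClass = $c.CimClass.CimClassName
        Consumer      = $c.Name
        Payload       = $payload
        Review        = ($payload -ne '')          # True when the binding executes code
    }
}
```

Pipe the output to `Format-List` to read long WQL queries and command templates in full; bindings with `Review = True` are the ones to compare against the report's indicators.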
Events
- #blockchainhackers IV - a blockchain security event during the upcoming Osaka Blockchain Week on October 9th.
- Congratulations Capture the Coin participants! - prize and winner announcement for the blockchain security CTF - Capture the Coin. The blog also alluded to a series of posts covering the infrastructure and challenge solutions.
- Chain CTF Heist Writeup - a write-up of some of the challenges in the recently concluded smart contract security CTF competition.
- Expert Roundup: DeFi Smart Contract Audits - an awesome Q&A session with a panel of smart contract security experts including Dan Guido from Trail of Bits, Hubert Ritzdorf from ChainSecurity, and Daryl Hok from CertiK.
Hope you enjoyed this week’s blockchain threat intelligence report! Stay safe and see you all next week.