BlockThreat - Week 40, 2019
Algo | ENS | Cosmos | MakerDAO | EOS | MasterMana
Never a dull week in blockchain security! Algo Capital loses $2 million after its CTO’s phone gets hacked. The train-wreck that is FairWin has come to its expected end, with the contract now sitting empty. High-severity vulnerabilities were reported in the Cosmos Tendermint protocol and in multiple popular Ethereum smart contracts. A number of great security tools and research articles were also published this week, including the long-awaited Smart Contract Security Verification Standard.
Hacks
- Algo Capital Loses Crypto Funds After CTO’s Phone Is Hacked - up to $2 million was stolen from Algo Capital’s hot wallets after the CTO’s phone was compromised.
- How we’re resolving the issues with the ENS short-name auctions - an input validation vulnerability in the Ethereum Name Service (ENS) smart contract allowed an attacker to claim a number of highly sought-after names. This one has a happy ending where the attacker returned all of the stolen ENS domain names.
Crime
- Former NiceHash CTO Arrested in Germany Over US Hacking Charges - Matjaz Skorjanec has been arrested for his role as a founder of the Darkode forum and an operator of the Mariposa botnet.
Vulnerabilities
- Cosmos Mainnet Security Advisory Magenta - a high-severity vulnerability was reported in the Tendermint consensus protocol behind the Cosmos network. No additional details were published about the vulnerability. All network operators are advised to urgently update their nodes.
- MakerDAO - Steal ALL collateral during liquidation by exploiting lack of validation in `flip.kick` - a high-severity vulnerability was reported in the MakerDAO contract which allowed an attacker to steal all collateral stored in the MCD system during the liquidation phase.
- Taking undercollateralized loans for fun and for profit - an awesome report on several attacks against decentralized trading protocols such as DDEX and bZx by abusing on-chain decentralized oracles.
Research
- CrowdStrike - Observations from the Front Lines of Threat Hunting - a detailed state-of-security report by CrowdStrike reveals the latest trends in malware and threat actors. The report identifies two banking trojans and a number of cryptocurrency mining malware families most frequently used in nontargeted attacks. The report also notes that crypto-locking ransomware continues to be a popular money-making scheme for financially motivated actors.
- Smart Contract Security Verification Standard (SCSVS) - a new security standard for smart contract security assessments. Inspired by similar standards developed by OWASP, Microsoft, NIST, and other organizations, the standard aims to bridge the gap for smart contract security. It covers 13 different assessment categories including Architecture, Access Control, Data and Communication Confidentiality, and common vulnerabilities such as arithmetic bugs, input handling, and others.
- EOS Network Congestion by DDoS Analysis - a practical analysis of a denial of service condition on the EOS network. The study illustrates just how little it takes to cause major congestion on the network and freeze users’ accounts. Incidentally, the upcoming EOSIO fork will be removing free network resources to make future attacks like the one described in the article and EOSPlay more expensive.
- The Collapse of FairWin’s ~$125m Ponzi Scheme - a detailed timeline of events surrounding the now defunct Ponzi scheme which was eating up significant resources on the Ethereum network.
- Reasons Why Quantum Supremacy Won’t Threaten Bitcoin - an analysis of the threat posed by Google’s recent announcement and its practical implications.
Malware
- The MasterMana Botnet: Anatomy of the $160 Dollar Hack - a detailed malware and actor report behind the MasterMana botnet. The actor (likely related to the Gorgon Group) was harvesting users’ credentials as well as cryptocurrency wallets using commodity malware, AZORult and Revenge RAT, readily available on Russian forums.
Indicators:
hxxp://216[.]170[.]126[.]146/2ky/index.php
hxxp://216[.]170[.]126[.]146/ahsan/index.php
hxxp://23[.]249[.]163[.]135/index.php
hxxp://speeddfox[.]duckdns[.]org
hxxp://rgalldmn[.]duckdns[.]org
See article for additional indicators.
- Casbaneiro: Dangerous cooking with a secret ingredient - a malware analysis of a banking trojan targeting various financial and cryptocurrency organizations in Latin America. The malware is capable of traditional backdoor functionality as well as additional modules used to steal user credentials, send emails, and replace cryptocurrency addresses in the clipboard.
Indicators:
hostsize.sytes[.]net:7880
agosto2019.servepics[.]com:2456
noturnis.zapto[.]org
4d9p5678.myvnc[.]com
seradessavez.ddns[.]net:14875
Bitcoin Wallet: 18sn7w8ktbBNgsX8LeeeLMqKS84xMG54si
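The indicators in both the MasterMana and Casbaneiro entries above are published defanged (`hxxp`, `[.]`), so they cannot be pasted straight into a log search. The following is an added example, not code from this newsletter or from the referenced reports: it refangs the indicators exactly as listed above, extracts the bare host or IP from each, and sweeps a handful of constructed proxy, DNS and firewall log lines for them. The log lines are made up for the example; the host-boundary regex is my own choice so that unrelated hosts that merely contain an indicator as a substring do not trigger a hit.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the newsletter, still in defanged form.
MASTERMANA_INDICATORS = [
    "hxxp://216[.]170[.]126[.]146/2ky/index.php",
    "hxxp://216[.]170[.]126[.]146/ahsan/index.php",
    "hxxp://23[.]249[.]163[.]135/index.php",
    "hxxp://speeddfox[.]duckdns[.]org",
    "hxxp://rgalldmn[.]duckdns[.]org",
]
CASBANEIRO_INDICATORS = [
    "hostsize.sytes[.]net:7880",
    "agosto2019.servepics[.]com:2456",
    "noturnis.zapto[.]org",
    "4d9p5678.myvnc[.]com",
    "seradessavez.ddns[.]net:14875",
]

# Constructed sample log lines (not real telemetry). Line 5 deliberately contains
# an unrelated host that has an indicator as a substring, to show boundary handling.
SAMPLE_LOG_LINES = [
    '2019-10-03T10:12:01Z proxy src=10.0.0.5 method=GET url="http://216.170.126.146/2ky/index.php" status=200',
    '2019-10-03T10:12:04Z dns client=10.0.0.7 query=speeddfox.duckdns.org. type=A',
    '2019-10-03T10:13:40Z proxy src=10.0.0.9 method=GET url="https://www.example.com/index.php" status=200',
    '2019-10-03T10:15:22Z fw action=allow src=10.0.0.12 dst=hostsize.sytes.net dport=7880 proto=tcp',
    '2019-10-03T10:16:00Z dns client=10.0.0.3 query=notnoturnis.zapto.org type=A',
]


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions: hxxp(s) -> http(s), [.] -> ."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def indicator_host(ioc: str) -> str:
    """Return the bare, lower-cased hostname or IP from a URL or host:port indicator."""
    clean = refang(ioc)
    if "://" not in clean:
        clean = "//" + clean  # make urlsplit treat a bare host[:port] as a netloc
    return urlsplit(clean).hostname.lower()


def build_matcher(iocs):
    """Compile one alternation over all indicator hosts, anchored on host boundaries.

    A match may be preceded by a dot (so a subdomain of a listed host still hits)
    but not by another label character, and may be followed by an optional
    trailing dot (DNS FQDN form) but not by further label characters.
    """
    hosts = sorted({indicator_host(i) for i in iocs}, key=len, reverse=True)
    alternation = "|".join(re.escape(h) for h in hosts)
    return re.compile(r"(?<![\w-])(" + alternation + r")(?!\.?[\w-])", re.IGNORECASE)


def scan(lines, iocs):
    """Return (1-based line number, matched host) for each line that hits an indicator."""
    matcher = build_matcher(iocs)
    hits = []
    for number, line in enumerate(lines, 1):
        match = matcher.search(line)
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for number, host in scan(SAMPLE_LOG_LINES, MASTERMANA_INDICATORS + CASBANEIRO_INDICATORS):
        print(f"line {number}: matched indicator host {host}")
```

Only the host portion is matched here; the ports listed for the Casbaneiro C2 hosts and the Bitcoin address would need a separate literal check (addresses are case-sensitive, so do not reuse the case-insensitive host regex for them).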
Tools
- Brownie: Evaluating Solidity Code Coverage via Opcode Tracing - a new framework for Ethereum smart contract testing through code coverage analysis.
- VeriMan Project - a new analysis tool for Solidity smart contracts. It helps instrument VeriSol, Manticore, and optionally Echidna to effectively discover vulnerabilities through counterexample discovery and fuzzing of smart contracts. You can download the tool source here.
That’s all for this week in blockchain threat intelligence. I hope you enjoyed this issue and feel free to join /r/BlockSec for more regular news updates.