BlockThreat - Week 41, 2019
Dark Arts | AppleJeus | GitLab | Muhstik
What a fun week! GitLab was briefly DoS-ed by someone mining bitcoin with its CI jobs, a victim of the Muhstik ransomware hacked the attackers' infrastructure and dropped all of the decryption keys, details of the Ethereum Dark Arts exploit are now public, and other happenings in the blockchain security world.
Hacks
- White-hat hacks Muhstik ransomware gang and releases decryption keys - a victim of the Muhstik ransomware hacked the infrastructure behind the malware to reveal decryption keys for all of its victims.
- GitLab CI abused to mine crypto - GitLab issued a service announcement about a Denial of Service attack, which turned out to be someone abusing its CI jobs to stealthily mine Bitcoin.
- Student may have tried to hack West Virginia's blockchain election - an FBI investigation into the attempted hack of the blockchain-based voting app leads to a student at University of Michigan.
Crime
- Internet Organised Crime Threat Assessment - the topic of cryptocurrency features prominently throughout the annual Europol EC3 report. It covers the recent instances of exchange hacks, cryptomining malware, wallet theft, and others. The IOCTA report identifies “hacking exchanges and manipulating the Blockchain with 51% attacks” as a future emerging trend.
- DOJ charges cryptocurrency miner for stealing $5M worth of computing power - a Singaporean citizen has been caught buying large amounts of AWS resources to mine cryptocurrencies using stolen credit cards.
- New Phishing Sextortion Campaign Using Alternative Crypto Currencies to Evade Detection - a trend to switch to alternative cryptocurrencies such as Litecoin to avoid detection.
Vulnerabilities
- Tornado.cash got hacked. By us. - a critical bug was found in the zk-SNARK implementation in the circomlib library used by the Tornado.cash project. The bug allowed an attacker to withdraw ETH from the vulnerable contract without having made a valid deposit.
- ECDSA/EdDSA side-channel vulnerabilities - a side-channel attack that leaks the bit length of the random nonce, which can then be used to recover private keys.
Malware
- Pass the AppleJeus - an excellent write-up by Objective-See of the new Lazarus group Mac backdoor posing as a cryptocurrency trading application called JMTTrader. The sample is related to a previous report by Kaspersky - Operation AppleJeus.
Indicators:
Research
- (Defense Against) The Dark Arts - Contract Runtime Mutability - a presentation and exploit PoC code demonstrating the risks of smart contracts deployed using the CREATE2 instruction. The specific concerns about this instruction were presented in The Promise and the Peril of Metamorphic Contracts blog post earlier this year.
- How to 51% Attack Bitcoin - a great article about the cost of the 51% attack, potential victims, and a risk rating model relative to other assets.
- Proof of Stake's security model is being dramatically misunderstood - a threat model of the PoS consensus mechanism and attacks against it. The article goes into the threats posed by slashing and malicious staking, and the risk of network centralization.
- A model for Bitcoin's security and the declining block subsidy - a survey of known attacks against the Bitcoin protocol and a threat model for declining block rewards.
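As an added illustration of the mitigation side of the CREATE2 runtime-mutability item above (this is my own sketch, not code from the presentation or the blog post), the contract below pins a dependency's runtime code hash via EXTCODEHASH and refuses to call it if that hash changes, which is exactly what a selfdestruct-and-redeploy at the same CREATE2 address would cause. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Defensive caller: trusting an address is not enough when the code behind it
/// can be replaced (CREATE2 + selfdestruct + redeploy with different runtime),
/// so we record the runtime code hash at trust time and re-check it before
/// every interaction.
contract CodeHashPinnedCaller {
    address public immutable target;
    bytes32 public immutable pinnedCodeHash;

    error NoCode(address target);
    error CodeChanged(address target, bytes32 expected, bytes32 actual);

    constructor(address _target) {
        bytes32 h = _target.codehash;
        // EXTCODEHASH is 0 for a non-existent account and keccak256("") for an
        // account without code (EOA or already selfdestructed): refuse both.
        if (h == bytes32(0) || h == keccak256("")) revert NoCode(_target);
        target = _target;
        pinnedCodeHash = h;
    }

    /// True while the code at `target` is still the code that was audited.
    function codeUnchanged() public view returns (bool) {
        return target.codehash == pinnedCodeHash;
    }

    /// Forward a call only if the target's runtime code has not been swapped.
    function safeCall(bytes calldata data) external returns (bytes memory) {
        bytes32 h = target.codehash;
        if (h != pinnedCodeHash) revert CodeChanged(target, pinnedCodeHash, h);
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "target call reverted");
        return ret;
    }
}
```

The check is per-call rather than one-off, because a metamorphic redeploy happens between transactions; pinning only at construction time would miss it.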
Tools
- Solidity Visual Auditor Extension for VS Code - an awesome VS Code plugin that visualizes call graphs and class inheritance, plus a few other useful tools for smart contract analysis.
Hope you enjoyed this week’s issue and see you next week!