Researchers Expose Key Security Weaknesses on Crypto Exchanges

  • Cybersecurity researchers exposed key flaws in cryptocurrency exchanges that could see users lose a fortune.
  • The researchers – Jean-Philippe Aumasson, cofounder of a crypto technology firm, Taurus Group, and vice president at Kudelski Security and Omer Shlomovits, creator of mobile crypto wallet, ZenGo – declined to name the exchanges at risk.

During Wired’s Black Hat Security Conference, held on Aug. 6, Aumasson and Shlomovits discussed three key flaws in how crypto exchanges store users’ funds. According to their research, crypto exchanges keep falling victim to these weaknesses because the security protocols are either weak or incorrectly implemented.

Crypto exchanges have significantly improved their security, especially in safeguarding users’ private keys. Unlike a traditional bank vault, a crypto exchange does not store all the private keys in one place, to avoid a single point of failure. To enhance security, the exchanges split each private key into several components so that no single party has direct access to the funds.

However, the “complex” procedure of securing private keys by splitting them introduces implementation flaws of its own.

One of the major flaws involves a malicious insider “exploiting a vulnerability in an open-source library” used by one of the major exchanges, the researchers said. The library’s vulnerability lies in its refresh function. They again declined to name the exchange for security reasons.

Many of the top exchanges periodically refresh the components of the split private key held by each party, to prevent an attacker from slowly collecting each part of the “split private key” and gaining access to the wallet funds. According to Aumasson:

“The refresh mechanism (vulnerable library) allowed one of the key holders to initiate a refresh and then manipulate the process, so some components of the key changed, and others stayed the same.”

While this would not permit the attacker to steal the funds, the exchange could be permanently locked out of all of its funds.

The second flaw comes from an unnamed digital asset management firm, where an attacker in control of the exchange could compromise the relationship between the exchange and its customers. This attack also targets private key shuffling: after multiple key shuffles, the attacker extracts the users’ private keys. With the private keys, the funds are in the attacker’s hands.

The third is a key generation attack, first noticed on the Binance exchange (which partially fixed the issue in March). Attackers target the very beginning of the key generation process, when the trusted parties derive random numbers for the “zero-knowledge proof” security mechanism.

In Binance’s case, the open-source library never audited or checked the random numbers, which could enable a hacker to send their own random values to the “split private key” trusted parties and, in return, extract everyone’s portion of the private key, gaining access to the funds.

All three problems require a person with privileged access at the crypto exchange to initiate the attack, the researchers concluded.

Author: Lujan Odera

Outlaw Hacking Group Updates Toolkit To Mine Monero (XMR) And Kill Off The Competition

The cybersecurity firm Trend Micro says it has detected that the Outlaw hacking group has been upgrading its toolkit for stealing data from enterprises for about half a year.

Outlaw had been very quiet since June 2019, only to become active again in December, when it started upgrading its data-stealing kits. It now seems able to target more systems, says a Trend Micro analysis from February 10, and can steal data from the finance and automotive industries.

What Else Can the Kits Do Now?

The group’s upgrades bring more advanced breaching techniques, new scanner targets and parameters, and better mining profits obtained by eliminating competing miners, the group’s own old miners included. According to the Trend Micro analysis, the newly developed kits attacked Unix and Linux operating systems, Internet-of-Things (IoT) devices and vulnerable servers. PHP-based web shells were also used to give the hackers remote access to devices.

What Are the Hackers Going For?

The attacks appear to start from a virtual private server (VPS) scanning for a vulnerable device. The new Outlaw tools reuse previously developed scripts, code and commands. Many IP addresses are used for scanning in each country, which is why the group attacks only certain regions during a given time period.

Are Hackers One Step Ahead of the Game?

In June 2019, Trend Micro said it had identified a web address spreading a botnet that featured a Monero (XMR) mining component and a backdoor. The malware was attributed to Outlaw because it employed the same techniques as the group’s earlier operations.

It had Distributed Denial of Service (DDoS) capabilities and allowed the hackers to monetize it both by offering DDoS-for-hire services and through crypto mining. On top of this, in January this year the supposedly North Korean government-sponsored hacker group Lazarus deployed new malware developed to steal cryptocurrency: the QtBitcoinTrader crypto trading interface was modified and used to deliver and execute the malicious code of Lazarus’s well-known Operation AppleJeus.

Author: Oana Ularu

Kaspersky: Lazarus Hackers To Steal Crypto Using Telegram in ‘Operation AppleJeus Sequel’

The Moscow-based cybersecurity firm Kaspersky has informed cryptocurrency users that North Korean hackers have developed new ways of delivering malware through Telegram.

Kaspersky has been looking at the latest attacks of the Lazarus Group, a North Korea-linked cybercrime organization that also carried out the AppleJeus attack on some of the most important crypto exchanges in 2018.

Lazarus Group’s Methodology Has Changed

In research published on Wednesday, Kaspersky says the Lazarus Group has made “significant changes” to its attack methodology. For example, it developed a fake crypto wallet update that sends user data to the hackers, and created a Mac backdoor that bypasses security without the computer’s owner even knowing they are under attack.

Malware Delivered Through Telegram

A new type of attack involved delivering malware through Telegram. The research reveals that the victims of this attack downloaded software containing the malware and ended up sending important data from their computers to the hackers without realizing it. The Telegram channels set up by the hackers belonged to nonexistent crypto companies, one of which was recently detected posing as a platform for smart cryptocurrency arbitrage. Kaspersky researchers also found that some of these websites had broken and incomplete links, while others redirected visitors to Telegram. The victims of the Telegram attack appear to have been in China, the UK, Russia and Poland.

No One Knows Anything About Lazarus

The Lazarus Group remains a mystery, as it runs the malware in the computer’s memory rather than from its hard drive, which makes detection impossible. While the popular opinion is that the group is affiliated with North Korea, the country has more than once denied being responsible for any cyber attack. According to an estimate by the cybersecurity company Group-IB, Lazarus stole cryptocurrency worth about $600 million in 2017 and most of 2018.

Kaspersky thinks the attacks will continue. The Lazarus Group was placed on the US Department of the Treasury sanctions list back in 2019, so any financial institution found to be collaborating with it is sanctioned. Ethereum (ETH) developer Virgil Griffith could face up to 20 years in prison after being indicted by US authorities this week for giving a talk at a conference in North Korea.

Author: Oana Ularu

Researchers Exploit Canon DSLR Camera and Demand Bitcoin Ransomware in Latest Hack Attack

Cybersecurity researchers are always looking for flawed systems in order to expose vulnerabilities. The latest effort came from a group of researchers who hacked a Canon EOS 80D DSLR camera to test a ransomware scheme.

The researchers from Check Point Research used the camera’s Picture Transfer Protocol (PTP) to exploit the system and lock the user out of all their photos. PTP services are generally used to transfer images, and can be exploited to prevent the user from doing exactly that.

Many new cameras support it so that photos can be transferred over WiFi instead of via a USB connection, but this opens up a breach that hackers can use to take your photos and then demand a ransom if you ever want them back.

If a hacker is able to put malicious code into the camera, they can take control of the pictures and then demand a ransom. During their tests, the researchers found a way to do this by encrypting the device’s storage.

After that, they could contact the victims and offer the keys to decrypt the camera’s files in exchange for money.

The researchers said that hackers have had moderate success with this kind of threat, especially by targeting photographers and other people who rely heavily on their photos.

Canon was warned about the vulnerability earlier this year and patched it before Check Point Research made it public. Because of this, the attack should not currently work on any model on the market.

Author: Gabriel Machado

Zscaler ThreatLabZ Discovers New Saefko Remote-Access Trojan (RAT) Malware Targeting Crypto Users

Cybersecurity experts at Zscaler ThreatLabZ have recently identified a new piece of malware. This remote-access trojan, known as Saefko, searches the victim’s browser history for crypto-related activity. The trojan was written for the popular Google Chrome browser.

The goal of the malware, which is for sale on the deep web, is to gather information about credit cards, cryptocurrencies, and other financial activity.

Once such activity is found, the malware acts as a backdoor that lets the criminals control the victim’s computer and use it to make transactions, thereby stealing the money.

As soon as the device is infected, not only is information gathered, but the criminals are also able to access hard drives, use the webcam, take screenshots and more.

The malware uses a large database of crypto-related sites to determine whether the person is interested in cryptocurrencies. If so, it proceeds to gather the information needed to break through the holder’s defenses and steal the cryptocurrency.

According to the researchers, the usual precautions protect against this threat: avoid downloading files from untrusted sources, monitor outgoing traffic from your computer and block unused ports. Antivirus software can also help protect against this kind of danger.

Unfortunately, the malware is very stealthy, so it can be hard to tell that it has infected a computer before the damage is done. Because of this, it is important to be careful so that you are not infected in the first place.

Author: Bitcoin Exchange Guide News Team

New Avast Report Details How Clipsa Crypto Stealing Malware Was Blocked Over 360k Times In Past Year


Cybersecurity company Avast says that a crypto-stealing malware has so far been blocked over 360,000 times by its security software, The Next Web reports.

Referred to as Clipsa, the malware is described as a multipurpose password stealer that can also steal cryptocurrency or launch illicit crypto-mining.

According to Avast, on an infected system Clipsa can replace a crypto address so that the funds are directed to another destination owned by the hackers.
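The article does not say how Clipsa performs the replacement, so the following is an added example, not Avast’s code or a description of Clipsa internals. It illustrates why a swapped address is hard to notice: a replacement address that the attacker controls is itself a perfectly valid Base58Check address, so format and checksum validation pass, and the only reliable check is comparing the address about to be used against the one the user originally copied. The classifier takes the two strings as input (reading the clipboard is platform-specific and left out); it covers legacy Bitcoin addresses only, and the attacker address in the test is constructed from dummy bytes.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes become '1's
    return "1" * pad + out


def b58decode(text):
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def make_p2pkh(hash160):
    """Build a legacy Bitcoin address (version byte 0x00) from a 20-byte hash."""
    payload = b"\x00" + hash160
    return b58encode(payload + sha256d(payload)[:4])


def is_valid_legacy_address(addr):
    """Base58Check validation: 25 bytes and a matching 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and sha256d(raw[:21])[:4] == raw[21:]


def classify_paste(copied, pasted):
    """Compare the address the user copied with the one the clipboard now holds.
    A checksum-correct address that differs from the copied one is the
    signature of a clipboard swap; a checksum failure is mere corruption."""
    if pasted == copied:
        return "ok"
    if is_valid_legacy_address(pasted):
        return "swapped"
    return "corrupted"


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"      # well-known public address
    attacker = make_p2pkh(bytes(range(20)))             # constructed dummy address
    print("attacker address passes validation:", is_valid_legacy_address(attacker))
    print("verdict:", classify_paste(genesis, attacker))
```

The design point is that validation alone never catches a swap; a wallet or user-side guard has to hold on to the address the user actually copied (or the one shown by the recipient) and compare the full string, not just the first and last few characters, before a transaction is signed.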

The malware is also believed to deploy XMRig, a crypto-mining program that runs surreptitiously on affected systems. The cryptocurrency mined is believed to be forwarded to the hackers’ wallet address.

According to security experts at Avast, the malware is believed to originate from malicious codec installers bundled with media players.

India is said to be the primary target of the campaign, and Avast says it successfully blocked over 43,000 Clipsa infection attempts in the country. Over 28,000 users there were affected by these attacks.

The Philippines and Brazil have also recorded high attack numbers, with the security company reporting that about 15,000 and 13,000 users in the two countries respectively were affected.

The cybersecurity company says that from August 2018 to July 2019 it blocked the malware from infecting computer systems over 360,000 times, protecting over 253,000 clients in the process.

The number of people affected by the malware is believed to be higher, as the figures given come from just one security company.

Increased awareness of the Clipsa malware has seen attacks decrease over the last few months. The attacks were very prevalent by the end of last year but have been on a decreasing trend since the start of this year.

Despite its reduced prevalence, the developers behind the malware have succeeded in stealing some cryptocurrency from unsuspecting users. According to Avast, the hackers netted about 300,214,005 Satoshis, the equivalent of about 3 Bitcoin, worth about $36,700 at the current market rate.

Author: Joseph Kibe