The biggest crypto heist of 2017

Blockchain companies & new cryptocurrencies have been flourishing this year. Their total market cap exceeded 177 billion dollars in 2017, and hackers’ interest grew along with it. In 2017 we witnessed quite a few large hacks that cost these companies millions of dollars.

Even though blockchain technology is fundamentally more secure when it comes to keeping your money safe, the ecosystem around it is filled with flaws that hackers are racing to exploit.

In this article I will analyze the biggest hacks of 2017.

 

Firstly, you must understand what an ICO is, as ICOs played a key role in a lot of hacks this year.

An ICO (Initial Coin Offering) is a way for blockchain companies to issue a token (a “coin” or “cryptocurrency”) in order to raise funds. It is comparable to an IPO (Initial Public Offering), with the exception that these companies usually run the ICO before having any working product (while IPOs are usually done to raise capital for an existing private company).

The way this works is pretty simple. The company opens the ICO, publishes its Ethereum (or other) address, and the public starts sending money to that address. A smart contract running in the background takes care of exchanging the Ether for the company’s token.

 

 

1. The Enigma ICO

The Enigma hack is one of the “funniest” ever. The hacker didn’t have to use any technical skills to steal millions of dollars from users.

Earlier this year the Ashley Madison website got hacked and its database was leaked online. The hacker simply found out that the CEO of Enigma had his password leaked in the Ashley Madison breach. Luckily for the hacker, the CEO had reused that password on several accounts, such as his email & Slack.

From there the hacker started the ICO with one small difference: he replaced the Ethereum address with his own, and there was no smart contract issuing tokens behind it. As a result users sent millions of dollars to the hacker, thinking they were sending their money to Enigma.

 

2. The Parity hack

According to its GitHub page, Parity aims to be “the fastest, lightest and most secure Ethereum client”.

In this case the hacker took advantage of a bug in Parity’s MultiSig wallet contract. (A MultiSig wallet is a kind of wallet that supposedly adds a layer of security by requiring other users to sign a transaction before it is broadcast on the blockchain.) The bug allowed him to take ownership of a wallet by sending a malicious transaction, and from there he was able to move all the funds to his own wallet. [(Learn more about the technical details here)](https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7)

The hacker was able to steal 153,000 Ether. Following the hack, a group of white hat hackers drained the other vulnerable MultiSig wallets into their own wallets to prevent the black hat hacker from stealing more funds from users. After the vulnerability was fixed they refunded the users.
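To make the ownership bug concrete, here is an added Python model (not Parity’s Solidity code and not from the original post) of a wallet that delegates unknown calls to a shared library. The only difference between the vulnerable and the hardened variant is whether the library’s initialisation function refuses to run once owners already exist; all names and balances are constructed.

```python
# Added example (a Python model, not Parity's Solidity code): a multisig wallet
# forwards unknown calls to a shared library, which runs against the wallet's own
# storage. Without an "already initialised" guard on init_wallet, a later call can
# overwrite the owner set; the hardened variant refuses once owners exist.


class WalletLibrary:
    """Shared wallet logic. `guard_init` selects the hardened behaviour."""

    def __init__(self, guard_init: bool) -> None:
        self.guard_init = guard_init

    def init_wallet(self, state: dict, owners: list) -> None:
        # Hardened: only callable while the wallet has no owners yet.
        if self.guard_init and state["owners"]:
            raise PermissionError("wallet already initialised")
        state["owners"] = set(owners)

    def execute(self, state: dict, caller: str, to: str, amount: int) -> tuple:
        # Only a current owner may move funds out of the wallet.
        if caller not in state["owners"]:
            raise PermissionError("caller is not an owner")
        if amount > state["balance"]:
            raise ValueError("insufficient funds")
        state["balance"] -= amount
        return (to, amount)


class Wallet:
    """A deployed wallet: its own storage, logic borrowed from the library."""

    def __init__(self, library: WalletLibrary, owners: list, balance: int) -> None:
        self.library = library
        self.state = {"owners": set(), "balance": balance}
        self.library.init_wallet(self.state, owners)  # constructor-time setup

    def call(self, name: str, *args):
        # Fallback: a function the wallet does not define is delegated to the
        # library and executed against this wallet's storage (like delegatecall).
        return getattr(self.library, name)(self.state, *args)


def outsider_can_spend(guard_init: bool) -> bool:
    """Deploy a wallet owned by alice and bob, then let an outsider re-run
    init_wallet through the fallback. True if the outsider can then spend."""
    wallet = Wallet(WalletLibrary(guard_init), ["alice", "bob"], balance=153_000)
    try:
        wallet.call("init_wallet", ["mallory"])
        wallet.call("execute", "mallory", "mallory", 153_000)
        return True
    except PermissionError:
        return False
```

The check to look for in any upgradeable or library-backed contract is the same: every initialiser must be callable exactly once, and the fallback must not expose it afterwards.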

 

3. Coindash

Another ICO hijack. As in the Enigma hack, the attacker compromised the Coindash website. Just 13 minutes after the ICO started he managed to replace the Ethereum address with his own and then calmly waited as users sent him $7 million worth of Ether.

 

4. Veritaseum

Veritaseum is a project that “allows individuals and corporations to trade without brokers, loan without banks and contract without lawyers”.

This is how Reggie Middleton, CEO of Veritaseum, described the hack:

“The hackers thwarted 2FA, on two different accounts, and finagled 3rd party security among several other things. They went through quite a bit of effort; alas going through that much effort caused them to leave a breadcrumb trail as well. I hate thieves”.

Middleton refused to give more details about the hack arguing that it would only incite others to replicate it.

The loss was estimated at $8.4 million worth of Ether.

 

5. Zerocoin

Zerocoin is a project that aims to bring anonymity to Bitcoin transactions. In February a hacker was able to exploit a flaw in the code that allowed him to create tokens out of thin air. From there he sold them on cryptocurrency exchanges, resulting in an increase in price and market cap. The hacker was able to create 370,000 tokens worth 400 Bitcoins ($444,000 at the time).

 

These hacks are only the tip of the iceberg. Every day attackers try to hack and/or scam users by all means possible.

Here are some other tricks that hackers have used heavily this year:

 

  • Typo squatting: Bittrex.com is one of the biggest cryptocurrency exchanges. A hacker bought look-alike domain names such as Blttrex.com (with an ‘l’ instead of an ‘i’), Bitrex.com, etc. After users entered their password and 2FA code on the fake site, the hacker would immediately log in on the real Bittrex.com website and steal all their funds.

 

  • Slack scams: Almost every project has an open Slack team. It’s a great way to communicate openly, but it also opens the door to scammers.

 

This one is pretty clever. A user would think the message is for his own good, and if you only read the domain as it is displayed in Slack it looks completely legitimate, even though the link redirects to a fake website.

 

Another very popular scam consists of telling users about an “airdrop” for holders of coin X. An airdrop is when a company decides to offer free coins to users who have held a given coin (say Ethereum, for example) for some time. Usually the hackers spread these links on Slack, and the websites ask for your private key.

 

  • Social engineering: Recently the CEO of Paragon Coin was hacked and lost access to her Gmail & other accounts. The hackers simply used an old trick and got the phone company to hand them control of the CEO’s phone number.

 

“I need a contact at gmail 🙏🏼 @sundarpichai @gmail @Google my email has been hacked & for some reason no one has been able to help me. pic.twitter.com/EnTZ94q8mu” (Jessica VerSteeg, @JessVerSteeg, September 21, 2017: https://twitter.com/JessVerSteeg/status/910704808704667648)
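The typo squatting trick described above (Blttrex.com, Bitrex.com) is easy to catch mechanically. The following is an added Python example, not code from the original post, that flags a candidate domain as a look-alike of a brand domain when it matches after homoglyph normalisation or sits within one edit of it; the homoglyph table and sample domains are constructed here.

```python
# Added example (not from the original post): detect look-alike domains of the kind
# used against Bittrex.com, for monitoring new registrations or warning users.

# Constructed table: visually similar sequence -> the character it imitates.
HOMOGLYPHS = {"l": "i", "1": "i", "0": "o", "rn": "m", "vv": "w"}


def canonical(label: str) -> str:
    """Map visually similar characters onto one canonical form."""
    label = label.lower()
    for look, real in HOMOGLYPHS.items():
        label = label.replace(look, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_verdict(candidate: str, brand: str = "bittrex.com") -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for a candidate domain."""
    cand, real = candidate.lower(), brand.lower()
    if cand == real:
        return "exact"
    # Compare the registrable label only, so a different TLD is still a look-alike.
    cand_label, real_label = cand.rsplit(".", 1)[0], real.rsplit(".", 1)[0]
    if canonical(cand_label) == canonical(real_label):
        return "lookalike"   # e.g. blttrex.com: an 'l' standing in for 'i'
    if edit_distance(cand_label, real_label) <= 1:
        return "lookalike"   # e.g. bitrex.com: one dropped letter
    return "unrelated"
```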

 

Tips to stay safe:

 

  • NEVER give your private key, to anyone.
  • NEVER give your private key, to anyone, ever.
  • If you need to give somebody your private key, DON’T DO IT. Your private key is private for a reason. Anyone who can access your private key can steal your precious coins.
  • Keep your coins out of exchange websites.

This year we saw several cryptocurrency exchanges get hacked, such as BTC-e & Bithumb. They were not the first and won’t be the last. I myself reported security vulnerabilities to some cryptocurrency exchanges and can tell you they’re not always the most secure. Ideally you should keep your coins in cold storage, using a paper wallet or a hardware wallet such as Trezor. These wallets don’t support every cryptocurrency, but every cryptocurrency has its own desktop wallet that you can use, and they all offer encryption and backup options.

  • Don’t trust anyone, especially on Slack.

Nobody wants to give you free coins, [there’s no 2FA on myetherwallet.com]. If you have a doubt, always check with official sources, but even then you should be careful: Twitter accounts can also be hacked. You should be extra careful on Slack, as there is no identity verification. Anyone can pose as “Vitalik Buterin” there.

  • Have your smart contracts & every other piece of code reviewed by professionals.

If your company created a token or you’re raising funds via an ICO, you should be extra careful with every piece of code. History has shown that even code audited by the Ethereum Foundation was later found to be vulnerable. So if you’re a developer who just learned Solidity (Ethereum’s main smart contract programming language) and you use that as the basis for a smart contract that raises funds without having it reviewed, you’re heading for disaster.

  • Passwords & 2FA

It’s obvious, but you should use 2FA whenever you can & never reuse passwords. If you reuse a password that was leaked in a previous breach (LinkedIn, Yahoo, etc.) it’s just a matter of time before you lose your coins.

  • Don’t use your phone number as a recovery option for your email address.

Otherwise you might end up locked out of your email address like the Paragon Coin CEO. I would suggest creating an email address that you use only for these kinds of websites, creating several secure backups of your credentials, and using 2FA.

  • Keep your identity private

I’ve seen people on Twitter posting pictures of themselves holding their ID card with a timestamp and directly asking @Bittrex to get verified… If you do that, it’s only a matter of time before someone uses that picture on another exchange and potentially gets you into a lot of trouble.


Why we sponsor BruCON 2017? Win the last ticket!

Proud sponsor!

We are a proud Diamond sponsor of BruCON 2017 because we:

  • Believe in supporting the IT security community in Belgium.
  • Like the really excellent line-up: http://2017.brucon.org/index.php/Schedule
  • Bring our consultants to the trainings and conference: to increase their knowledge and build our community network.
  • Are on the lookout for new colleagues to join our growing team.
  • Organize the Student CTF. We engage high school and university students of non-security curricula and stimulate them to consider a cyber security career.

We also share our last sponsor ticket. These are in high demand, as BruCON sold out some weeks ago!

How to win your ticket?

Each like/retweet of our blog post on LinkedIn or Twitter before 27 September midnight (CET) automatically enters our draw on Thursday. The winner will be announced on Thursday.

Hope to see you next week!

Pass by our booth to have a chat and enjoy a beer.

The Toreon team


Mirror, mirror on the wall. Who is the smartest of them all?

I’ve made a magic mirror. You know, a mirror that also shows text, pictures, etc. It was the subject of my talk at the Hack In The Box Security Conference. It is for everybody who could use a boost of confidence in the morning, would like to save some time by reading the newspaper while brushing their teeth, or simply loves to build cool things. You can check the video of my talk for a tutorial.

This project was built using a Raspberry Pi and an observation mirror combined with an unused monitor. All software used was open source.

If you try this yourself, I would love to hear about your experience!
Happy building!

Shadow Brokers: what we know and can do

Recently the Shadow Brokers group leaked a second round of tools & exploits used by the NSA. The first round was released on April 8th in a blog post by the group and mainly targeted old Linux software. This new round, released on April 14, is more upsetting as it includes exploits targeting Windows versions from NT up to 2012.

After the leak, Microsoft released a statement mentioning that most of the vulnerabilities released by the Shadow Brokers were fixed in an update on March 14.

However, not all vulnerabilities exploitable with what the Shadow Brokers released had been patched beforehand. Oracle patched a flaw in Solaris 10 along with 298 other bugs after the leak, and at the end of April fixed a flaw in its popular cPanel software.

Here are the most critical Windows exploits found in the leak; they all exploit vulnerabilities in the SMB & NBT protocols used for file sharing & network communication:

  • ETERNALROMANCE – SMBv1, Windows XP, 2003, Vista, 7 & 2008
  • ETERNALBLUE – SMBv2, Windows XP, 2003, Vista, 7 & 2008
  • ETERNALCHAMPION – SMBv1, Windows XP, 2003, Vista, 7 & 2008
  • ETERNALSYNERGY – SMBv3, Windows 8 SP0 & Windows 2012 SP0
  • ENGLISHMANDENTIST – Targeting Outlook/Exchange leveraging OLE in TNEF email

Here is a list of exploits & tools that were identified by researchers.

In addition to the exploits, the following malicious tools were found:

  • ‘TOUCH’ scripts, which are used to verify whether a target is vulnerable
  • DANDERSPRITZ/PEDDLECHEAP, a GUI tool & Trojan (‘implant’) used to interact with Windows systems. After the Trojan infects a system it looks for software such as anti-malware, gathers passwords & other information about the system, and uses the ‘TOUCH’ modules to find other vulnerable hosts on the same network. The GUI helps the operator with several tasks, such as taking screenshots and monitoring processes and logs…
  • Several Windows driver “implants” (Trojans)
  • Ripper, a tool to retrieve information from Google Chrome, Firefox & Skype
  • YAK, a driver module that can record keystrokes (key logger)
  • Tools to dump emails from Exchange servers, detect & kill antiviruses, edit or delete event logs…
The DanderSpritz software receiving a connection from a client

Unfortunately, 0-days are a fact of life we have to face. We also see that these vulnerabilities are already being actively exploited in the wild to spread ransomware. Researchers have shared several IoCs (indicators of compromise) that can be used, together with forensic techniques, to determine whether your systems have been compromised.

Antivirus companies have also started to update their malware signature databases, so the NSA Trojans should be detected by now. However, it has been shown that it is trivial to bypass these detections, and neither EMET 5.5 (Enhanced Mitigation Experience Toolkit from Microsoft) nor AppLocker would stop the infection.

Exploiting ETERNALBLUE on a Windows 7 target running EMET 5.5

Therefore, we recommend running an (updated) IDS (Intrusion Detection System) such as Snort, Suricata or another product. Cisco recently published new Snort rules that you can use to detect malicious traffic generated by these exploits on your network. This, however, won’t detect a ‘sleeping’ Trojan. Researchers have also published tools to detect and decrypt traffic generated by the NSA Trojan. Additionally, if you use YARA for malware detection, new rules have been released too.

Hardening is another practice we want to put emphasis on. These exploits are a perfect example of why you should harden your systems. As Windows 7 enables SMB by default, any new installation is vulnerable to ETERNALBLUE. Disabling services that aren’t used is a step often overlooked and can greatly reduce the attack surface.

If you’re still using Windows Server 2003 or XP and for some reason upgrading is not an option, we recommend separating these servers from the corporate network.

Do not reuse passwords on any server and put strong access control on TCP port 139 & 445. Only the clients who really need to use SMB/NBT should be able to reach these ports. This can be done using either a firewall on the host itself or a perimeter firewall.
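One way to verify that the port 139/445 access rule above actually holds is to audit who is reaching those ports. The following is an added Python example, not code from the original post, that reports every allowed TCP session to an SMB/NBT port whose client is not on an approved list; the log format, addresses and allowlist are constructed for the example, so adapt the parser to your firewall’s own log layout.

```python
# Added example (not from the original post): audit a connection log for SMB/NBT
# reachability. Every allowed TCP session to port 139 or 445 from a client that is
# not on the approved list is reported, which is the access rule the text asks you
# to enforce on the host or perimeter firewall. Format and addresses are constructed.
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}

# Constructed: the only networks whose clients are supposed to reach SMB servers.
ALLOWED_SMB_CLIENTS = [ip_network("10.0.10.0/24"), ip_network("10.0.20.5/32")]

# Constructed sample, one record per line:
# "<date> <time> <action> <proto> <src-ip> <dst-ip> <src-port> <dst-port>"
SAMPLE_LOG = """\
2017-05-12 09:14:01 ALLOW TCP 10.0.10.7 10.0.1.20 51022 445
2017-05-12 09:14:05 ALLOW TCP 10.0.30.44 10.0.1.20 49812 445
2017-05-12 09:14:09 ALLOW TCP 192.168.77.3 10.0.1.21 40001 139
2017-05-12 09:14:12 ALLOW TCP 10.0.30.44 10.0.1.20 49813 443
2017-05-12 09:14:15 DROP TCP 172.16.9.9 10.0.1.20 33333 445
"""


def parse_line(line: str):
    """Split one record into its fields; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 8:
        return None
    date, time, action, proto, src, dst, _sport, dport = fields[:8]
    return {"time": f"{date} {time}", "action": action, "proto": proto,
            "src": ip_address(src), "dst": dst, "dport": int(dport)}


def unapproved_smb_connections(log_text: str) -> list:
    """Return (time, src, dst, port) for each allowed TCP session to an SMB/NBT
    port whose client address lies outside ALLOWED_SMB_CLIENTS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["proto"] != "TCP":
            continue  # dropped sessions were already blocked; non-TCP is not SMB
        if rec["dport"] not in SMB_PORTS:
            continue
        if not any(rec["src"] in net for net in ALLOWED_SMB_CLIENTS):
            hits.append((rec["time"], str(rec["src"]), rec["dst"], rec["dport"]))
    return hits
```

Run against the sample, the two sessions from 10.0.30.44 and 192.168.77.3 are reported; the 443 session and the dropped attempt are ignored.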

There are several security controls to be considered. Therefore, a resilient security architecture with several layers of defence, combined with detection and reaction capabilities helps you to not only handle these 0-days efficiently, but also future vulnerabilities.

Recommendations

  • Decommission obsolete, unsupported operating systems (such as Windows XP & Windows 2003 servers); they are vulnerable and won’t receive patches anymore
  • Apply critical security patches as soon as possible on Windows systems (don’t forget MS17-010)
  • If you are running any of the vulnerable software, verify that these are patched and/or running the latest version
  • Immediately apply any update for SWIFT software as it’s been shown that SWIFT got compromised
  • Design and implement a layered security architecture with a combination of preventive, detective and reactive security controls
  • If you need help to identify vulnerable systems or want more information about a layered security approach, contact us
