Last Week In Blockchain and CyberSecurity News - April 30, 2019

<br />

Bitfinex Used Tether Reserves to Mask Missing $850 Million

iFinex, the company behind the cryptocurrency exchange Bitfinex and stablecoin Tether is being investigated by the New York state attorney general’s office. Attorney General Letitia James’ office said on Thursday they are looking into how iFinex lost $850 million through a deal conducted with Panama-based Crypto Capital. Reportedly. When it became evident the $850 million was not going to be returned, “iFinex is said to have taken at least $700 million from the reserves that back Tether, which is pegged against the U.S. dollar.” (TechCrunch). This situation was not declared to investors; Attorney General James argued that the use of Tether’s cash reserves was used to hide Bitfinex large, undisclosed losses, along with other issues. Another accusation against iFinex states that they allowed “New York-based investors to use Bitfinex to trade Tether without holding a license to operate in the state of New York.” In response, iFinex declared “the New York Attorney General’s court filings were written in bad faith and are riddled with false assertions.” It will be interesting to see how this situation unravels.
Read more

A ‘Blockchain Bandit’ Is Guessing Private Keys and Scoring Millions

Last week, a security consulting firm Independent Security Evaluators published a report on private keys for the Ethereum blockchain. In the statement, Adrian Bednarek, a senior security analyst, said he discovered a ‘blockchain bandit” that has managed to gather up almost 45,000 ETH by successfully guessing weak private keys. Bednarek stumbled upon this discovery after he searched for private keys that might have had the value of 1. He discovered a wallet with this private key and checked to see if other similar and unsecure private keys exist, and they did. Bednarek noticed the funds to similar accounts had been emptied, which “led him and his firm to write a program that checked billions of accounts and discovered that there were a large number of unsecure” private keys. According to the report, his tactic included a combination of looking for incorrect code and faulty random number generators, rather than using a brute force search for random private keys. “Bednarek then noticed how some of the wallets associated with the private keys found with their suboptimal methods had high volumes of transactions going to a single address, with no money coming back out” When Ethereum’s value reached its peak, it is estimated that the bandit’s haul would have been more than $50 million.

Read the report here

Hackers Breached a Programming Tool Used by Big Tech and Stole Private Keys and Tokens

Get more information here

Hackers Used Microsoft Email Accounts to Steal User’s Cryptocurrency

The breach that affected Microsoft’s email services like Outlook, Hotmail and MSN have allegedly given hackers access to several cryptocurrency wallets. Hackers have used the breached email accounts to reset exchange passwords and then siphon cryptocurrency located on the exchange wallets. One victim on a Dutch tech forum claimed they lost over 1 bitcoin (~$5,400 at the time). Others have experienced similar issues and have complained on social medias such as Reddit and Twitter. Microsoft’s hack allowed hackers to access email metadata, read email content, and much more. This incident shines a light on the importance of utilizing 2-factor authentication with applications such as Google Authenticator or Authy to further secure sensitive information.

P2P Flaws Expose Millions of IoT Devices to Remote Attacks

A researcher discovered a flaw in a peer-to-peer system named iLnkp2p that exposes millions of cameras, smart doorbells, and other Internet of Things (IoT) devices to remote attacks from the internet. The researcher, Paul Marrapese, stated that devices marketed under hundreds of brands, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, and more are affected by the flaw. These products can include cameras, baby monitors and more. Marrapese identified over 2 million vulnerable devices throughout his research. He identified two vulnerabilities, the first being “CVE-2019-11219, which is an enumeration issue that allows an attacker to discover devices exposed to the Internet quickly. The second flaw, CVE-2019-11220, can be exploited to intercept connections to affected devices and conduct man-in-the-middle (MitM) attacks. This allows a malicious actor to obtain a device’s password and hijack it.” Combining both vulnerabilities can be used together to launch large, coordinated attacks against the IoT devices. According to the researcher, “39% of the vulnerable devices are located in China, 19% in Europe, and 7% in the United States.” There is currently no patch available for the vulnerabilities.