Last Week In Blockchain and CyberSecurity News - February 19, 2019

Cryptocurrency-Hijacking Malware ‘Clipper’ Discovered On Google’s Play Store

A new type of cryptocurrency stealing application was found lurking in the Google Play store last week. The malicious app is designed to steal cryptocurrency from victims by replacing a wallet address in the phone’s clipboard. The “clipper” malware is the first of its kind legitimized by an official app store(it is usually available on shady third party websites). It was first seen in an impersonation of MetaMask, “a full-browser extension that allows a web-browser to run Ethereum applications without the full node”(Aakash). Once downloaded, the app prompts the user to access their wallets using their seed phrase and a private key. The malware keeps track of the copy-paste clipboard on the affected system and corresponds those values to the alpha-numeric code of the user’s cryptocurrency address. As the addresses tend to be long and complex, many use the copy and paste clipboard to conduct various transactions. Once the malware identifies the wallet address, it changes the original address to a preset address, thus tricking users into sending transactions to the hacker’s account. As clipper malware is gaining traction, users must be diligent. Double checking every step in transactions, and verifying software related to wallets is essential.

Get more information here

New TLS Encryption-Busting Attack Also Impacts The Newer TLS 1.3

A new cryptographic attack that can break encrypted TLS traffic was revealed last week, and can be used to steal data previously considered safe and secure. The attack, dubbed downgrade attack- works against the latest version of the TLS protocol 1.3 released last spring. The attack is considered to be a variation of the original Bleichenbacher oracle attack. Many attack variations appear as the “authors of the TLS encryption protocol decided to add countermeasures to make attempts to guess the RSA decryption key harder, instead of replacing the insecure RSA algorithm”(Catalin). Many hardware and software vendors have failed to follow numerous countermeasures TLS encryption protocol authors have established. Failure to follow updates result in various servers, routers, firewalls, and VPN’s to be vulnerable to Bleichenbacher attack variations. The new attack "leverages a side-channel leak via cache access timings of these implementations” researchers said.

Read more about the attack here

Major Crypto Brokerage Coinmama Reports 450,000 Users Affected by Data Breach

One of the largest crypto brokerages, Coinmama, experienced a security breach on February 15th. With 1.3 million active users, Coinmama allows users to purchase Bitcoin and Ethereum using a credit card. This incident comes as part of a larger breach which includes a multi-platform hack that affected 24 companies and a total of 747 million records. According to a statement distributed by Coinmama, a list of around “450,000 email addresses and hashed passwords” of users who registered on its platform before Aug. 5, 2017, have been posted on a dark web registry(Marie). It is highlighted that no cryptocurrencies were stolen from user wallets and that Coinmama is currently investigating the attack.  Other websites included in the multi-platform hack include Coffee Meets Bagel and MyFitnessPal. Many of the sites affected by the breach were running PostgreSQL database software, and once the hacker found a way to break into the system, the hacker downloaded the database across a wide range of sites.

Read more about the breach here

TrickBot Banking Trojan Now Steals RDP, VNC, and PuTTY Credentials

The banking Trojan Trickbot(also known as Trickster, TheTrick, and TrickLoader) has resurfaced with updated information stealing modules. Its upgraded abilities allow it to grab credentials used to authenticate to remote servers using VNC, PuTTY, and Remote Desktop Protocol (RDP).  The trojan is being spread throughout numerous spam emails, some that include tax-incentive lures pretending to be from Deloitte. The emails promise help with changes to new tax laws and include an attached file. Once downloaded, Trickbot will download to the victim’s computer. Trickbot will subsequently download other TrickBot modules responsible for a wide range of operations. Actions include “ sending malicious spam emails from hosts it has infected to a self-propagation worm module designed to spread the malware to other computers on the same network” (Sergiu).  As the new modules steal credentials from the Virtual Network Computing (VNC), PuTTY and Remote Desktop Protocol (RDP) platforms, it becomes a threat for business organizations as they are widely used.

Read more about Trickbot here

Collection of 127 Million Stolen Accounts Up for Sale on the Dark Web

Data such as names, email addresses, scrambled passwords, and more were stolen and put up for sale on various hacker forums. According to TechCrunch, the specific listing included:

  • 18 million records from travel booking site Ixigo

  • Live-video streaming site YouNow had 40 million records stolen

  • Houzz, which recently disclosed a data breach, is listed with 57 million records stolen

  • Ge.tt had 1.8 million accounts stolen

  • 450,000 records from cryptocurrency site Coinmama.

  • Roll20, a gaming site, had 4 million records listed

  • Stronghold Kingdoms, a multiplayer online game, had 5 million records listed

  • 1 million records from pet care delivery service PetFlow

The hacker stated some websites used an outdated MD5 hashing algorithm for the passwords- which is easy to unscramble. The hacker is selling the information listed for about $14,500 in bitcoin. By exploiting the PostgreSQL database software many websites fell prey to the vulnerability, allowing the hacker to “dump” the database to a file, and download it. Incidents like these serve as an important wake-up call regarding the drastic effects lack of maintenance of servers/databases may lead up to. Stolen password and login information can be extremely valuable to cybercriminals for Credential Stuffing attacks, or various types of analysis.

Read more about the stolen accounts here