Crypto-Sec is a bi-weekly roundup of cryptocurrency and cybersecurity related stories and tips.
Biggest phishing incident of the week: Attackers target Hedera users
On June 26, Hedera’s marketing email account was compromised, and attackers used it to send phishing emails to the team’s subscribers. Hedera is the developer of Hedera Hashgraph, a proof-of-stake blockchain network launched in 2018.
The team acknowledged the hack in a post on X, warning users not to follow any links in emails sent from marketing@hedera.
Phishing is a technique where an attacker pretends to be a trusted source and tricks the user into providing information or performing an action desired by the attacker. In this case, the attacker used a compromised Hedera email to impersonate a representative of the development team.
The team has not yet revealed what the phishing email contained. However, most cryptocurrency phishing emails offer users an attractive reward, such as a token airdrop, if they click a link that takes them to the attacker’s fake website, which is designed to look like it belongs to a trustworthy source. When a user connects their wallet to the website, they are prompted to approve tokens in order to receive the airdrop.
But instead of receiving an airdrop, the user grants an approval that allows the attacker to empty their wallet. Users should be especially careful when clicking links in emails, even when the email appears to come from a trustworthy source. As the Hedera example shows, even trusted email addresses can be hacked or spoofed.
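The approval step described above is the one a user can still inspect before signing. The following is an added example, not code from the Cointelegraph article or from Hedera: it decodes standard ERC-20 `approve(address,uint256)` calldata and flags the drainer pattern, an unlimited allowance granted to a spender the user has never dealt with. The allowlist, the spender addresses and the sample calldata are constructed for the example.

```python
# Added example (not part of the article): a pre-signing check for ERC-20 approve()
# calldata, the transaction a fake-airdrop site asks the wallet to sign.
# Assumptions: calldata is the raw hex a dapp passes to eth_sendTransaction, and the
# user keeps a short allowlist of spender contracts they deliberately trust (constructed).

# keccak256("approve(address,uint256)")[:4], the standard ERC-20 function selector.
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1

# Constructed allowlist: spender contracts the user has knowingly approved before.
TRUSTED_SPENDERS = {
    "0x1111111111111111111111111111111111111111",  # constructed stand-in for a known DEX router
}


def decode_approve(calldata: str):
    """Return (spender, amount) if calldata is an ERC-20 approve() call, else None."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    # ABI encoding: each argument occupies a 32-byte word; the address is right-aligned.
    spender = "0x" + data[8 + 24:8 + 64]
    amount = int(data[8 + 64:8 + 128], 16)
    return spender, amount


def assess_approval(calldata: str, trusted=TRUSTED_SPENDERS) -> str:
    """Classify an approve() request before it is signed.

    Returns 'not-approve', 'ok', 'unknown-spender' or 'unlimited-unknown-spender'.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-approve"
    spender, amount = decoded
    if spender in trusted:
        return "ok"
    # Unlimited allowance to an unknown contract is the drainer pattern: the user receives
    # nothing, and the spender can later call transferFrom for the whole balance.
    if amount >= MAX_UINT256:
        return "unlimited-unknown-spender"
    return "unknown-spender"


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used here only to construct sample inputs."""
    word_spender = spender.lower().removeprefix("0x").rjust(64, "0")
    word_amount = format(amount, "064x")
    return "0x" + APPROVE_SELECTOR + word_spender + word_amount


# Constructed sample: what a fake-airdrop page would ask the wallet to sign.
DRAINER_CALLDATA = encode_approve("0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", MAX_UINT256)
# Constructed sample: a bounded approval (500 units of a 6-decimal token) to a trusted spender.
NORMAL_CALLDATA = encode_approve("0x1111111111111111111111111111111111111111", 500 * 10**6)

if __name__ == "__main__":
    for label, calldata in [("drainer", DRAINER_CALLDATA), ("normal", NORMAL_CALLDATA)]:
        print(label, "->", assess_approval(calldata))
```

The check deliberately treats an unknown spender as a warning even for a bounded amount; the allowlist is the only thing that turns a request into "ok", because the spender address is what the phishing site controls and the amount is what it maximises.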
The Hedera team promised to provide more details soon. Cointelegraph was unable to confirm how much cryptocurrency was lost to phishing emails at the time of publication.
White Hat Corner: MOVEit Transfer vulnerability patched
According to an official notice from the software’s development team, security researchers have discovered a critical vulnerability in the MOVEit file transfer software developed by Progress. The vulnerability has been patched in the current version.
Some large companies use MOVEit Transfer to move files between employees. These files may contain customer data, private keys or other sensitive information. According to a report by cybersecurity firm watchTowr Labs, the vulnerability could allow an attacker to impersonate any user on the corporate network as long as the attacker knows that user’s username.
To carry out the attack, the hacker had to provide a username to the server. In response, the server requested the user’s private key. But instead of supplying the real key (which the attacker would not have), they could provide a path to a file containing a fake key they had generated themselves.
Due to a peculiarity in the way the MOVEit software handles this situation, it generates an empty string as the public key, which makes it appear as if authentication has failed. However, watchTowr found that although the authentication step produces an error message and appears to have failed, the critical “statuscode” variable, which is used to block errant users, is set as if the attacker had authenticated properly.
As a result, the attacker will have access to any files the actual user has access to, allowing them to obtain sensitive client or customer data.
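The bug class described above, an authentication routine that reports an error while a separate status variable still reads as "authenticated", can be modelled in a few lines. The following is an added, deliberately simplified example; it is not MOVEit code and not watchTowr’s proof of concept. The key store, the fake filesystem, the function names and the status constants are all constructed for illustration, and the "empty string on a bad key path" behaviour is an assumption modelled on the article’s description.

```python
# Added example (not MOVEit code, not watchTowr's proof of concept): a toy model of an
# authentication routine whose status code is decoupled from its error path, beside a
# fail-closed version. All names, keys and paths below are constructed.

STATUS_AUTHENTICATED = 1
STATUS_DENIED = 0

# Constructed key store: username -> registered public key (a string stands in for the key).
KEY_STORE = {
    "alice": "CONSTRUCTED-PUBLIC-KEY-FOR-ALICE",
}

# Constructed filesystem: path -> file contents. Any other path yields an empty string,
# which is the assumption taken from the article's "empty string as the public key".
FAKE_FS = {
    "/home/alice/.ssh/id_ed25519.pub": KEY_STORE["alice"],
}


def load_key_from_path(path: str) -> str:
    """Stand-in key loader: returns '' when the path does not hold a parsable key."""
    return FAKE_FS.get(path, "")


def authenticate_vulnerable(username: str, key_path: str):
    """Bug: statuscode is decided from the username alone, and the error path never resets it."""
    statuscode = STATUS_AUTHENTICATED if username in KEY_STORE else STATUS_DENIED
    presented = load_key_from_path(key_path)
    registered = KEY_STORE.get(username, "")
    message = "ok"
    if presented == "" or presented != registered:
        message = "authentication failed: key mismatch"  # logged, but statuscode is left as-is
    return statuscode, message


def authenticate_fixed(username: str, key_path: str):
    """Fail closed: the status is derived only from the outcome of the key comparison."""
    presented = load_key_from_path(key_path)
    registered = KEY_STORE.get(username)
    if registered is None or presented == "" or presented != registered:
        return STATUS_DENIED, "authentication failed"
    return STATUS_AUTHENTICATED, "ok"


def can_read_files(auth_fn, username: str, key_path: str) -> bool:
    """Authorization layer that, as the article describes, trusts only the status code."""
    statuscode, _message = auth_fn(username, key_path)
    return statuscode == STATUS_AUTHENTICATED


if __name__ == "__main__":
    bogus = "/tmp/attacker_supplied.pub"  # constructed path that holds no valid key
    print("vulnerable:", authenticate_vulnerable("alice", bogus), can_read_files(authenticate_vulnerable, "alice", bogus))
    print("fixed:     ", authenticate_fixed("alice", bogus), can_read_files(authenticate_fixed, "alice", bogus))
```

The detection angle for defenders is the mismatch the model makes visible: an "authentication failed" log line followed immediately by file access for the same session is the signal to alert on, regardless of which product produced it.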
Progress patched the vulnerability on June 25. However, some businesses may not have upgraded to the latest version yet. “We strongly advise all MOVEit Transfer customers using versions 2023.0, 2023.1, and 2024.0 to immediately upgrade to the latest patch version,” the developer said.
The company said MOVEit Cloud is not affected by the vulnerability, as it has already been patched.
Address poisoning attack: Victim loses $70,000 in USDT
Blockchain security company Cyvers detected a large-scale address poisoning attack on June 28. The victim lost $70,000 worth of USDT.
The attack began on June 25, when the victim transferred 10,000 USDT to a Binance deposit address starting with “0xFd0C0318” and ending with “1630C11B”.
Shortly afterwards, the attacker sent 10,000 fake USDT from the victim’s account to an account under the attacker’s control. This transfer was made without the victim’s permission, but was successful because the fake tokens contained a malicious transfer function.
The address to which these fake tokens were sent started with “0xFd0Cc46B” and ended with “6430c11B” and contained the same first six and last four letters as the victim’s Binance deposit address. The attacker most likely used a vanity address generator to generate addresses similar to this.
Two days later, on June 27, the victim sent 70,000 USDT to this malicious address. The victim probably copied and pasted the address from their transaction history while trying to deposit the funds into Binance. Binance never received the funds, which are now in the hands of the attackers.
The Tether development team can freeze wallet addresses holding USDT. However, it typically only freezes addresses at the request of law enforcement. At the time of publishing, these wallets still hold USDT and have not yet exchanged it for other tokens, so a freeze may already have occurred. If the address has not yet been frozen, there is still time to file a complaint, and the victim may even get the funds back.
However, it is possible for an attacker to exchange USDT for Ether or another cryptocurrency before the address is frozen, making it much more difficult to recover the funds.
Cryptocurrency users should be aware that some wallet applications load transaction history directly from the blockchain. As a result, transactions may appear to have been made by the user when in fact they were made by a third party. Users are advised to check every character of an address, not just the first and last few, before sending a transaction.
Unfortunately, this user may have learned this lesson at a high price. This mistake could leave you $70,000 poorer.
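The two checks the article recommends, comparing the whole address rather than its visible ends and not trusting history entries the user never signed, can be built into a wallet or a pre-send script. The following is an added example, not code from the article or from Cyvers. Every address, token contract and history row in it is constructed; none are the real addresses from the incident, and the history layout (a `tx_sender` field separate from the token-transfer `from` field) is an assumption about what a wallet can see.

```python
# Added example (not from the article or Cyvers): pre-send checks against address poisoning.
# 1) check_destination: exact match against the address book, and a lookalike warning when
#    only the abbreviated prefix/suffix matches.
# 2) trusted_recent_recipients / poisoned_entries: build "recent recipients" only from
#    transfers of a genuine token that the user's own key actually signed.
# All addresses, contracts and history rows are constructed.

WALLET    = "0x" + "aa" * 20                       # the user's own address (constructed)
ATTACKER  = "0x" + "bb" * 20                       # constructed
SAVED     = "0xa1b2" + "00" * 16 + "c3d4"          # verified deposit address (constructed)
LOOKALIKE = "0xa1b2" + "ff" * 16 + "c3d4"          # same first/last 4 hex chars, different middle
REAL_USDT = "0x" + "11" * 20                       # constructed stand-in for the genuine token contract
FAKE_USDT = "0x" + "22" * 20                       # constructed stand-in for the attacker's fake token

ADDRESS_BOOK = {"binance-deposit": SAVED}          # label -> address verified in full, once
REAL_TOKENS = {REAL_USDT}


def abbreviate(addr: str) -> str:
    """The abbreviated form wallets display; poisoning works because it collides."""
    h = addr.lower()[2:]
    return f"0x{h[:4]}...{h[-4:]}"


def check_destination(addr: str, book=ADDRESS_BOOK) -> str:
    """Return 'exact-match:<label>', 'lookalike:<label>' or 'unknown' for a destination."""
    a = addr.lower()
    for label, saved in book.items():
        s = saved.lower()
        if a == s:
            return "exact-match:" + label
        if a[2:6] == s[2:6] and a[-4:] == s[-4:]:
            # Visible ends match a saved address but the full string does not: the
            # signature of a vanity-generated poison address.
            return "lookalike:" + label
    return "unknown"


# Constructed history as a wallet might load it from the chain. The second row is the
# poison: a fake-token transfer "from" the wallet that the attacker's key actually signed.
HISTORY = [
    {"tx_sender": WALLET,   "token": REAL_USDT, "from": WALLET, "to": SAVED,     "amount": 10_000},
    {"tx_sender": ATTACKER, "token": FAKE_USDT, "from": WALLET, "to": LOOKALIKE, "amount": 10_000},
]


def trusted_recent_recipients(history, wallet=WALLET, real_tokens=REAL_TOKENS):
    """Recipients worth offering as 'recent': genuine token, transaction signed by the user."""
    return [
        e["to"] for e in history
        if e["tx_sender"].lower() == wallet.lower() and e["token"] in real_tokens
    ]


def poisoned_entries(history, wallet=WALLET, real_tokens=REAL_TOKENS):
    """Entries that look like the user's outgoing transfers but were not signed by the user
    or did not move a genuine token."""
    return [
        e for e in history
        if e["from"].lower() == wallet.lower()
        and (e["tx_sender"].lower() != wallet.lower() or e["token"] not in real_tokens)
    ]


if __name__ == "__main__":
    print(abbreviate(SAVED), "==", abbreviate(LOOKALIKE))
    print("destination:", check_destination(LOOKALIKE))
    print("safe recipients:", trusted_recent_recipients(HISTORY))
    print("poisoned rows:", len(poisoned_entries(HISTORY)))
```

The key design choice is that the "recent recipients" list is derived from who signed the transaction, not from the token-transfer `from` field, since the latter is whatever the fake token's transfer function chose to emit.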
Centralized exchange hack: BtcTurk loses hot wallet funds to stolen private keys
On June 22, the Istanbul-based cryptocurrency exchange BtcTurk was compromised via stolen private keys. The exchange acknowledged the attack the following day. According to Google Translate, part of the statement reads, “Dear users, our team has detected a cyberattack on our platform on June 22, 2024, which has resulted in uncontrollable (losses).”
The exchange said the attack only hit hot wallets and that most of its assets remain safe. It also stated that it had sufficient “financial power” to cover the losses and that customer balances would not be affected.
Cybersecurity firm Halborn estimated that BtcTurk lost more than $55 million in the attack.
According to on-chain detective ZachXBT, the attackers appear to have deposited 1.96 million AVAX ($54.2 million) into the centralized exchanges Coinbase, Binance and Gate.com and converted it into Bitcoin: on-chain data shows almost the same value of BTC being withdrawn from these exchanges shortly after the AVAX was deposited.
AVAX fell 10% as a result of this swap.
[Figure: the reported attacker deposits to and withdrawals from centralized exchanges. Source: ZachXBT, Telegram]
Following the attack, BtcTurk launched a new hot wallet whose private keys are not under the attacker’s control. The exchange strongly advised users not to use their old deposit addresses, because funds sent to them could potentially be stolen by the attackers. Instead, users must deposit using the new addresses shown in the app interface.
Christopher Locke
Some say he is a white hat hacker living in the black mining hills of Dakota, pretending to be a children’s crossing guard to avoid the NSA’s eyes. What we do know is that Christopher Locke has a pathological desire to hunt scammers and hackers.