Cyber Pulse: Edition 131 | 28 September 2020

Here is our cyber security news round-up of the week:

Major KuCoin cryptocurrency theft

Singapore-based cryptocurrency exchange KuCoin disclosed a major security incident: hackers breached its hot wallets and stole all the funds to the tune of around $150 million. Deposits and withdrawals have been temporarily suspended while the company is investigating the security incident. A statement published by the company reads:

“We detected some large withdrawals since September 26, 2020 at 03:05:37 (UTC+8). According to the latest internal security audit report, part of Bitcoin, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange, which contained few parts of our total assets holdings.”

"Hot wallet" refers to any cryptocurrency wallet that is connected to the internet, and for this reason, they are more exposed to cyber attacks. Hot wallets are used as temporary storage systems for assets that are currently being exchanged on the exchange.

"Cold storage" refers to any cryptocurrency wallet that is not connected to the internet, and for this reason, they are considered more secure. They usually don’t contain as many cryptocurrencies as do many of the hot wallets.

KuCoin discovered the security breach on 26 September when its staff noticed some large withdrawals from its hot wallets. The exchange immediately investigated the anomalous operations and discovered the cyber heist of Bitcoin assets, ERC-20-based tokens, along with other cryptocurrencies. The overall amount of funds stolen by the hackers is greater than $150 million, based on an Etherium address where the stolen funds were transferred.

Hungarian financial institutions and telecommunications hit by DDoS attack

A powerful distributed denial of service (DDoS) attack hit some Hungarian banking and telecommunication services, briefly disrupting them. According to telecoms firm Magyar Telekom, the attack took place on Thursday and they revealed that the attack was very powerful – in fact, it's one of the biggest cyberattacks that ever hit Hungary. The volume of data traffic in the attack was 10 times higher than the amount usually seen in DDoS events, Reuters news agency reported. The attack was able to disrupt the services of some of the banks in the country causing temporary interruptions in Magyar Telekom’s services in certain parts of the capital, Budapest. The cyber attack was also confirmed by the Hungarian bank OTP Bank in a statement:

“There was a DDoS attack on telecom systems serving some of the banking services on Thursday.. We repelled the attempt together with Telekom that was also affected and the short disruption in some of our services ended by Thursday afternoon.” 

Microsoft’s Bing mobile apps data leak

Microsoft’s Bing mobile apps, available on Android and iOS, have been the victim of a data leak. Security researchers found an Elastic server that had its password protection removed, reportedly as a “misconfiguration” of the server, which resulted in 6.5TB of search data being made available publicly on the internet, which grew by up to 200GB per day.

The researchers found the unprotected server on 12 September, although the authentication is estimated to have been removed two days prior. After discovering the data was coming from Bing’s mobile apps, by performing a search themselves and seeing it appear in the data, the researchers contacted Microsoft on 13 September, and the information was given to Microsoft’s Security Response Centre, which acted to resolve the problem a few days later.

The data leak has exposed a trove of data that Microsoft collects from users who use the Bing mobile apps. The data include:

• Search terms (excluding any searches in ‘private’ mode)
• GPS coordinates (if location permissions are enabled, with a ~500-metre accuracy)
• Date and time of the search
• Firebase notification tokens
• Coupon data
• Partial list of the URLs visited by the user from the search results
• Device model
• Operating system
• 3 unique identifiers, including:
  • ADID: possibly an identifier for a Microsoft Account
  • deviceID
  • devicehash

None of the data was encrypted.

Banking trojan Cerberus attacks increase

The release of the Cerberus trojan source code has, as predicted, been followed by an increase in attacks using the banking trojan, researchers report. Apparently, despairing of getting their reserve price in an online auction that didn’t work out to their satisfaction, and faced with the difficulty of maintaining the malware as the gang broke up, the managers of Cerberus last week released their source code online. The result has been an immediate rise in mobile application infections and attempts to steal money from consumers in Russia and across Europe, as more and more cybercriminals acquire the malware for free. Researchers are seeing the same sort of jump in functionality and usage they observed when Anubis went public last year.

Legacy Windows source code leaked

The source code for Windows XP SP1 was leaked online today as a torrent. The person behind the leak claims he spent two months collecting the 43GB source code and leaked it today on the 4chan forum as a torrent.

The leaked files, confirmed by security researchers, contains not only Windows XPs code but also that of Windows Server 2003 and other older versions.

Files in the torrent include:

• MS-DOS 3.30
• MS-DOS 6.0
• Windows 2000
• Windows CE 3
• Windows CE 4
• Windows CE 5
• Windows Embedded 7
• Windows Embedded CE 
• Windows NT 3.5 
• Windows NT 4

Even though Windows XP was released 20 years ago, if any code is used in the present versions of Windows then it could very well be threatening. With the source code, it becomes easier to know how Windows is run and if a big issue exists in XP and the same code is used in Windows 10, then hackers could exploit this vulnerability.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber-security courses.