Blockchain platform Solana breached - $8 million and counting
Solana, an increasingly popular blockchain known for its speedy transactions, has become the target of the crypto sphere's latest hack after users reported that funds had been drained from internet-connected "hot" wallets. An unknown actor drained funds from approximately 8,000 wallets on the Solana network, Solana's Status Twitter account said. The loss so far is estimated at around $8 million. The attack, which has affected only "hot" wallets (wallets that stay connected to the internet so that users can store and send tokens easily), is not limited to the native SOL token. Justin Barlow, an investor at Solana Ventures, reported that his USDC balance was drained as well. Crypto analyst @0xfoobar confirmed that "the attacker is stealing both native tokens (SOL) and SPL tokens (USDC)… affecting wallets that have been inactive for less than 6 months."
The attack has compromised wallets from several providers, including Phantom, Slope and TrustWallet. Initial reports suggested Solflare users were also impacted, but the company told TechCrunch it has not been affected by this exploit. Drained wallets should be treated as compromised and abandoned, Solana warned, and it encouraged users to move to hardware or "cold" wallets. The cause of the attack remains unclear, but industry leaders including Emin Gün Sirer, founder of the Avalanche blockchain, pointed out that the draining transactions were properly signed, which means the vulnerability could be a "supply chain attack" that manages to steal users' private keys rather than a flaw in the chain itself. @0xfoobar added that "it's likely something has caused widespread private key compromise", and warned that revoking wallet approvals will probably not help: approvals limit what a contract may spend, not what the holder of the key may sign. Edited – Original source: Solana
Cryptocurrency service drained of $200 million in Nomad hack
Cryptocurrency service Nomad suffered a "chaotic" attack on Monday and into Tuesday morning, with attackers draining almost $200 million in digital funds from the company within a few hours. In a tweet on Tuesday morning, Nomad said it had notified law enforcement and retained blockchain intelligence and forensics firms, and that its goal is to identify the accounts that siphoned cryptocurrency from its service and recover the money.
“We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.”
Nomad operates a so-called blockchain bridge, which allows people to move tokens from one blockchain to another, addressing the interoperability problem between different cryptocurrencies. These technologically complex services have been prone to attacks, with hackers exploiting security vulnerabilities to steal more than $1 billion in assets so far in 2022, according to forensics firm Elliptic.

One security researcher on Twitter described the Nomad attack as "chaotic" and a "free-for-all", with people swarming to drain the accounts after realising that a security flaw meant that anyone who could find a valid transaction request could replace the original recipient's address with their own and effectively redirect the assets to their own account. Nomad blamed "impersonators posing as Nomad and providing fraudulent addresses to collect funds."

The theft follows the hack of the Harmony bridge in June, which lost about $100 million. Bridges are seen as especially vulnerable partly because of their relative newness and the inevitable bugs that come with it, and are therefore frequently targeted. Recent hacks include the $320 million Wormhole hack in February and the more than $600 million Ronin Network hack in March. Bridges are also attractive targets because they hold large amounts of cryptocurrency, and because of their lack of decentralisation and oversight, according to Elliptic. Some bridges do not require many signatures to approve a transaction, and some services have sacrificed security in order to develop quickly, Elliptic added. Edited – Original source: Elliptic
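The "copy a valid request, swap in your own address" failure mode described above comes down to one question: does the check that authorises a release of funds cover every field that decides where the funds go? The toy bridge below is an added illustration, not Nomad's code or an account of its actual bug; the operator key, message layout, addresses and amounts are all constructed here. The "weak" attestation binds the nonce, sender and amount but not the recipient, so a copied message with a different recipient still verifies and, because the processed-message set keys on the full message, is treated as new rather than as a replay. The "fixed" attestation binds the recipient as well, so the same forgery fails and only the exact original is processed, once.

```python
"""Toy cross-chain bridge showing why an attestation that does not cover the
recipient lets anyone redirect someone else's transfer.  Added illustration;
not Nomad's code, and every name, key and value here is a hypothetical
construction."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed operator key for the toy bridge (not a real secret).
BRIDGE_KEY = b"hypothetical-bridge-attestation-key"


@dataclass(frozen=True)
class BridgeMessage:
    nonce: int          # sender-side sequence number
    sender: str         # address on the source chain
    recipient: str      # address credited on the destination chain
    amount: int
    tag: bytes = b""    # attestation produced by the bridge operator


def _mac(*fields):
    return hmac.new(BRIDGE_KEY, b"|".join(f.encode() for f in fields),
                    hashlib.sha256).digest()


def tag_weak(msg):
    """Flawed attestation: binds nonce, sender and amount but NOT the recipient."""
    return _mac(str(msg.nonce), msg.sender, str(msg.amount))


def tag_fixed(msg):
    """Correct attestation: every field that decides where value goes is bound."""
    return _mac(str(msg.nonce), msg.sender, msg.recipient, str(msg.amount))


def message_id(msg):
    """Key of the processed-message set.  It covers all fields, so a copy with a
    different recipient looks like a brand-new message to replay tracking."""
    return hashlib.sha256(
        b"|".join(str(v).encode()
                  for v in (msg.nonce, msg.sender, msg.recipient, msg.amount))
    ).hexdigest()


class Bridge:
    """Destination-chain side: releases funds for attested messages once each."""

    def __init__(self, tag_fn, vault=1_000):
        self.tag_fn = tag_fn
        self.vault = vault
        self.processed = set()
        self.balances = {}

    def attest(self, msg):
        return replace(msg, tag=self.tag_fn(msg))

    def process(self, msg):
        if not hmac.compare_digest(self.tag_fn(msg), msg.tag):
            return False                       # attestation does not verify
        mid = message_id(msg)
        if mid in self.processed:
            return False                       # exact replay of a processed message
        self.processed.add(mid)
        self.vault -= msg.amount
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def run_demo():
    """Run the legitimate transfer, the recipient-swapped copy and an exact replay
    against both bridge variants; returns the outcomes keyed by variant."""
    alice = BridgeMessage(nonce=1, sender="alice.src", recipient="alice.dst", amount=100)
    out = {}
    for name, tag_fn in (("weak", tag_weak), ("fixed", tag_fixed)):
        bridge = Bridge(tag_fn)
        legit = bridge.attest(alice)
        out[f"{name}_legit"] = bridge.process(legit)
        # Attacker copies the attested message, keeps the tag, swaps the recipient.
        forged = replace(legit, recipient="mallory.dst")
        out[f"{name}_forged"] = bridge.process(forged)
        out[f"{name}_replay"] = bridge.process(legit)      # exact replay
        out[f"{name}_vault"] = bridge.vault
        out[f"{name}_mallory"] = bridge.balances.get("mallory.dst", 0)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the weak bridge the forged copy is accepted and the attacker can repeat it with as many fresh recipient addresses as they like, each one draining another 100 from the vault; against the fixed bridge only the original is honoured. The same reasoning applies to whatever the real integrity mechanism is (a signature set, a Merkle proof, a threshold of validator signatures): if the verified data does not include the destination, the destination is attacker-controlled.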
Robinhood’s crypto division fined $30 million by New York financial regulator
The New York State Department of Financial Services announced on Tuesday that it has issued a $30 million penalty against Robinhood's crypto division. NYDFS, the state body responsible for regulating financial services and products, alleged that Robinhood Crypto's anti-money laundering and cybersecurity programme was inadequately staffed and lacked the resources to address its risks. It also alleged that Robinhood Crypto failed to transition in a timely manner from a manual transaction monitoring system to one adequate for its user base and transaction volume.
“As its business grew, Robinhood Crypto failed to invest the proper resources and attention to develop and maintain a culture of compliance—a failure that resulted in significant violations of the Department’s anti-money laundering and cybersecurity regulations,” said NYDFS Superintendent Adrienne Harris.
The $30 million penalty is NYDFS's first enforcement action in the crypto sector. Robinhood said last year that it expected to pay a $30 million settlement to NYDFS following a 2020 investigation into anti-money laundering and cybersecurity issues. The regulator said Robinhood Crypto violated the law when, despite the alleged deficiencies, it certified compliance to the department. Robinhood Crypto also allegedly breached consumer protection requirements by failing to maintain a distinct, dedicated phone number on its website for consumer complaints. Robinhood Crypto will have to retain an independent consultant to evaluate its compliance with the relevant regulations. Edited – Original source: DFS
Single-core CPU cracks post-quantum encryption candidate algorithm in just an hour
A late-stage candidate encryption algorithm that was meant to withstand decryption by future quantum computers has been broken, without any quantum hardware, by a classical attack running on a single core of an Intel Xeon CPU in about an hour. The algorithm in question is SIKE, short for Supersingular Isogeny Key Encapsulation, which had made it to the fourth round of the Post-Quantum Cryptography (PQC) standardisation process run by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). The academics behind the attack noted that their code was executed on an Intel Xeon CPU E5-2630v2 at 2.60GHz, a chip released in 2013 on Intel's Ivy Bridge microarchitecture. The findings come shortly after NIST, in early July, announced the first set of quantum-resistant algorithms selected for standardisation: CRYSTALS-Kyber for general encryption (key establishment), and CRYSTALS-Dilithium, FALCON and SPHINCS+ for digital signatures. SIKE was not among them; it remained in the fourth round as an alternate candidate.
"SIKE is an isogeny-based key encapsulation suite based on pseudo-random walks in supersingular isogeny graphs," the description from the algorithm's authors reads. Microsoft, one of the key collaborators on the algorithm, said SIKE uses "arithmetic operations on elliptic curves defined over finite fields and compute maps, so-called isogenies, between such curves." Isogeny-based schemes are a different mathematical family from the lattice-based Kyber and Dilithium, so the break of SIKE says nothing directly about the security of the algorithms NIST selected.
Quantum-resistant cryptography is an attempt to develop encryption systems that are secure against both quantum and classical computers while still interoperating with existing communications protocols and networks. The main concern is public-key algorithms such as RSA and elliptic curve cryptography (ECC), which a sufficiently large quantum computer running Shor's algorithm would break outright; symmetric ciphers such as AES and ChaCha20 are affected far less, since the best known quantum attack (Grover's algorithm) only roughly halves their effective key length. The practical worry is that data encrypted today under current public-key algorithms could be harvested now and decrypted once such a machine exists. Edited – Original source: NIST
More malicious Android apps spotted on the Google Play Store
Researchers from Dr. Web have discovered a number of malicious apps posing as image-editing tools, virtual keyboards, system optimisers and wallpaper changers on the Google Play Store. These apps were pushing intrusive ads, subscribing users to premium services and stealing social media accounts. After installation, the apps request permission to draw overlay windows on top of other apps and ask to be excluded from battery optimisation so that they keep running in the background. Their icons are then hidden from the app drawer or replaced with the icon of a core system component, such as SIM Toolkit, to make them harder to find and remove.
One such adware app, named Neon Theme Keyboard, is still available on the Play Store. It has over a million downloads despite a 1.8-star rating and a large number of negative reviews. There are other similar threats on the Play Store. A set of apps was reported to be packaged with Joker malware, known for running up fraudulent charges on victims' mobile numbers by subscribing them to premium services. Recently, two Facebook account stealers were found embedded in image editing tools. Collectively these apps have been downloaded more than 1.5 million times. Android malware keeps getting more sophisticated at circumventing the Play Store's checks and can remain on the store for months. Users should therefore verify apps before installing them by checking reviews and ratings, visiting the developer's website when unsure and, most importantly, paying attention to the permissions requested: a keyboard or wallpaper app has no legitimate need to draw over other apps or to exempt itself from battery optimisation. Edited – Original source: Dr Web
Investment fraud scams target European investors via thousands of fake sites
A massive network of 11,000 domains has been found promoting fake investment schemes to European users; according to researchers, more than 5,000 of these malicious domains are currently active. Researchers from Group-IB spotted the operation and tracked its network of content hosts, phishing sites and redirectors. The aim of the operation is to lure users with the promise of high-return investments and persuade them to deposit a minimum of $255 to register for the fake services. The platforms hosted on the fake domains display fabricated evidence of enrichment and counterfeit celebrity endorsements to appear authentic.
The targeted countries are the U.K., Germany, Belgium, Portugal, Poland, Norway, the Netherlands, Sweden and the Czech Republic. First, the scammers advertise on social media platforms or use hijacked Facebook or YouTube accounts to reach a wider audience and find potential victims. Users who click on the ads are redirected to landing pages with fake success stories, where they are asked for their contact details. A "customer agent" from a call centre then contacts the victim and talks them through the supposed investment, convincing them to deposit 250 EUR (about $255) or more. Once a victim deposits the funds, they are given access to a fake investment dashboard showing fictitious daily gains, an illusion of a legitimate investment designed to persuade them to deposit more to "earn" more. The scam only becomes apparent when victims try to withdraw money from the platform. Edited – Original source: Group-IB
German business association hit by cyber attack
The Association of German Chambers of Industry and Commerce (DIHK) has become the target of a "massive cyberattack", forcing it to shut down all of its IT systems, including telephones, email servers and digital services. The DIHK is a coalition of 79 chambers that represents commercial, industrial and service businesses in Germany. More than three million companies, from small shops to major enterprises, are among its members. In addition to providing its members with a range of general support services, DIHK is responsible for advocating for the business sector's interests at the national and European levels.
According to a statement posted on the DIHK website, the shutdown was implemented as a precautionary security measure to give IT staff time to strengthen defences. It added that IT experts are currently working to resolve the issue and that systems will be brought back gradually after testing. Some services for businesses have already been resumed after being confirmed safe to use, although full restoration will take more time. While the incident carries the hallmarks of ransomware, this has not been officially confirmed. According to the German tech news site Heise, individual chambers in North Rhine-Westphalia, Bavaria, Lower Saxony and Mecklenburg-Western Pomerania have all been experiencing issues, suggesting that the attack's effects are widespread and not confined to any one region. Microsoft has identified more than 100 organisations in 42 countries that have been impacted by attacks since the start of the Ukraine war. Edited – Original source: HEISE
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored to business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. He is responsible for the QA cyber portfolio, products, proposition and cyber partner community, and has over 15 years' experience in senior information security roles.