Saturday, September 28, 2024

Hacking of a cryptocurrency account using social engineering

Social engineering attacks aimed at compromising cryptocurrency holdings can be very sophisticated, as the reward can be very large.

This recent 2024 case involved 4,064 BTC worth about $239MM (BTC transaction hash 4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090). The steps of the attack included:

(1) Calling the victim as Google Support from a spoofed number to compromise the victim's personal Gmail account,

(2) Calling the victim as purported Gemini exchange support, claiming that the exchange account had been hacked,

(3) Persuading the victim to reset 2FA and send funds from the Gemini exchange wallet to a compromised non-custodial wallet, and finally

(4) Persuading the victim to share his screen so that the private keys to that compromised wallet could be stolen.

The stolen 4,064 BTC were first split equally into two wallets and then, after a few hops, into 6 wallets. As the next step, each of these six wallets implemented a peeling chain with dozens to hundreds of hops, at the end of which the stolen funds were transferred to more than 15 centralized crypto exchanges. Some of the stolen BTC were also swapped through the Thorswap Finance DEX into LTC, ETH and XMR (the privacy coin Monero). Some of the funds have already been frozen by exchanges and recovered, while some have been located in non-custodial wallets (for example, more than $60MM at current value is sitting in two non-custodial ETH addresses).
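Added example (not from the original post) of how an analyst traces a peeling chain like the one described above: on a constructed, simplified transaction graph with placeholder txids and addresses, follow the largest output at every hop, collect the small amounts peeled off to exchange deposit addresses, and total them per exchange so freeze requests can be prioritised.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    inputs: list     # addresses spent by this transaction
    outputs: list    # list of (address, amount_btc)

# Constructed sample graph: placeholder txids and addresses, not real ones.
# Each hop peels a small amount to an exchange deposit address and forwards the rest.
SAMPLE_TXS = [
    Tx("tx1", ["hop0"], [("hop1", 99.0), ("exch_A_dep", 1.0)]),
    Tx("tx2", ["hop1"], [("exch_B_dep", 0.8), ("hop2", 98.2)]),
    Tx("tx3", ["hop2"], [("hop3", 97.0), ("exch_A_dep", 1.2)]),
    Tx("tx4", ["hop3"], [("exch_C_dep", 97.0)]),   # remainder deposited: chain ends
]

# Attribution labels an analyst already holds (constructed for the example).
KNOWN_EXCHANGE_ADDRS = {"exch_A_dep": "Exchange A",
                        "exch_B_dep": "Exchange B",
                        "exch_C_dep": "Exchange C"}

def index_by_input(txs):
    """Map each spent address to the transaction that spends it."""
    return {addr: tx for tx in txs for addr in tx.inputs}

def trace_peeling_chain(start_addr, txs, max_hops=1000):
    """Follow the largest output hop by hop.
    Returns (hops, peels): hops = [(txid, next_address, amount)],
    peels = [(txid, address, amount, label)] for every output that left the chain."""
    spender = index_by_input(txs)
    hops, peels = [], []
    addr = start_addr
    for _ in range(max_hops):
        tx = spender.get(addr)
        if tx is None:                       # unspent output: chain ends here
            break
        outs = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        main, rest = outs[0], outs[1:]
        for a, amt in rest:
            peels.append((tx.txid, a, amt, KNOWN_EXCHANGE_ADDRS.get(a, "unattributed")))
        if main[0] in KNOWN_EXCHANGE_ADDRS:   # remainder itself deposited: terminal hop
            peels.append((tx.txid, main[0], main[1], KNOWN_EXCHANGE_ADDRS[main[0]]))
            break
        hops.append((tx.txid, main[0], main[1]))
        addr = main[0]
    return hops, peels

def totals_by_exchange(peels):
    """Sum peeled amounts per attribution label."""
    totals = {}
    for _, _, amt, label in peels:
        totals[label] = totals.get(label, 0.0) + amt
    return totals
```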

In a similar but smaller-scale attack in 2022, the hacker targeted a Crypto.com user and took the following steps:

(1) Took over the victim's email account, most likely by obtaining the password from a database of hacked accounts.

(2) Observed transaction confirmations from Crypto.com to gain intelligence about the user's holdings.

(3) Obtained the user's PIN for the Crypto.com App.

(4) Played man-in-the-middle between Crypto.com and the victim: requested a security reset on Crypto.com to obtain a one-time code, then sent an email to the victim, pretending to be from Crypto.com, claiming that his account was compromised and needed a security reset, and asking for a picture of the victim holding a piece of paper with the one-time secret.

(5) With the picture from the victim, the hacker completed the security reset process with Crypto.com, including resetting the phone number associated with the account and reinstalling and setting up the App.

(6) Once all this was done, the hacker had taken over the victim's Crypto.com account; he converted all movable assets to BTC and sent all the BTC to an external address (bc1qm3n8fg828apfdw2s3km4p3yx774urtjpay8t97). In March 2024, the BTC in this address was transferred out to other addresses:

bc1qa86actz3808u8epjml27n0hdkks283f0z02396

bc1qr4qkufpv6xdtgp6d88dyyfwmxes7k2y6vhj2hg 

Crypto.com did not have any security alerting capability for these suspicious activities (a security reset followed almost immediately by ten transfers out) and claimed no responsibility for this loss.
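Added example (not Crypto.com's code, nor from the original post) of the alerting rule the post finds missing: over a constructed account-event log, flag any account where a security reset is followed within a short window by a burst of outbound transfers. The log format, account names and thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample account-event log, "timestamp,account,event,detail" per line.
# acct-42 mirrors the pattern from the post: a security reset, then ten withdrawals
# within minutes. acct-77 and acct-99 are benign controls.
SAMPLE_EVENTS = "\n".join(
    ["2022-05-01T10:00:00,acct-42,login,ip=203.0.113.5",
     "2022-05-01T10:05:00,acct-42,security_reset,phone_changed",
     "2022-05-01T10:06:00,acct-42,app_reenrolled,device=new"]
    + [f"2022-05-01T10:{9 + m:02d}:00,acct-42,withdrawal,BTC to external-{m}"
       for m in range(10)]
    + ["2022-05-01T11:00:00,acct-77,security_reset,phone_changed",
       "2022-05-03T09:00:00,acct-77,withdrawal,BTC to external-x",  # two days later
       "2022-05-01T12:00:00,acct-99,withdrawal,BTC to external-y"]  # no prior reset
)

def parse_events(text):
    """Parse log lines into (timestamp, account, event, detail) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, event, detail = line.split(",", 3)
        rows.append((datetime.fromisoformat(ts), account, event, detail))
    return rows

def find_reset_then_drain(events, window=timedelta(hours=1), min_transfers=3):
    """Alert on accounts where at least min_transfers withdrawals follow a
    security reset within the window. Returns [(account, reset_time_iso, count)]."""
    by_account = {}
    for ev in sorted(events):
        by_account.setdefault(ev[1], []).append(ev)
    alerts = []
    for account, evs in by_account.items():
        for i, (ts, _, event, _) in enumerate(evs):
            if event != "security_reset":
                continue
            count = sum(1 for t2, _, e2, _ in evs[i + 1:]
                        if e2 == "withdrawal" and t2 - ts <= window)
            if count >= min_transfers:
                alerts.append((account, ts.isoformat(), count))
    return alerts
```

In production the same rule would hold or step up verification for the flagged withdrawals rather than only raising an alert.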

Wednesday, March 20, 2024

Spear phishing attacks launched by hackers linked to Russia are using documents (both real and fake) from governments and NGOs to attack organizations that typically work with them.

The hacking group is referred to as APT28, and also as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, UAC-028.

The same adversary has used Israel-Hamas conflict related information to spread the HeadLace backdoor, and has run spear-phishing attacks against organizations in Ukraine and Poland with the intention of planting malware such as Masepie, Oceanmap, and Steelhook.

In addition, it has leveraged a vulnerability in Microsoft Outlook (CVE-2023-23397) to steal NTLMv2 hash values and use them for further attacks.

In the meantime, the IMF reported that multiple email accounts of its employees were compromised. It is not clear whether this is the result of the above-mentioned attack or related to another Russia-linked hacking group referred to as Midnight Blizzard. This group has been using password spray attacks to compromise Exchange Online (part of the Microsoft Office 365 service suite) accounts.

The attackers used the "search-ms:" URI protocol in Microsoft Windows to download malware stored on WebDAV servers they control.
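Added example (not from the original post) of a detection check for the lure mechanism just described: scan email bodies, HTML or proxy logs for search-ms: URIs whose crumb location points off-host (a UNC path or WebDAV-style URL) rather than at a local folder. The sample content and the .invalid hostname are constructed for the example.

```python
import re
from urllib.parse import unquote

# Any search-ms: URI embedded in HTML, email bodies or proxy logs.
SEARCH_MS_RE = re.compile(r'search-ms:[^"\'\s<>]+', re.IGNORECASE)
# Location forms that point off-host: UNC paths and WebDAV-style URLs.
REMOTE_RE = re.compile(r'^(\\\\|//|https?://)', re.IGNORECASE)

def parse_search_ms(uri):
    """Split a search-ms: URI into its &-separated key=value parameters."""
    body = unquote(uri.split(":", 1)[1])
    params = {}
    for part in body.split("&"):
        if "=" in part:
            k, v = part.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return params

def find_remote_search_ms(text):
    """Return (uri, location) for each search-ms URI whose crumb location is remote."""
    hits = []
    for m in SEARCH_MS_RE.finditer(text):
        crumb = parse_search_ms(m.group(0)).get("crumb", "")
        loc = crumb.split("location:", 1)[1] if "location:" in crumb else ""
        if REMOTE_RE.match(loc):
            hits.append((m.group(0), loc))
    return hits

# Constructed sample: one lure-style link to a remote share, one benign local search.
SAMPLE_HTML = (
    '<a href="search-ms:query=report&crumb=location:\\\\webdav.example.invalid\\share'
    '&displayname=Documents">Open</a>'
    '<a href="search-ms:query=invoice&crumb=location:C:\\Users\\Public">Local</a>'
)
```

A hit is a triage signal for mail filtering or proxy alerting; blocking the handler itself is a separate hardening decision for the endpoint team.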


#APT28 #spearphishing #passwordspray #malware 


Monday, August 21, 2023

Graphical representation of Known Exploited Vulnerabilities

Courtesy of the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) Catalog (https://lnkd.in/gkx3wJQy) and of Dutch painter Piet Mondrian ...  

Wednesday, September 7, 2022

VC investment in cybersecurity cools off in Q2 2022

The cybersecurity startup market has cooled in recent months amid a broader tech slowdown:

  • PitchBook stated that infosec market funding was $3.2b in Q2 2022, down 45% from Q1. Exits fell to 13 in Q2 2022 -- their lowest level since 2018.
  • Separately, DataTribe reported that median valuations for cyber startups fell to $12m in Q2, down 33% from $18m in Q1.

From a broader perspective:

  • The cyber market's long-term prospects remain strong -- the global cybersecurity market is projected to grow at a 13.4% CAGR through 2029.
  • The industry is now inundated with vendors -- most venture-backed, many cash-flow negative. Scores of these new vendors will have layoffs, merge or fail. Some tips for enterprise customers to manage this turmoil:
    • Create a 2x2 with “Criticality to our Ops” vs. “Financial Viability” as the axes -- plot your vendors.
    • Focus on high-risk vendors & ask leadership (not the sales reps): “What’s your monthly cash burn?” and “How much money is in your account?”
    • Start scenario-planning on what you would do if “Vendor X” cuts staff, gets bought or shutters.


Tuesday, September 6, 2022

Nokia's equipment is powering Putin’s surveillance apparatus

  • Despite stopping sales in Russia, Nokia’s equipment continues to power Moscow’s digital surveillance apparatus:
    • For 5+ years, Nokia provided equipment to link the System for Operative Investigative Activities (SORM) to MTS, Russia’s largest telecom provider:
      • FSB -- Russia’s main intelligence service -- uses SORM to listen in on phone conversations & it is being used to crack down on domestic dissent against the invasion of Ukraine.
    • Nokia acknowledged providing the equipment & stated that Russian law required it to make products enabling Russian telecoms to connect with SORM.
    • Nokia executives first pled innocence. When confronted with internal docs, they suggested that if they had not served the FSB, then Huawei would have.


  • The FBI issued a warning to crypto investors about the risks of decentralized finance (DeFi) platforms:
    • Between Jan. & March 2022, cybercriminals stole $1.3 billion in cryptocurrencies -- almost 97% of which came from DeFi platforms.
    • Unlike traditional banks, DeFi platforms aren’t backed by govt insurance policies, meaning investors have little recourse to recover hacked/stolen funds.
  • Fraud, illicit transactions & hacks are pervasive in the crypto market -- hackers now manipulate DeFi platforms’ own governing mechanisms to steal funds:
    • DeFi systems incurred $10.5 billion in criminal losses in 2021.
    • 99% of hacked cryptocurrencies in Q1 2022 were stolen as a result of software exploits.



Tuesday, August 16, 2022

Mailchimp hacked to target crypto customers

Hackers gained access to Mailchimp's internal customer support and account management tools to steal audience data and conduct phishing attacks. The hackers then targeted users of Trezor hardware cryptocurrency wallets.

Users of such wallets received emails claiming that the wallet company had suffered a data breach, and were prompted to reset their hardware wallet PINs by downloading malicious software that allowed the hackers to steal the cryptocurrency stored in the wallet.