Attackers looking to hijack systems for illegally mining digital currencies have begun eyeing business systems, security vendors say. In an ominous trend for businesses, hijacking computers for cryptocurrency mining appears to have become the go-to strategy for cybercriminals looking for a safe and reliable way to generate illegal revenues.
“We’ve seen an uptick in unauthorized crypto-mining, or cryptojacking, targeting businesses.”
“While cryptocurrency mining has typically been viewed as a nuisance, we’ve recently seen several cases where mining has impacted business operations.”
How does Bitcoin mining work?
Crypto mining is a fairly complex process where a computer’s processing resources are used for blockchain transaction verification. Mining is a very CPU-intensive, resource-hogging activity and some digital currencies like Bitcoin require special-purpose hardware to do it. Several other digital currencies like Monero, Zcash, and Ethereum, however, can also be mined by pooling the resources of multiple computers.
In return for installing a mining tool and allowing their computer resources to be pooled for mining, the miners, or owners of the computers, receive digital coins. Mining itself is a legal activity, and many people around the world allow their systems to be used for the purpose in hopes of making some money on the side.
Threat to the cryptocurrency market
Criminals Using Web Injects to Steal Cryptocurrency: “Man-in-the-browser attacks targeting Blockchain.info and Coinbase websites, SecurityScorecard says.”
A Web inject is basically code for injecting malicious content into a Web page before the page is rendered in a user’s browser. It works by intercepting and modifying traffic between a Web server and the user’s browser in such a manner that the victim typically does not notice anything amiss.
How does it work?
Web injects can be used to add or delete content on the Web pages that a victim sees. For instance, a Web inject can be used to add a field in the login screen for capturing the PIN a user might use to access his or her bank account, or it can be used to delete warnings that a user might normally see when viewing a particular Web page. Web injects typically have been used to steal credentials for accessing bank accounts, but recently have begun to play a role in cryptocurrency heists as well.
- Exploits are easily available for blockchain attacks on the internet.
Botmasters can readily buy the Web injects for Coinbase and Blockchain.info and distribute them to infected computers in a botnet, says Doina Cosovan, malware researcher at SecurityScorecard. The malware installed on those infected computers receives the Web injects and injects them into the Coinbase and Blockchain.info websites if a user happens to visit either site. “Once this change is made, the injected content can start making transactions without the need to authorize them with [two-factor authentication],” Cosovan says. “Even more, the user’s access to the settings is blocked, so that he can’t enable the two-factor authentication for transactions.”
Illegal crypto-mining is just one form of cryptocurrency fraud. Cybercriminals have also begun stealing tens of millions of dollars directly from electronic wallets used to store digital currency, as well as targeting cryptocurrency exchanges and trading platforms. Michael Marriott, research analyst at Digital Shadows, points to one recent incident where criminals targeted the Initial Coin Offering for blockchain application company Experty and used phishing emails to trick potential coin buyers to send funds to an attacker-owned wallet.
What are sources for these types of attacks/exploits?
Driving the trend is the easy availability of do-it-yourself kits that almost anyone can use for illegal mining. Criminals can rent mining botnets for as little as $30 to $130 per month, and software for distributing miners for as little as $29.
Attackers have also begun searching on sites such as GitHub for keys to cloud services such as AWS in order to use cloud-based machines to mine cryptocurrencies, he notes. “If attackers have access to an organization’s cloud services, then as well as performing mining activity, they could realistically do other malicious acts, such as stealing data or installing malware payloads,” Marriott says.
CrowdStrike has observed crypto-mining attacks within the Education, Entertainment, Financial, Healthcare, Insurance, and Technology sectors, says York. Some of the tools used in the attacks pose a particular threat to enterprises. One example, he says, is WannaMine, a crypto-mining worm that uses sophisticated propagation and persistence methods to spread and remain on systems.
“WannaMine propagates more effectively within a corporate network than it would on a consumer network.”
It uses the Mimikatz credential-harvester to acquire credentials and move laterally within organizations using the legitimate credentials. “If unsuccessful, WannaMine attempts to exploit the remote system with the EternalBlue exploit used by WannaCry in early 2017. This approach is generally more effective in corporate networks,” he says.
The Nightmare for crypto miners
Three cryptocurrencies—Bitcoin Gold, Verge, and Monacoin—were hit with a rarely seen cyber attack. The hack, called a 51 percent attack, allowed the hackers to steal about $20 million, mostly from the Bitcoin Gold ledger.
If you’ve never heard of a 51 percent attack, that’s because for the most part, crypto experts weren’t particularly worried about them before now. These attacks weren’t very common and had only affected very small coins because there had been only a few cryptocurrencies out there. And the ones that did exist were so popular that they would have been difficult to commandeer.
How does the attack work?
A 51 percent attack works when someone takes over the majority of a blockchain network’s computational power. This control allows the person or group behind the attack to start their own, private ledger for the particular cryptocurrency. With this majority share of the network, the person in control can buy something with their cryptocurrency (or cash out) on the public, official ledger, and then send out their private ledger, which other computers on the network adopt as the real thing. Now it’s like they never spent their cryptocurrency at all, but still benefited from the transaction — essentially double-spending whatever coin they’ve taken over. While they control the network, a person conducting a 51 percent attack can also make sure they get all the newly mined coin that appears on the network.
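The mechanism described above can be seen in a small simulation. The following Go program is an added example, not code from the article or from any of the projects it discusses: a toy chain where, as in Bitcoin-style networks, nodes follow the branch with the most cumulative proof-of-work. A merchant sees a payment with six confirmations on the public chain; an attacker who out-mines the honest network releases a private chain that omits the payment, and the node's fork-choice rule adopts it, dropping the merchant's confirmations to zero. The block names, work values and transaction identifiers are constructed for the example; the point it makes is that a confirmation count is only as strong as the honest majority of hashrate behind it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Block is a toy block: the previous block's hash, the transactions it carries,
// and the amount of proof-of-work it represents. A real node derives work from
// the difficulty target; here it is a plain number for the simulation.
type Block struct {
	Prev string
	Txs  []string
	Work uint64
}

// Hash links blocks together so that a chain cannot be altered in the middle.
func (b Block) Hash() string {
	h := sha256.New()
	h.Write([]byte(b.Prev))
	for _, tx := range b.Txs {
		h.Write([]byte(tx))
	}
	fmt.Fprintf(h, "%d", b.Work)
	return hex.EncodeToString(h.Sum(nil))
}

// TotalWork sums the work of every block. Nodes follow the chain with the most
// cumulative work, not simply the one with the most blocks.
func TotalWork(chain []Block) uint64 {
	var total uint64
	for _, b := range chain {
		total += b.Work
	}
	return total
}

// Confirmations returns how many blocks deep txid sits in chain, or 0 if the
// chain does not contain it at all.
func Confirmations(chain []Block, txid string) int {
	for i, b := range chain {
		for _, tx := range b.Txs {
			if tx == txid {
				return len(chain) - i
			}
		}
	}
	return 0
}

// ChooseChain is the fork-choice rule: a node already following current
// switches to candidate only if candidate carries strictly more work.
func ChooseChain(current, candidate []Block) []Block {
	if TotalWork(candidate) > TotalWork(current) {
		return candidate
	}
	return current
}

// Mine appends n blocks of the given work to a copy of chain; firstTxs go into
// the first new block, the rest are empty.
func Mine(chain []Block, n int, work uint64, firstTxs []string) []Block {
	out := append([]Block(nil), chain...)
	for i := 0; i < n; i++ {
		var txs []string
		if i == 0 {
			txs = firstTxs
		}
		out = append(out, Block{Prev: out[len(out)-1].Hash(), Txs: txs, Work: work})
	}
	return out
}

// Simulate mines the public chain (with the merchant payment) and the attacker's
// private chain (without it) for the same number of block intervals, then lets
// the node pick. It returns the payment's confirmations before and after.
func Simulate(honestWork, attackerWork uint64, confirmations int) (before, after int) {
	genesis := []Block{{Prev: "", Txs: nil, Work: 0}}
	public := Mine(genesis, confirmations, honestWork, []string{"pay-merchant"})
	private := Mine(genesis, confirmations, attackerWork, []string{"pay-self"}) // constructed double-spend
	before = Confirmations(public, "pay-merchant")
	adopted := ChooseChain(public, private)
	after = Confirmations(adopted, "pay-merchant")
	return before, after
}

func main() {
	for _, c := range []struct{ honest, attacker uint64 }{{55, 45}, {45, 55}} {
		before, after := Simulate(c.honest, c.attacker, 6)
		fmt.Printf("honest=%d attacker=%d: confirmations before=%d after=%d\n",
			c.honest, c.attacker, before, after)
	}
}
```

With 55 units of honest work per interval against 45 for the attacker, the public chain keeps its six confirmations; swap the shares and the private chain wins and the payment disappears, which is why exchanges raise required confirmations, or halt deposits entirely, for coins whose hashrate is small enough to rent.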
So far, it’s not clear who committed the cybercrime. And there’s no indication that authorities have yet started looking into it.
There have been quite a few large, high-profile cryptocurrency hacks over the past few years. Hundreds of millions of dollars have been stolen. Although blockchain technology is fundamentally more secure than centralized database systems, the ecosystem is still incredibly young, and poor programming practices create many security vulnerabilities, especially in systems built around blockchains.
Indian Bitcoin Exchange Coinsecure Claims $3.5 Million Lost in Insider Hack
When did the hack happen?
On April 8, 2018, the Indian exchange lost 438.318 bitcoins, approximately Rs 20 crore, from a digital wallet that was holding users’ funds. Coinsecure promised to use its own funds to reimburse Rs 20 crore to customers who lost their bitcoins.
How did it happen?
The alleged hack seems to have occurred when the company CSO Saxena was extracting bitcoins to distribute them to its customers. The funds lost were kept in a ‘cold wallet’, where funds are stored offline, as opposed to a ‘hot wallet’, which is the part of the exchange connected to the internet.
“There was no need to be online while extracting the bitcoin. The private keys, which were never exposed to the internet for the past 4 years, were exposed,” Kalra said. “Funds were lost during the extraction of private keys.”
“The hack that happened is also too good to be true. Almost like offering the password to your bank account on a platter to a hacker. The time he exported the private key, it was after 5 minutes the hack started,” he added.
It was on April 9 that Saxena informed others at the exchange that all the bitcoins that were stored offline had vanished. It is still unclear why the private key — the password that is kept by the company and stored offline — was leaked online, leading to the hack.
Is the money being traced?
Coinsecure, with over two lakh users across the country, has currently stopped all deposits and withdrawals. The company says it has the digital address to which the assets were sent after the hack, and has published on its website the wallet address to which the 438-odd bitcoins were transferred. The stolen amount of 438.318 bitcoins was transferred to the hacker’s wallet over a span of two days in small tranches.
The hacker now seems to be sending the stolen bitcoins to multiple addresses; the amount left in the wallet that received the stolen funds is 139.420 bitcoins.
This essentially means only Rs 7.39 crore still remains of the Rs 20 crore that was siphoned off. Interestingly, the wallet address to which the initial amount of 438 bitcoins was transferred was created on the day of the hack and was not an old account that had already been around for some time.
August 2017 – Enigma ICO hack with $500,000 stolen
The Enigma ICO was hacked in a very different way from the CoinDash ICO. Enigma was started by a group of MIT graduates and the project was able to create a strong community of over 9,000 users who joined the project’s mailing list and Slack group.
How did the hack happen?
The hacker was able to break into Enigma’s website, Slack group, and mailing list and sent fraudulent messages to the project’s community asking for money. This allowed the hacker to gather almost 1,500 Ether (about $500,000). This is despite a previous warning by Enigma that it would not collect money in this way until its ICO in September.
When was the hack discovered?
It was discovered that Enigma’s CEO Guy Zyskind’s email credentials had been dumped on the internet from the hacking of different services in the past. Zyskind failed to change the password to his email and this, coupled with the lack of two-factor authentication setup, allowed the hacker to access Enigma’s website, Slack group, and mailing list.
The hack was particularly embarrassing not only because it could have easily been avoided if two-factor authentication had been in place, but also because another Enigma cofounder had recently shared his “simple solution” for preventing ICO hacks on Business Insider.
July 2017 – Parity multisig wallet hack with $32 million stolen
An attacker exploited a vulnerability found in Parity Multisig Wallet version 1.5+. S/he used this vulnerability to drain Ether from three high-profile multisignature contracts used to store funds from previous ICOs (Edgeless Casino, Swarm City, and æternity blockchain). In total, 153,037 Ether was stolen.
When was the hack revealed?
On July 19th, Parity issued a security warning on its website detailing the discovery of the vulnerability: “A vulnerability in Parity Wallet’s variant of the standard multi-sig contract has been found – Immediately move assets contained in the multi-sig wallet to a secure address”.
Fortunately, on release of this statement, a group of white hat hackers took it upon themselves to drain the funds of other multi-sig wallets belonging to other ICOs before the malicious hackers were able to get to them as well.
August 2016 – Bitfinex hack with $66 million stolen
The Bitfinex hack was the second-biggest breach of a Bitcoin exchange platform at the time (first place goes to Mt. Gox). A total of 120,000 Bitcoin were stolen. This was worth about $72 million at the time. Bitfinex first announced the security breach on August 2, 2016.
Who was the culprit for the attack?
The attackers exploited a vulnerability in Bitfinex’s multisignature wallets used to store their customers’ funds. A multisignature wallet has keys divided among a number of owners to manage risk. In order to send a transaction, all parties need to sign off on it. In the case of Bitfinex, it had a system set up with another company, BitGo, whereby Bitfinex would store two keys and BitGo would store one key.
This allowed Bitfinex to reduce the use of cold storage wallets, and many customers’ funds were stored in hot wallets. When Bitfinex’s servers were hacked, the attackers managed not only to get Bitfinex to sign off on illegal Bitcoin withdrawals; the BitGo security layer somehow failed as well, and BitGo co-signed the illegal withdrawals.
What else happened?
The details are murky on how the attackers managed to get BitGo to co-sign the transactions. BitGo has publicly confirmed that its own servers were not compromised. The rumour is that the system Bitfinex set up was broken such that BitGo would do whatever Bitfinex said to do with a user’s funds. As such, Bitfinex’s multisignature wallet system really only had a single point of failure – Bitfinex’s servers – and it’s really no different from simply using hot wallets.
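The single-point-of-failure argument above is an architectural one, and it can be made concrete. The Go program below is an added illustration, not Bitfinex’s or BitGo’s code, and nothing in it reflects how their real integration worked: it contrasts a co-signer that signs whatever the primary system requests with one that enforces its own policy (a destination allowlist and a rolling 24-hour limit) before adding the second signature. The request sequence, addresses and limits are constructed for the example. If the primary’s key is stolen, the first design lets the attacker drain everything; the second caps what the attacker can move before a human notices.

```go
package main

import (
	"fmt"
	"time"
)

const BTC uint64 = 100_000_000 // satoshis per bitcoin

// Withdrawal is a signing request the primary (exchange) system sends to the co-signer.
type Withdrawal struct {
	To     string
	Amount uint64 // satoshis
	At     time.Time
}

// CoSigner decides whether to contribute the second signature.
type CoSigner interface {
	CoSign(w Withdrawal) (ok bool, reason string)
}

// RubberStamp co-signs anything the primary asks for. If the primary is
// compromised, the second key adds no security: this is "really no different
// than simply using hot wallets".
type RubberStamp struct{}

func (RubberStamp) CoSign(w Withdrawal) (bool, string) {
	return true, "primary requested it"
}

// PolicyCoSigner applies rules the primary cannot change: an allowlist of
// destinations and a rolling 24-hour spending limit. A compromised primary can
// still ask, but cannot move the bulk of the funds in one go.
type PolicyCoSigner struct {
	Allowed    map[string]bool
	DailyLimit uint64
	approved   []Withdrawal // requests this co-signer has already signed
}

// NewPolicyCoSigner builds a co-signer with a constructed allowlist and limit.
func NewPolicyCoSigner() *PolicyCoSigner {
	return &PolicyCoSigner{
		Allowed:    map[string]bool{"cust-addr-1": true, "cust-addr-2": true},
		DailyLimit: 10 * BTC,
	}
}

// spentSince totals approved withdrawals at or after cutoff.
func (p *PolicyCoSigner) spentSince(cutoff time.Time) uint64 {
	var total uint64
	for _, w := range p.approved {
		if !w.At.Before(cutoff) {
			total += w.Amount
		}
	}
	return total
}

func (p *PolicyCoSigner) CoSign(w Withdrawal) (bool, string) {
	if !p.Allowed[w.To] {
		return false, "destination not on allowlist"
	}
	if p.spentSince(w.At.Add(-24*time.Hour))+w.Amount > p.DailyLimit {
		return false, "would exceed 24h limit"
	}
	p.approved = append(p.approved, w)
	return true, "policy satisfied"
}

// Run feeds every request to the co-signer and records its decisions.
func Run(cs CoSigner, reqs []Withdrawal) []bool {
	out := make([]bool, len(reqs))
	for i, w := range reqs {
		out[i], _ = cs.CoSign(w)
	}
	return out
}

// SampleRequests is a constructed sequence: routine customer payouts, then an
// attacker holding the primary key trying to drain funds to a fresh address,
// then payouts that would breach the daily limit, then one the next day.
func SampleRequests() []Withdrawal {
	t0 := time.Date(2016, 8, 2, 0, 0, 0, 0, time.UTC)
	return []Withdrawal{
		{"cust-addr-1", BTC / 2, t0},
		{"attacker-addr", 120_000 * BTC, t0.Add(time.Minute)},
		{"cust-addr-2", 9 * BTC, t0.Add(2 * time.Minute)},
		{"cust-addr-1", 1 * BTC, t0.Add(3 * time.Minute)},
		{"cust-addr-1", 1 * BTC, t0.Add(25 * time.Hour)},
	}
}

func main() {
	reqs := SampleRequests()
	fmt.Println("rubber stamp:", Run(RubberStamp{}, reqs))
	fmt.Println("policy      :", Run(NewPolicyCoSigner(), reqs))
}
```

The policy co-signer refuses the 120,000 BTC request outright because the destination was never registered, and later refuses the payout that would push the day’s total past 10 BTC; the rubber stamp approves all five. The protection comes entirely from the co-signer holding its key on a system the primary cannot reach and evaluating the request independently, which is what a second signature is supposed to buy.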
March 2014 – Mt. Gox exchange hack with $473 million stolen
The Mt. Gox hack is the largest cryptocurrency disaster to ever occur to this date. In total, $473 million worth of Bitcoin was stolen from the exchange. This theft occurred over several years.
Prior to the hack, Mt. Gox was one of the largest cryptocurrency exchanges and at one point was handling over 70% of all Bitcoin transactions worldwide. However, due to an abysmal CEO, a dysfunctional engineering organization, and poor code, unknown hackers were able to siphon Bitcoin from the exchange without detection for years.
Much of the blame can be laid on Mark Karpeles, the CEO of the company. Karpeles was more of a childish, idealistic programmer than a CEO and seemingly thought of Mt. Gox as an interesting side project. For example, an insider claimed that Mt. Gox didn’t use any version control software and the only person that could approve changes to the source code was Mark Karpeles himself.
Who was the culprit for the attack?
Version control software (VCS) provides significant programming benefits. First, it gives the programmer a concise and complete history of change in the codebase. Using VCS, a programmer can see who made what changes at what time and s/he could also temporarily or permanently rollback changes.
Karpeles should definitely not be the sole person approving code. A CEO should be focused on high level challenges such as developing business strategy and managing the overall operations and resources of a company. Karpeles’s insistence on being the sole authority to approve code just shows how immature and flawed his management style was.
This, of course, resulted in a highly insecure codebase. Competent software engineers would have left such a dysfunctional engineering organization in a heartbeat, and those who did stay would find their security patches often forgotten by Karpeles.
On August 15th 2010, Jeff Garzik, a Bitcoin Core developer, noticed that someone had generated a transaction creating 184 billion Bitcoin in a single block. Bitcoin’s maximum supply is supposed to be capped at 21 million.
Who was the culprit for the attack?
The attacker was able to abuse a bug in the code used to check transactions before including them in a block. The code had an integer overflow bug and couldn’t detect when a transaction contained outputs that summed to over 2^64 satoshis (i.e. 184 billion BTC). Instead of realizing that such a transaction contained an insane amount of BTC, the Bitcoin network actually thought that there was only a small amount. The attacker exploited this bug and issued a transaction with outputs summing to just over 2^64 satoshis. This transaction was accepted by the blockchain, and it was lucky that it was detected by Garzik 1.5 hours after the transaction occurred.
How was the problem resolved?
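The overflow described above is easy to reproduce with fixed-width integers, and the fix is equally small. The Go program below is an added example, not Bitcoin Core’s code (Core stores amounts as signed 64-bit integers; unsigned 64-bit values are used here and wrap in the same way). It puts the buggy rule, which only compares the wrapped sum of outputs against the inputs, beside a range-checked sum that rejects any single output, or any running total, above the 21 million BTC cap, so the total can never get anywhere near 2^64. The input amount and the two oversized outputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxMoney is the largest value any output, or any sum of outputs, may hold:
// 21 million BTC expressed in satoshis.
const MaxMoney uint64 = 21_000_000 * 100_000_000

// SumUnchecked adds the outputs with plain fixed-width arithmetic. Once the
// running total passes 2^64 it silently wraps around to a small number.
func SumUnchecked(outs []uint64) uint64 {
	var total uint64
	for _, v := range outs {
		total += v
	}
	return total
}

var ErrOutOfRange = errors.New("output value or running total exceeds MaxMoney")

// SumChecked enforces the money range on every output and on the running
// total before each addition, so wrap-around cannot happen.
func SumChecked(outs []uint64) (uint64, error) {
	var total uint64
	for _, v := range outs {
		if v > MaxMoney {
			return 0, ErrOutOfRange
		}
		if total > MaxMoney-v { // total+v would exceed MaxMoney (and might wrap)
			return 0, ErrOutOfRange
		}
		total += v
	}
	return total, nil
}

// ValidUnchecked is the buggy rule: accept if the (wrapped) output sum does not
// exceed the inputs.
func ValidUnchecked(inputs uint64, outs []uint64) bool {
	return SumUnchecked(outs) <= inputs
}

// ValidChecked is the repaired rule: range-check first, then compare.
func ValidChecked(inputs uint64, outs []uint64) bool {
	total, err := SumChecked(outs)
	return err == nil && total <= inputs
}

// OverflowOutputs is a constructed pair of outputs whose true sum is
// 2^64 + 100 satoshis, far above the cap, but which wraps to 100.
func OverflowOutputs() []uint64 {
	return []uint64{1 << 63, 1<<63 + 100}
}

func main() {
	inputs := uint64(50 * 100_000_000) // constructed: a 50 BTC input
	outs := OverflowOutputs()
	fmt.Printf("wrapped sum of outputs: %d satoshis\n", SumUnchecked(outs))
	fmt.Printf("buggy rule accepts:     %v\n", ValidUnchecked(inputs, outs))
	fmt.Printf("checked rule accepts:   %v\n", ValidChecked(inputs, outs))
}
```

The buggy rule sees a 100-satoshi spend from a 50 BTC input and accepts it; the checked rule rejects the first output before any addition takes place. The general lesson for any ledger or accounting code is that a sum of untrusted values needs a bound checked before each addition, not a comparison after the fact.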
2.5 hours later, Gavin Andresen patched the bug. It took another hour for Satoshi to accept the patch. A hard fork was then deployed and the new chain rolled back the 184 billion transaction and every transaction after it.
Although no funds were lost during this attack, it was still a significant event for Bitcoin. The quick response by the devs to fix the bug and revert the attack instilled new confidence in the budding currency and demonstrated Bitcoin’s resiliency to malicious attacks.
You can never be too secure with your cryptocurrencies. “You can’t go to the bank and say, ‘Oops, can you fix this?’”
Keep those 24 words, which provide instant access to your cryptocurrencies, in a safe place. We recommend you enter those words into a Cryptosteel, a device that can withstand temperatures up to 1,500 degrees Celsius, and then put that in a fireproof safe. But if you are serious about securing your cryptocurrency exchange or wallets from theft like the case studies you read above, you need to focus on securing your assets and closing every loophole that could let an attacker transfer your funds and run away. Don’t be afraid if you don’t know what to do or how to do it: we are here to help you. Khanna Security Solutions can play a pivotal role in securing your assets (website, network, servers) and preventing such attacks from happening to you.