Showing posts with label Crypto Attack.

North Korean Hackers Suspected in $70M Phemex Crypto Exchange Exploit


A significant cyberattack on the Singapore-based cryptocurrency exchange Phemex has resulted in the loss of over $70 million in digital assets. Blockchain security experts believe the incident may be linked to North Korean hackers. The breach was detected on Thursday, prompting Phemex to suspend withdrawals after receiving alerts from security firms about unusual activity. 

Initially, approximately $30 million was reported stolen, but the attack persisted, leading to further asset depletion. The company’s CEO, Federico Variola, confirmed that the exchange’s cold wallets remained intact and unaffected. According to cybersecurity analysts, the tactics used in this attack resemble previous high-profile exploits targeting crypto exchanges.

The perpetrators swiftly transferred various tokens across multiple blockchain networks, beginning with high-value assets such as Bitcoin (BTC), Ethereum (ETH), and Solana (SOL), along with stablecoins like USDC and USDT. Since stablecoins can be frozen, the attackers quickly converted them into Ethereum before moving on to smaller, less liquid tokens. 

Researchers tracking the breach noted that hundreds of different cryptocurrencies were stolen, with attackers draining even minor altcoins. The process was reportedly carried out manually rather than through automated scripts, with assets transferred to fresh addresses before being laundered through additional layers of transactions. Experts believe the scale and coordination suggest the involvement of an experienced hacking group.  

A pseudonymous investigator known as SomaXBT.eth pointed to a North Korean-affiliated group as the likely culprit, noting similarities between this incident and previous attacks attributed to state-backed hackers. Another security analyst compared the breach to the attack on Japan’s DMM platform, which resulted in the theft of $308 million and was linked to the North Korean hacking group TraderTraitor. Data from blockchain explorers shows that the attackers utilized at least 275 transactions across Ethereum-based chains, using multiple addresses to siphon funds from networks such as Arbitrum, Base, Polygon, Optimism, and zkSync. 

Additionally, transactions were tracked across Avalanche, Binance Smart Chain, Polkadot, Solana, and Tron. A primary wallet connected to the breach handled at least $44 million in stolen funds, while notable amounts included $16 million in SOL, $12 million in XRP, and $5 million in BTC. Despite the losses, Phemex still holds roughly $1.8 billion in assets, the majority of which are in its native PT token, followed by significant holdings in Bitcoin and USDT. 

The exchange has announced that it is developing a compensation plan for affected users. As of the latest reports, activity from the attacker’s addresses appears to have ceased, with the final recorded transactions occurring around 10:00 AM ET.

RedTail Cryptominer Exploits Critical Zero-Day in PAN-OS

A new wave of cyberattacks has been reported, leveraging a critical zero-day vulnerability in Palo Alto Networks’ firewall software, PAN-OS. The flaw, identified as CVE-2024-3400 and assigned a maximum CVSS score of 10.0, enables unauthenticated attackers to execute arbitrary code with root privileges, significantly compromising the security of affected systems. 

Researchers from Akamai have observed that the RedTail cryptomining malware is exploiting this vulnerability. The malware is notably sophisticated, exhibiting a deep understanding of cryptomining operations. Unlike typical cryptomining software that uses public mining pools, RedTail’s operators have established private mining pools or proxies. This approach allows for greater control over mining outcomes despite the higher operational and financial costs involved. 

Updated Tools and Techniques: The latest version of RedTail, active since late April, includes several updated tools:

Encrypted Mining Configuration: This adds a layer of security and obfuscation to the malware's operations.

Self-Process Debugging: A tactic to evade analysis and hinder detection.

Cron Job Integration: Ensures persistence by automatically restarting the malware after the system reboots.

Usage of RandomX Algorithm: Boosts mining efficiency.

Alteration of System Configuration: Employs hugepages to optimize memory usage and performance.

Akamai's security researchers Ryan Barnett, Stiv Kupchik, and Maxim Zavodchik reported, "There are many glossy cryptominers out there, but seeing one with this level of polish is uncommon. The investments required to run a private cryptomining operation are significant, including staffing, infrastructure, and obfuscation. This sophistication may be indicative of a nation-state–sponsored attack group. For any business, there is ongoing testing and evolution to ensure that the product (in this case, malware) is successful, which is unlikely to be done without some type of substantial financial backing. The malware was likely quite profitable if it garnered this degree of attention from a sophisticated group."

It Is Not Done Yet 

The threat actors behind RedTail are not solely dependent on the PAN-OS vulnerability. They also exploit various other vulnerabilities across different platforms and devices, including SSL-VPNs, IoT devices, web applications, and security appliances like Ivanti Connect Secure. 

What Can You Do?

In response to this threat, Akamai advises using the Akamai App & API Protector for enhanced security measures. Organizations should identify and patch all vulnerable Palo Alto devices to mitigate the risk posed by the CVE-2024-3400 flaw. Hardening devices against various types of cyberattacks, including web platform attacks, command injections, and local file inclusion, is recommended.

Cryptocurrency Engineers Targeted by New macOS Malware 'KandyKorn'


A newly identified macOS malware called 'KandyKorn' has been discovered in a cyber campaign linked to the North Korean hacking group Lazarus. The targets of this attack are blockchain engineers associated with a cryptocurrency exchange platform.

The attackers are using Discord channels to pose as members of the cryptocurrency community and distribute Python-based modules. These modules initiate a complex KandyKorn infection process.

Elastic Security, the organization that uncovered the attack, has linked it to Lazarus based on similarities with their previous campaigns, including techniques used, network infrastructure, code-signing certificates, and custom detection methods for Lazarus activity. 

The attack starts with social engineering on Discord, where victims are tricked into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip.' This archive contains a Python script ('Main.py') that imports 13 modules, triggering the first payload, 'Watcher.py.' 

Watcher.py downloads and executes another Python script called 'testSpeed.py' and a file named 'FinderTools' from a Google Drive URL. FinderTools then fetches and runs an obfuscated binary named 'SugarLoader,' which appears as both .sld and .log Mach-O executables.
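As an added, defender-side illustration (not code from Elastic's write-up), this Python check flags the disguise described above: files whose extension suggests a log or data file but whose header is a Mach-O or universal binary. The sample tree is constructed from header stubs only, and the extension allowlist is an assumption.

```python
import struct
import tempfile
from pathlib import Path

# Mach-O magics as stored on disk: thin 32/64-bit in either byte order, plus the
# universal ("fat") header magic, which Java .class files happen to share.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",    # MH_MAGIC / MH_CIGAM
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}    # MH_MAGIC_64 / MH_CIGAM_64
FAT_MAGIC = b"\xca\xfe\xba\xbe"
# Suffixes under which Mach-O code is expected (assumed allowlist); '.log', '.sld' etc. are not.
EXPECTED_EXEC_SUFFIXES = {"", ".dylib", ".bundle", ".so", ".o"}

def is_macho(header: bytes) -> bool:
    """True if the first 8 bytes look like a Mach-O or universal binary."""
    if header[:4] in THIN_MAGICS:
        return True
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        # A fat header follows the magic with a small big-endian nfat_arch; a Java
        # class file has minor/major version there (major >= 45), so it is rejected.
        return 0 < struct.unpack(">I", header[4:8])[0] < 32
    return False

def find_disguised_machos(root: str) -> list:
    # Relative paths of Mach-O files under root that carry a non-executable suffix.
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                header = fh.read(8)          # only the header is needed, not the file
            if is_macho(header) and path.suffix.lower() not in EXPECTED_EXEC_SUFFIXES:
                hits.append(str(path.relative_to(root)))
    return sorted(hits)

def scan_sample_tree() -> list:
    # Constructed sample files (header stubs only, not real malware), then scanned.
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28             # thin 64-bit stub
    fat = FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 24    # universal stub, 2 arches
    samples = {
        "tmp/SugarLoader.sld": macho64,                      # code behind '.sld'
        "tmp/SugarLoader.log": fat,                          # code behind '.log'
        "tmp/system.log": b"Jan  1 00:00:00 host syslogd[1]: started\n",  # real log
        "lib/libhelper.dylib": macho64,                      # code where expected
        "build/Main.class": FAT_MAGIC + struct.pack(">HH", 0, 52),      # Java class
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return find_disguised_machos(root)
```

Pointed at a user's home directory, `find_disguised_machos` gives a short list to triage by hand; pair it with code-signature checks, since the loaders described here were signed to blend in.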

SugarLoader establishes a connection with a command and control server to load the final payload, KandyKorn, into memory.

In the final stage, a loader known as HLoader is used. It impersonates Discord and employs macOS binary code-signing techniques seen in previous Lazarus campaigns. HLoader ensures persistence for SugarLoader by manipulating the real Discord app on the compromised system.

KandyKorn serves as the advanced final-stage payload, allowing Lazarus to access and steal data from the infected computer. It operates discreetly in the background, awaiting commands from the command and control server, and takes steps to minimize its trace on the system.

KandyKorn supports a range of commands, including terminating processes, gathering system information, listing directory contents, uploading and exfiltrating files, securely deleting files, and executing system commands, among others.

The Lazarus group primarily targets the cryptocurrency sector for financial gain, rather than engaging in espionage. The presence of KandyKorn highlights that macOS systems are also vulnerable to Lazarus' attacks, showcasing the group's ability to create sophisticated and inconspicuous malware tailored for Apple computers.