The advantages of cryptocurrencies for owners — lax regulation and lack of government control — are major pluses for cyberthieves too. Because the threats to crypto assets are quite varied, we recommend that you study our overview of how to protect your crypto investments, as well as our tips for owners of hardware cryptowallets. But these posts of ours, detailed as they are, still do not disclose the full variety or scale of crypto-related scams. To give you a better grasp of just how attractive crypto finance is to scammers, we've compiled a list of the most striking examples of attacks in recent years. Our police lineup (of cybercriminals) shows you the biggest, most brazen attacks in different categories. We didn't rank them by damage, as this is hard to determine for many types of attacks, and our rating excludes pyramid schemes like BitConnect.

1. The most sophisticated
Damage: US$30 000
Method: Trojanized hardware wallet

This attack was investigated by our experts, hence we have a detailed post about it. An investor purchased a popular hardware wallet, which looked and worked exactly like a real one — until it didn't. It turned out to be a very crafty fake with pre-flashed private keys known to the cybercriminals and a password-weakening system. When money appeared in the wallet, the hackers simply withdrew it. And that's without the wallet ever connecting to a computer.

2. The biggest
Damage: US$540 000 000
Method: server hack

For a long time, the largest hack in cryptocurrency history was the theft of US$460 million from the Mt. Gox exchange, which caused the exchange to collapse in 2014. But in 2022 this dubious honor passed to Sky Mavis, developer of the popular play-to-earn game Axie Infinity. The attackers compromised the Ronin Bridge, the system that handles the interaction between in-game tokens and the Ethereum network, and stole ether and USDC worth, according to various estimates, US$540–650 million. Without delving into the details of the blockchain bridge hack: the attackers compromised five of the nine validator nodes that verify Ronin transactions and used them to sign their own withdrawals, which was enough because the bridge required only five signatures. Apparently, the network was infiltrated through a combination of malware and legitimate but outdated access credentials that had not been revoked in time. The hackers also hoped to earn even more from the collapse in the market capitalization of the target companies, but the hack was noticed just a week later, and their attempt at short selling failed.

3. The most persistent
Damage: unknown
Method: fake Chrome extension

The attacks, carried out by the BlueNoroff group and detected by us in 2022, were aimed primarily at FinTech companies working with cryptocurrency. In this series of attacks, the hackers penetrated the internal networks of the target companies using phishing emails seemingly from venture capital funds. When the victim opened the malicious email attachment, a Trojan installed itself on the computer, allowing the attackers to steal information and install additional malware. If the company's emails were of interest to them, the hackers remained in its network for months. Meanwhile, the crypto theft itself was carried out using a modified version of the MetaMask Chrome extension. By installing their version of MetaMask instead of the official one, the cybercriminals were able to observe and modify the victim's legitimate cryptocurrency transactions; even the use of a hardware cryptowallet didn't provide sufficient protection in this case, since it is the extension, not the device, that assembles the transaction the wallet is asked to sign.

4. The most obscure
Damage: US$35 000 000
Method: unknown

On June 2, 2023, attackers targeted the decentralized Atomic Wallet, draining tokens from victims' wallets. This is the most recent example at the time of posting. The developers confirmed the hack, but have yet to figure out how it was done. Atomic Wallet prides itself on the fact that neither passwords nor private keys are stored on its servers, so the attack must be linked to what takes place on users' computers. Cryptocurrency tracking experts say the laundering methods used resemble the modus operandi of the Lazarus group. If it is Lazarus, it's most likely an attack either through a fake, Trojanized version of Atomic Wallet (similar to the earlier attack using a Trojanized DeFi application), or on the developers themselves, with a Trojan planted in the official application.

5. The most cinematic
Damage: US$4 000 000
Method: face-to-face meeting

To steal cryptocurrencies, some cybercriminals set up Catch Me If You Can-style scams. The targets — companies looking for investors — are approached by supposed investment funds to discuss a potentially large investment in the business. After a few phone calls and emails, face-to-face meetings are scheduled at a luxury hotel with the victims — startup CEOs. There, all legal and financial matters are discussed at length, after which, under a convenient pretext, the conversation turns to investments and cryptocurrency fees. As a result, the scammers sneak a peek at the victim's seed phrase or briefly get hold of their cryptowallet, emptying it of all funds. In one case, the victims were hustled for US$4 million; in another, described in detail, for US$206 000.

6. The most elegant
Damage: unknown
Method: fake letters and wallets

This one sounds like the plot of a detective novel: cybercriminals sent paper letters to buyers of Ledger hardware wallets. To get the mailing list, they either hacked into an unnamed third party (likely a Ledger contractor) or capitalized on an earlier user-data leak. The letter informed the recipient that, due to security issues, their Ledger Nano X hardware wallet had to be replaced — and a free replacement wallet under warranty was handily enclosed with the letter. In fact, the enclosed box contained a malware-infected flash drive disguised as a Nano X. On first startup, the program asked the victim to perform a key import and enter their secret seed phrase to restore access to the wallet — with obvious consequences. Many recipients, however, didn't fall for the ruse: despite the convincing packaging, the letter itself contained a number of spelling mistakes. Vigilance pays dividends!

7. The most inconspicuous
Damage: unknown
Method: malware

Among the most inconspicuous are address-substitution attacks, usually carried out with the help of clipboard-injector malware. After infecting the victim's computer, the malware silently monitors the clipboard for cryptowallet addresses: when one arrives, the malware replaces it with the address of the attackers' wallet. Because wallet addresses are long and users routinely copy and paste them when making transfers, the substitution goes unnoticed and the funds go to the attackers. The only reliable check is to compare the pasted address, character by character and not just its first and last few symbols, against the one the recipient actually gave you before confirming the transaction.

8. The most hurtful
Damage: US$15 000
Method: love letters

Romance scams remain one of the most common ways to deceive private crypto investors. Let's take a look at a specific example. Kevin Kok had years of crypto experience, yet even he was hoodwinked by a blossoming romance. Having met a woman on a dating site, he chatted with her for several months, during which time the topic of investments never arose. Then, she suddenly shared information from friends about a handy new app for crypto investments. She was having trouble figuring it out and asked for help so she could deposit her own (!) money there. Kevin, of course, offered to help. Convinced that the app was working fine, he saw his new flame's assets rise in value. So he decided to invest his own money and smiled at the high rate of return. Kevin became suspicious only when the woman suddenly disappeared from all messenger apps and stopped replying to his messages. And it was then that he discovered it wasn't possible to withdraw funds from the investment system.

How to stay safe?

We've already given detailed recommendations for crypto investors, so here we'll repeat just two: treat all crypto-related offers, emails, letters and innocent questions with maximum suspicion, and always use security software tailored for crypto investments on all relevant devices. And we certainly recommend a Kaspersky Premium subscription for one or more devices, the price of which is a drop in the ocean compared to the potential damage from just one successful scam. Premium includes special tools to protect your crypto investments:
- Protection against cryptocurrency fraud and unauthorized mining
- Additional protection for banking apps and financial transactions
- Anti-phishing
- Special anti-keylogger protection for password input windows
- Detection of remote access to the computer
- Password manager and secure storage for sensitive data
- Real-time antivirus with application behavior control
- Warnings about potentially dangerous applications
- Automatic search for outdated versions of applications and updates from official sources
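Returning to the address-substitution attack in item 7: the following Python is an added example, not Kaspersky's code and not any product's detection logic. It shows the two checks a wallet front end or a clipboard-watching agent can run before a transfer is confirmed: structural validation of whatever was pasted (with a real Base58Check checksum for legacy Bitcoin addresses, format-only matching for bech32 and Ethereum addresses) and an exact comparison against the address the user actually intended to send to. The function names, the verdict strings and the sample addresses (the Bitcoin genesis address, plus an "attacker" address derived from an arbitrary 20-byte value) are this example's own assumptions.

```python
"""Clipboard address-substitution guard (added example, not Kaspersky's code).

Clipper malware swaps a wallet address sitting in the clipboard for the
attacker's own. Two checks catch it: structural validation of whatever was
pasted, and an exact comparison against the address the user copied.
Sample addresses below are constructed for the example or well-known public ones.
"""
import hashlib
import re
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Format-only patterns: a match means "looks like an address", not "is valid".
PATTERNS = {
    "btc_base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth_hex": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def b58decode(text: str) -> bytes:
    """Decode Base58 (Bitcoin alphabet); each leading '1' becomes a leading 0x00 byte."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError on a bad symbol
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode; used only to build a guaranteed-valid sample address."""
    value = int.from_bytes(raw, "big")
    out = ""
    while value:
        value, rem = divmod(value, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def p2pkh_address(hash160: bytes, version: bytes = b"\x00") -> str:
    """Base58Check-encode version || hash160 || first 4 bytes of double-SHA256."""
    payload = version + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def base58check_ok(addr: str) -> bool:
    """True if the 4-byte double-SHA256 checksum of a Base58Check address matches."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def classify(text: str) -> Optional[str]:
    """Return the address family the text belongs to, or None.

    Base58 Bitcoin addresses get a real checksum check. Bech32 and EIP-55
    checksums are NOT verified here (bech32 needs its own polymod, EIP-55 needs
    Keccak-256, which hashlib does not ship), so those families are format checks only.
    """
    candidate = text.strip()
    for family, pattern in PATTERNS.items():
        if pattern.match(candidate):
            if family == "btc_base58" and not base58check_ok(candidate):
                return None
            return family
    return None


def check_paste(intended: str, clipboard: str) -> dict:
    """Compare the address the user meant to pay with what the clipboard now holds.

    'substituted' is the clipper signature: a different, well-formed address of the
    same family. Comparing only the first and last few characters is not enough,
    since clippers can pre-generate look-alike addresses.
    """
    intended, clipboard = intended.strip(), clipboard.strip()
    want, have = classify(intended), classify(clipboard)
    if have is None:
        verdict = "not_an_address"
    elif clipboard == intended:
        verdict = "ok"
    elif have == want:
        verdict = "substituted"
    else:
        verdict = "wrong_family"
    return {"verdict": verdict, "intended": want, "clipboard": have}


if __name__ == "__main__":
    # Constructed scenario: the user copied the Bitcoin genesis address and a
    # clipper replaced it with an attacker-controlled (here: made-up) address.
    copied = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    swapped = p2pkh_address(hashlib.sha256(b"attacker hash160").digest()[:20])
    for name, pasted in [("clean", copied), ("clipped", swapped)]:
        print(name, check_paste(copied, pasted))
```

The point of the exact comparison is that a clipper's replacement address is itself perfectly well formed, so validation alone never catches it; only comparing against the address obtained out of band (from the recipient, or shown on a hardware wallet's screen) does. Run standalone, the script prints an "ok" verdict for the clean paste and "substituted" for the swapped one.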
It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.
While there's plenty of upside to rolling out deception technologies, it's not clear if cybersecurity leaders — or their organizations — are ready for them.
Exploiting a flaw in how the app handles communication with external tenants gives threat actors an easy way to send malicious files from a trusted source to an organization's employees, but no patch is imminent.
Unknown senders have been shipping smartwatches to service members, leading to questions regarding what kind of ulterior motive is at play, malware or otherwise.
Although the authenticity of these claims remains uncertain, the fact that the hacker is offering to use Escrow—a trusted third-party payment service—adds a level of credibility to the offer.
In addition to backdoor capabilities and the ability to propagate through USB using the HopperTick launcher, the payload includes additional features, such as a bypass for SmadAV, an anti-virus solution popular in Southeast Asia.
Security experts came across a new campaign—from late 2022 to early 2023—by the Chinese state-sponsored threat group APT15, which used a novel backdoor called Graphican that possesses several capabilities. Symantec has published IOCs so that defenders can detect and block the threat.
The organization said Wednesday that it was informed on June 6 by a third-party vendor – PBI Research Services/Berwyn Group – that data was accessed by hackers exploiting the MOVEit file transfer tool.
According to a survey by Panaseer, automation is considered more effective than vendor consolidation in easing industry concerns, and 96% of organizations automate at least one aspect of their cybersecurity.
The North Korean APT37 (aka ScarCruft and RedEyes) group was found using a new info-stealer with wiretapping features, named FadeStealer, along with a backdoor written in Go that abuses the Ably platform. Apart from the ability to listen in on victims' private conversations, the malware can steal a wide variety of information from Windows systems.
Open source is key to the success of cloud-native security as it facilitates collaboration amongst developers, architects, and users, brings strength in numbers, and allows for diverse innovation.
Dole said the hackers accessed the names, addresses, driver’s license numbers, passport numbers, dates of birth, phone numbers, and other employment information, according to a filing with the Maine Attorney General.
According to research by Insikt Group and CERT-UA, Russian hackers exploited vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube Webmail software to gain unauthorized access to unpatched servers.
Suspected Chinese APT groups exploited a 17-year-old Microsoft Office vulnerability in May to launch malware attacks against foreign government officials who attended a G7 summit in Hiroshima, Japan.
The project is expected to feature a reference design and an implementation guide addressing four main cybersecurity challenges across the water and wastewater sector, namely asset management, data integrity, remote access, and network segmentation.
BlackLotus has been circulating on hacking forums since October 2022, marketed as malware capable of evading detection, withstanding removal efforts, and neutralizing multiple Windows security features such as Defender, HVCI, and BitLocker.
A proposed federal class action lawsuit alleges that patient debt collection software firm Intellihartx was negligent in its handling of third-party risk, contributing to a breach affecting nearly 490,000 individuals.
"The attack chain ends with the victim machine infected with multiple unique remote access trojan malware instances, such as Warzone RAT and Quasar RAT," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.
The top French privacy regulator has imposed a fine of 40 million euros against a Parisian advertising technology company for its use of website tracking cookies and failure to process users' personal data in compliance with privacy laws.
The notorious extortion crew, aka ALPHV, added the Beverly Hills Plastic Surgery to its list of compromised organizations, and bragged about swiping people's personal information and healthcare records.
The Russian APT28 group has launched a spear-phishing campaign that has affected a regional prosecutor's office, an undisclosed executive authority, a military aviation company, and other government entities in Ukraine. Administrators are advised to update vulnerable Roundcube webmail servers to the latest version.
The breach was initially discovered by security researcher Jeremiah Fowler. Upon further investigation, it was revealed that the primary insurer associated with all the policies listed in the exposed database was USA Underwriters.
"A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service," Fortinet stated.
A third-party vendor lost the personal data of at least 2.5 million Genworth Financial policyholders, including Social Security numbers, to the Russian Cl0p ransomware gang, according to the Fortune 500 insurer.
By deploying students to community organizations to improve digital defenses, university cybersecurity clinics aim to give students cybersecurity experience, improve local defensive capacity and steer students toward work in cybersecurity.
Fallout for Progress Software continues over a massive data breach that appears to have affected hundreds of private and public sector organizations that use its MOVEit file transfer software.
The botnet has been observed targeting IoT devices, routers, DVRs, access control systems, and solar power generation monitoring systems from brands such as D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek.
A new cyber incentive framework from the Federal Energy Regulatory Commission could help utilities adapt to new threats at a faster pace, by providing flexibility for them to invest in pre-qualified cybersecurity measures.
Out of the 156 threats identified in drone control systems, the top 50 fall into four categories — namely reporting falsified data, denying access to real-time data, impersonation of the UAS and its operator, and tampering with telemetry data.
The attack works with Microsoft Teams running the default configuration, which permits communication with Microsoft Teams accounts outside the company, typically referred to as "external tenants."
Debian Linux Security Advisory 5438-1 - A flaw was found in Asterisk, an Open Source Private Branch Exchange. A buffer overflow vulnerability affects users that use the PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record, parse_query(), while the issue in CVE-2022-24793 is in parse_rr(). A workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.
Red Hat Security Advisory 2023-3614-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.4.
Red Hat Security Advisory 2023-3612-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.4. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5435-2 - Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in information disclosure or denial of service.
This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak to be able to upload a .NET deserialization payload.
Ubuntu Security Notice 6161-2 - USN-6161-1 fixed vulnerabilities in .NET. The update introduced a regression with regards to how the runtime imported X.509 certificates. This update fixes the problem. It was discovered that .NET did not properly enforce certain restrictions when deserializing a DataSet or DataTable from XML. An attacker could possibly use this issue to elevate their privileges.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Ubuntu Security Notice 6188-1 - Matt Caswell discovered that OpenSSL incorrectly handled certain ASN.1 object identifiers. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.
Ubuntu Security Notice 6184-1 - It was discovered that CUPS incorrectly handled certain memory operations. An attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service, or possibly obtain sensitive information.
Ubuntu Security Notice 6187-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service.
Red Hat Security Advisory 2023-3777-01 - Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-3776-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include a bypass vulnerability.
Ubuntu Security Notice 6186-1 - Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in the netfilter subsystem of the Linux kernel when processing batch requests, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Gwangun Jung discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Red Hat Security Advisory 2023-3780-01 - Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL. Issues addressed include a bypass vulnerability.
Ubuntu Security Notice 6185-1 - It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service. It was discovered that the Real-Time Scheduling Class implementation in the Linux kernel contained a type confusion vulnerability in some situations. A local attacker could use this to cause a denial of service.
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced
Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency. "The threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations," Microsoft threat intelligence researcher Rotem Sde-Or said.
The case for browser fingerprinting: personalizing user experience, improving fraud detection, and optimizing login security
Have you ever heard of browser fingerprinting? You should! It's an online user identification technique that collects information about a visitor's web browser and its configuration preferences to associate individual browsing sessions with a single website visitor. With
A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. Cybersecurity firm Deep Instinct is tracking the malware as PindOS, which contains the name in its "User-Agent" string. Both Bumblebee and IcedID serve as loaders, acting as a vector for other malware on compromised hosts, including ransomware. A recent report from Proofpoint
A threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that leverage advanced social engineering ploys to gain initial access. "The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a prebuilt hosting framework and bundled templates,"
The NSA has published a guide on how to mitigate attacks involving the BlackLotus bootkit malware, amid fears that system administrators may not be adequately protecting against the threat. Read more in my article on the Tripwire State of Security blog.