Weekly Threat Report - 2nd February 2018
Report's are drawn from recent open source reporting, see the latest report here:.
World’s largest cryptocurrency heist
Last week saw the world’s largest cryptocurrency heist, with Coincheck reporting that hackers had stolen 523 million NEM (XEM) cryptocurrency (approx. £376.5 million). Coincheck is Japan’s largest Bitcoin exchange and deals with various other cryptocurrencies.
Coincheck have reassured customers that they would reimburse any losses. They are reporting that at present the attack methods deployed by the hackers are unknown and that the NEM had been stored in a ‘hot wallet’. Hot wallets are connected to the internet and are therefore vulnerable to cyber criminals, whereas cold wallets are small devices that hold your sum of cryptocurrency and are not connected to the internet. Some people even keep them locked in safes.
This heist highlights the security issues surrounding storing cryptocurrency in online exchanges, which can be vulnerable to attack rather than a hardware-based solution or personal wallet.
The UK also saw its first reported case of a physical robbery-related to Bitcoin, whereby armed masked men burst into the home of a cryptocurrency trader in Moulsford, Oxfordshire. The intruders threatened violence if he didn’t transfer funds to a Bitcoin wallet. Whilst the amount transferred is unknown or even confirmed as successful, it is another instance of the security issues surrounding cryptocurrencies and their perceived lack of danger. Readers are reminded that these incidents are few and far between, but should be mindful that cryptocurrencies are not exempt, nor safe from being targeted by criminals.
New Internet of Things botnet: Hide ‘N’ Seek
A new botnet comprised of Internet of Things (IoT) devices, dubbed the Hide ‘N’ Seek (HNS) botnet, has been identified by researchers. It was reportedly first seen in early January 2018, initially disappearing but resurfacing days later having been through further development. It then spread rapidly to infect more than 30,000 IoT devices.
HNS reportedly uses custom-built peer-to-peer communication to spread to new targets and uses the same exploit as the Reaper botnet, identified in September 2017. While previous IoT botnets have had DDoS functionality, including the Mirai botnet used to carry out significant DDoS attacks, HNS is currently believed to lack this component. However, it reportedly has the capability to carry out data exfiltration, code execution and interference with a device’s operation.
The use of custom-built decentralised architecture, along with a possible focus on espionage capabilities, represent an evolution in IoT botnets. HNS has reportedly undergone constant redevelopment, indicating the level of effort the threat actors are willing to invest in it. As with other botnets, HNS does not currently achieve persistence, and rebooting a compromised device should return it to a clean state. However, it could easily be reinfected by the same route. Changing default passwords for IoT devices is an effective mitigation against some attacks, and is one of the tips included in our password guidance.
Ensuring your devices are fully patched and limiting access to these devices will also help protect against compromise. For further advice see our 10 Steps to Cyber security (Secure Configurationand Network Security).
Cyber criminals conduct ‘jackpotting’ attacks against US ATMs
Cyber criminals have conducted a series of attacks on ATMs in the United States, stealing over $1 million. Known as a ‘jackpotting’ attack, the hackers are believed to swap the ATM hard drive with one infected with malware, giving attackers full control of the ATM and its contents. At least six machines in the US are believed to have been targeted in this way this month.
The individual targeting of ATMs through physical injection of malware is a relatively common attack methodology. A number of cases have previously been reported in Malaysia, Russia, Ukraine and Mexico. There has been at least one reported case of a physical injection ATM malware incident in the UK to date.
It is unclear whether the specific methodology used against US ATMs could be used to target machines in other countries including the UK, but the attack relies on criminals gaining physical access to the machine’s hard drive. The implementation of additional controls, such as enhancement to ATM physical security and patching machine software reduces the likelihood of a successful attack.
We have previously reported on criminals conducting ‘jackpotting’ attacks against ATMs. For more information on the malware threat to UK ATMs, log in to the Cyber Security Information Sharing Partnership (CiSP) to view our report on this issue. Details on how to become a member of CiSP are here.