
Japanese cryptocoin exchange robbed of $100,000,000

Another week, another cryptocurrency catastrophe.

Last week’s story was about Chinese cryptocoin smart contract company Poly Networks, which was robbed of about $600 million’s worth of various cryptocurrencies.

That heist has turned into an ongoing saga in which, mirabile dictu, the hacker ultimately seems to have agreed to return as much of the stolen cryptocurrency as he can.

In a bizarre stream of messages transmitted as “additional data” in zero-value transactions on the Ethereum blockchain, the thief claimed, ALL IN CAPS, to have acted out of altruism.

The hacker, now dubbed Mr. White Hat in an act of obeisance by Poly Networks, suggested that he’d taken the money for safe keeping before disclosing the bug, so that no one else could exploit it in the meantime.

(The implication was that the coders who would be working to fix the bug – who would inevitably need to know how the bug could be exploited in order to repair it properly – might themselves be rogues, and therefore needed protecting from their own baser instincts by a nobler form of cybercriminality.)

The money hasn’t all been recovered yet – that is expected to take a few days more – but Poly Networks seems confident [2021-08-20T15:00Z] that it will get back most of it in the end.

The company has also said that it will dig into its own pockets “to compensate for any slippage loss and fees that are incurred.”

Amusingly, if not amazingly, Poly Networks has “rewarded” Mr. Hat with 160 Ethereum coins (about $525,000 at today’s price), and offered him a role as Chief Security Advisor.

In one of the company’s own blockchain messages back to Hat, Poly Networks went so far as to invite him to be a co-approver of any future upgrades to the system.

That might seem like an alarming amount of control to offer to someone who once ran off with all your funds and deliberately shut down your whole network for two weeks, even if they decided to give back most of the money in the end:

We decided to use [a] multi-signature of relay chain validators to authorize upgrades. We also hope to invite you to participate in the future development of the Poly Network. If you want, your address […] can be one of the validators.

Hat, for his part, has been on the receiving end of numerous blockchain spam messages of his own, with a mixture of admirers, detractors and opportunists letting him know how they feel and what they expect from him.

YOU SAID YOU WILL GIVE ME A PERSONAL GIFT. I WOULD LIKE 32 ETH, insisted one commenter, who claimed to know the name of the company where Hat used to work and threatened to reveal the details.

Another noted, contrarily eschewing Hat’s ALL CAPS style and letter spacing, that Nowitseemsthatmoneyisstillveryimportant.Stillsupportyou!

Truth, as the truism goes, can sometimes be stranger than fiction.

Roguery redux

This week, sadly, it was the turn of cryptocoin trading platform Liquid to get hit by hackers.

The company bravely still has a cryptocurrency exchange rate ticker scrolling across the top of its website, but underneath that is a worrying notice saying simply:

All crypto deposits are currently suspended. Please do not transfer crypto to your Liquid wallet address until further notice.

The More information link on the main page leads to an even more chilling note that apparently confirms the scale of the problem:

Important Notice: We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet.

We are currently investigating and will provide regular updates. In the meantime deposits and withdrawals will be suspended.

Hot versus cold

A “hot wallet” (the word warm above rather understates the immediacy and risk involved, but may just be a detail of translation rather than a misguided attempt at euphemism), as the name suggests, is one that is primed for access at any time.

Loosely speaking, a hot wallet is a file of cryptocurrency assets that is directly available for online trading, with any necessary cryptographic passwords and private keys shared with the online trading platform you’re using.

In contrast, a cold wallet is one that’s stored offline, and where you keep the cryptographic keys to yourself.

In a cold wallet setup, the files that constitute your cryptocoin stash are inaccessible to malware or hackers who manage to wriggle into your computer, thanks to being kept offline, and unusable in the event of an intruder in your house finding the storage device on which you stashed them, thanks to being encrypted.

Note. If you give someone hot wallet access, and they then move your funds into a cold wallet of their own, as described above, that’s safer than having your cryptocoins available for immediate online trading, but it’s nevertheless not your cold wallet, so the person who created that cold wallet still has control over your funds.

If you want to compare cryptocoin walletry with social media access, setting up a “hot wallet” is a bit like deliberately logging into your Twitter and Facebook accounts on someone else’s laptop, going through the necessary authentication processes to grant yourself full access…

…and then going home without logging out, saying to your friend, “Here’s a list of topics to follow and the things I’d like to say if any of them come up. Keep my accounts logged in, watch out in case anything interesting comes up, and chime in with relevant comments on my behalf whenever it does.”

You have to trust your friend completely – both directly (e.g. not to go rogue and start posting uncharitable or offensive comments in your name) and indirectly (e.g. not to get hacked so that intruders can access your accounts remotely).

What next?

Unfortunately, there’s no suggestion, so far, that the crooks who hacked Liquid are now thinking of giving back the funds they’ve just stolen, said in some reports to be worth about $100 million.

Stolen cryptocoins can be hard to turn into regular money, as many cryptocurrency thieves have found in the past.

Most exchanges will track cryptocurrency wallets into which stolen coins were transferred, especially in high-value raids like this one, in an effort to blocklist payouts that might be used to convert the looted funds back into cash, or to launder them into other types of cryptocoin.

But the fact that stolen cryptocoins might not end up enriching the crooks who stole them is cold comfort if those stolen coins were yours…

…in the same way that you would still be left out of pocket if a crook who pickpocketed your wallet simply set fire to the banknotes inside it instead of spending the money on themselves.

What to do?

We’re going to repeat what we said last week, after Poly Networks found its assets drained without warning:

  • If you’re thinking of getting into the cryptocurrency scene, never invest more than you can afford to lose. There are more than 10,000 different cryptocoins currently in existence, many of which were kicked off by cash injections from early investors. Not all cryptocoins can or will follow the Bitcoin pattern of going from a few cents in value in 2010 to $45,000 each in August 2021. Even worse, some “investments” are outright scams in which the “creators” of the cryptocoinage collect startup funds from early investors in what’s known as an ICO (initial coin offering), only to run off without ever establishing the new cryptocurrency at all.
  • If you plan to buy and hold cryptocurrency, keep as much as you can offline in what’s known as a cold wallet. A cold wallet is an encrypted file that you keep where you won’t lose track of it, and where other people can’t use it unless they know your password.

For further discussion and advice, listen to Sophos expert Chester Wisniewski in this week’s podcast, where we discuss the Poly Networks incident and what it says about online trust (the cryptocurrency section starts at 17’13”):

You can also listen directly on Soundcloud.


S3 Ep46: Copyright scams, video snooping and Grand Theft Crypto [Podcast]

[02’45”] Copyright infringement scams that beg you to call.
[09’32”] An IoT bug that could be exploited for video snooping and more.
[17’13”] A hacker steals $600m and then makes a song and dance out of giving it back.
[26’18”] Oh! No! How Doug’s PS5 issues could have been solved back in 2020.

With Paul Ducklin and Chester Wisniewski.

Intro and outro music by Edith Mudge.

You can also listen directly on Soundcloud.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.


Video surveillance network hacked by researchers to hijack footage

Researchers at security company Mandiant have written up a report about a device-hijack bug in a video sharing and surveillance network called Kalay.

Operated by Chinese smart device company ThroughTek, Kalay (which apparently means “handshake” in the Dawu language) is pitched as a cloud-based solution for vendors of home automation devices, including security cameras, smart locks, video doorphones, smart power plugs, and even personal cloud storage hardware such as NAS devices.

According to ThroughTek:

[Kalay c]onnects numerous home automation devices, enabling users to monitor and control their systems based on usage scenarios and daily habits.

More generally, the company says:

[Kalay] enables integration of video surveillance equipment, smart consumer products, and a variety of sensors to allow brand name manufacturers, telecoms providers, system integrators, hardware manufacturers, and other service providers to offer smart solutions that are safer, more convenient, and more flexible for users to enjoy.

As you can see, the idea is that instead of creating their own protocol, setting up their own servers and building their own home automation service, home device makers can build the Kalay software into their own firmware, and use the existing Kalay network so their customers can manage and access the devices.

Tricking your way in

Unfortunately, Mandiant researchers found what amounts to a sort of Manipulator-in-the-Middle (MiTM) attack against the Kalay protocol that could give an attacker a way to hack into devices in someone’s home, including remotely watching video from the victim’s webcams.

Fortunately, the vulnerability, dubbed CVE-2021-28372, can’t be exploited arbitrarily against any product that uses the Kalay system – the attackers first need to know the 20-byte unique identifier assigned to the device they want to snoop on.

According to Mandiant, those UIDs are “provided to a Kalay-enabled client (such as a mobile application) from a web API hosted by the company that markets and sells a device model.”

We’re assuming that the 20 bytes are not entirely random, in the same way that network MAC addresses consist of three bytes that are always the same for each device maker plus three bytes that are effectively random.

Nevertheless, with 20 bytes to play with instead of just 6 bytes in a MAC address, there’s plenty of room to have a few bytes that are unique to each vendor followed by far too much randomness to guess at.

Indeed, Mandiant admitted that it “investigated the viability of brute forcing ThroughTek UIDs and found it to be infeasible due to the necessary time and resources.”

However, if an attacker does know the UID of one of your devices – sniffed off your home network by malware and sold on the underweb, perhaps, or inadvertently disclosed in some other way – then a crook can take over simply by pretending to be your device temporarily, and re-registering itself with the Kalay network.

This attack works because a genuine device registers itself with the Kalay network when it’s first set up, using its UID, and gets back authentication credentials that can subsequently be used to access data from that device remotely.

For example, the owner of the device can use those credentials in a mobile app to tell the Kalay network to:

  • Identify the device on the network.
  • Extract a live video feed from it.
  • Relay that live data feed to the authenticated mobile device.

Apparently, say Mandiant researchers, if you know the UID of that device, you can fraudulently re-register it with the Kalay network, and instead of getting an error, you’ll receive a new set of authentication credentials.

If you then use those new credentials to authenticate your own software to the targeted device in order to request live video, the Kalay network will reach out on its network to locate the UID you specified…

…and the original device will respond and begin transmitting its video feed.

Because you have the right credentials, given that you set them via your bogus re-registration, the feed comes back to you, and you can spy on the victim.

(We’re assuming that many other device types can be hacked, hijacked or reconfigured in this way, but stealing a live video feed is perhaps the most dramatically intrusive example.)

Loosely speaking, the bug exists because just knowing the UID of any device – something that’s not meant to be public, but is certainly not sufficient on its own for cryptographic security – is enough to do a fraudulent password reset, without knowing the previous password.

That’s a bit like being able to reset a user’s email password automatically by knowing only their current physical address – not enough to attack everyone, but more than enough to attack someone.
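To make the design flaw described above concrete, here is an added toy model (not ThroughTek’s code, and not the real Kalay message format): a registry that hands out fresh credentials to anyone who presents a UID, beside a hardened variant that binds re-registration to a per-device enrolment secret via challenge-response and logs the rejected attempt. All names, the UID and the keys are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _new_credential() -> str:
    # Random bearer credential of the kind the network issues at registration.
    return secrets.token_hex(16)


@dataclass
class WeakRegistry:
    """Registration keyed on the UID alone: re-registering overwrites the credential."""
    creds: Dict[str, str] = field(default_factory=dict)

    def register(self, uid: str) -> str:
        # Flaw modelled here: no proof of possession is required, so anyone who
        # knows the UID silently replaces the legitimate owner's credential.
        cred = _new_credential()
        self.creds[uid] = cred
        return cred

    def authorize_feed(self, uid: str, cred: str) -> bool:
        return hmac.compare_digest(self.creds.get(uid, ""), cred)


@dataclass
class HardenedRegistry:
    """Registration bound to a factory-provisioned secret; conflicts are logged."""
    enrol_keys: Dict[str, bytes]            # uid -> secret provisioned at manufacture
    creds: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, bytes] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def challenge(self, uid: str) -> bytes:
        # Server-issued nonce so a captured proof cannot be replayed later.
        nonce = secrets.token_bytes(16)
        self.pending[uid] = nonce
        return nonce

    def register(self, uid: str, proof: bytes) -> Optional[str]:
        key = self.enrol_keys.get(uid)
        nonce = self.pending.pop(uid, None)
        if key is None or nonce is None:
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            # Detection hook: a UID-only caller ends up here instead of succeeding.
            self.alerts.append(f"rejected re-registration for {uid}")
            return None
        if uid in self.creds:
            self.alerts.append(f"credential rotated for {uid}")
        cred = _new_credential()
        self.creds[uid] = cred
        return cred

    def authorize_feed(self, uid: str, cred: str) -> bool:
        return hmac.compare_digest(self.creds.get(uid, ""), cred)


def demo_weak() -> bool:
    """True if a second registration using only the UID takes over feed access."""
    reg = WeakRegistry()
    uid = "UID-CONSTRUCTED-EXAMPLE"        # constructed sample, not a real UID
    owner_cred = reg.register(uid)
    second_cred = reg.register(uid)          # presents the UID and nothing else
    return reg.authorize_feed(uid, second_cred) and not reg.authorize_feed(uid, owner_cred)


def demo_hardened() -> Tuple[bool, bool, List[str]]:
    """(owner_ok, second_caller_ok, alerts) for the challenge-response registry."""
    uid = "UID-CONSTRUCTED-EXAMPLE"
    key = secrets.token_bytes(32)            # lives only in the genuine device
    reg = HardenedRegistry(enrol_keys={uid: key})
    owner_cred = reg.register(uid, hmac.new(key, reg.challenge(uid), hashlib.sha256).digest())
    # A caller without the enrolment key can only guess the proof.
    nonce = reg.challenge(uid)
    second_cred = reg.register(uid, secrets.token_bytes(32))
    return (reg.authorize_feed(uid, owner_cred or ""), second_cred is not None, reg.alerts)
```

In the weak model the owner’s original credential stops working the moment a second registration succeeds, which is also the only symptom the owner would ever see.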

What to do?

The first bit of good news, as we’ve mentioned, is that an attacker needs to figure out the UIDs of the devices on your network first.

The bad news, however, is that it’s hard to know just how widely known your own UIDs might be, given that if an earlier attacker has figured them out, you’ll typically have no way to tell until an attack kicks off.

The second bit of good news is that this bug doesn’t exist in the latest version of ThroughTek’s client-side software development kit (SDK) library, so any device firmware that’s up to date oughtn’t to be at risk, as far as we can tell.

(The buggy software libraries are any versions before 3.1.10. Current versions are 3.3.1.0 and 3.4.2.0.)

The bad news, however, is that it’s hard to know which version of the ThroughTek code is compiled into which versions of each vendor’s firmware, and which firmware version is installed in which devices.

Worse still, it can be hard to tell whether a device uses ThroughTek code or not.

Even Mandiant noted that it “was not able to create a comprehensive list of devices using the Kalay platform”, despite reporting this vulnerability to ThroughTek and liaising directly with the company to investigate the issue.

In short, we recommend that:

  1. If you have a device that is hooked up to Kalay, check that the ThroughTek software components compiled into it have a version number of 3.1.10 or later. If you can’t find a way to determine the version number (most devices don’t make it easy to download the firmware and search for version strings yourself), consult the vendor.
  2. If you have a device that uses a back-end cloud network you aren’t sure about, consult the vendor to see if Kalay is involved. If so, then GOTO 1.

What we can’t tell you, given that we don’t have any Kalay-based home devices ourselves, is whether it’s possible to reallocate a UID to devices that you have already bought and installed. (That wouldn’t solve this issue, but would mitigate the extent of your exposure somewhat.)

ThroughTek, according to Mandiant, has more than 80 million connected devices, each making an average of more than 10 connections a month, for a monthly figure of 1.1 billion connections…

…so if you own a device on the Kalay network, please let us know in the comments below if you have any additional advice that might help!

To remain anonymous, just leave the form fields blank.


Copyright scammers turn to phone numbers instead of web links

Copyright scams aren’t new – we’ve written about them many times in recent years.

These scammers often target your Facebook or Instagram account, fraudulently claiming that someone has registered a complaint about content that you’ve posted, such as a photo, and telling you that you need to resolve the issue in order to avoid getting locked out of your account.

The problem with copyright infringement notices is that if they’re genuine, they can’t just be ignored, because social media sites are obliged to try to resolve meaningful copyright complaints when they’re received.

To discourage bogus complaints and reduce harassment – and if you are a content producer or influencer yourself, with an active blog, video or social media account, you will probably have had many well-meaning but ill-informed complaints in your time – sites such as Facebook, Instagram, Twitter and the like don’t put the complainant directly in touch with you.

The process usually goes something like this:

  • The complainant makes their claim to the service provider concerned. The service provider expects them to give full contact details, in order to discourage anonymous harassment.
  • If the claim seems to hold water, the service alerts you, without giving your details to the complainant, and invites you to defend or to accept the complaint. (Obviously bogus claims, such as complaints about image or video content in an article that is all text, shouldn’t go any further.)
  • If the claim is incorrect, you can repudiate it, for example by stating that you took a photo yourself or by showing a licence you acquired for a music clip.
  • If you don’t wish to contest the claim, you are usually expected to remove the allegedly infringing material promptly, and report that you have done so.

In either case, assuming that the service provider considers the case resolved, it’s then closed without the complainant getting to contact you directly, and without you needing to deal directly with the complainant in return.

Ignore at your peril

The idea behind this sort of resolution procedure is obvious.

It avoids lawsuits and protracted (and often expensive) legal wrangling; it maintains the privacy of the alleged infringer and protects them from harassment by aggressive complainants; and it typically leads to the speedy and effective resolution of genuine copyright issues.

Of course, the flip-side of this approach is that, because it’s intended to resolve the issue quickly without recourse to lawyers and court hearings, it depends upon a prompt and meaningful response.

In other words, if you ignore the complaint, then the service provider will typically resolve it in favour of the complainant, perhaps by blocking access to the offending post or article unilaterally, or deleting it entirely.

Depending on the nature of the alleged infringement, or on how many times you’ve infringed before, the service may also decide to suspend your account temporarily, or even lock you out of your account altogether until you negotiate your way back in.

Grist to the cybercrime mill

As you can imagine, this type of interaction is ripe for abuse by phishing scammers.

Whether they’re sending you fake emails or instant messages, crooks know that you know that copyright infringements can’t just be ignored, because doing so could end up with you getting locked out of your account.

And if you’ve ever been locked out of a social media account, you’ll know what a palaver it can be to get back in again, not least because you first have to prove to the service provider concerned that you really are the original account holder, which often involves back-and-forth negotiation involving scanned IDs and other personal documents.

So, the crooks figure that many people are more inclined to “click the link” in a copyright infringement notice than in an email pretending to be from their bank or their email provider.

Of course, in many of these scams, the first step is to take you to a fake login page for the service concerned, and ask you to log in. (We’ve even seen scams of this sort that ask for the current 2FA login code from your authenticator app, thus greatly reducing your security by pretending to take it seriously.)

The call is free!

Well, this weekend we received a fake DMCA (Digital Millennium Copyright Act – the US law that covers infringements of this sort) “complaint” that took a slightly different approach.

The email was simply written (though fortunately with a few typographical mistakes that we hope you would spot as early warning signs), and offered a link to let you see the original complaint:

Interestingly, the “Read the full text” button goes to a legitimate website in Europe, but instead of presenting a fake login page or other content that would set cybersecurity alarm bells ringing, the crooks apparently deliberately chose a URL that didn’t exist on a site that was otherwise unexceptionable.

So all you see is:

Note that you probably won’t get a warning from your web filter or your DNS provider at this point about a risky site or a dangerous domain name, because the site itself doesn’t serve up any fraudulent content implanted by the crooks.

In this case, the crooks are deliberately avoiding using a “call to action” link that leads to a fake login page or an unlikely domain name, which could easily be blocked by cybersecurity products or even by your browser.

They’ve copied a trick that tech support scammers have been using for years, and that some ransomware scammers have recently adopted, namely giving you a toll-free phone number to call for “help”.

Given that the call is free, and given that phoning up doesn’t directly expose your computer or your browser to fake websites or booby-trapped downloads…

…it feels as though dialling the number ought to be a low-risk option by means of which you can quickly find out whether this is a scam or not.

All we can say is, “Don’t do it!”

Never feel bullied, pressurised, lured, seduced or cajoled into contacting someone you don’t know on their say-so.

Remember that the crooks at the other end of the phone line in this case are almost certainly not in the US, even though the contact number is directed via a US toll-free service.

And these scammers take calls like this for a living, so they know every trick in the social engineering book.

The best that can happen if you do call back is that you will reveal nothing about yourself that you didn’t mean to; the worst is that you might just blurt out something you later wish you hadn’t.

What to do?

  • Learn in advance how your online services handle disputes or security issues. Don’t get taken in by warnings you receive by email. Find your own way to the real site and use the service’s own help pages to find out how the service will contact you, and the correct procedure to follow if they do. Forewarned is forearmed.
  • Talk to a friend you can trust who’s already been through a copyright complaint. Each online service does it slightly differently, so it can be challenging the first time you do it for real. Talk to someone who has been there before and you will not only know the right way to respond, but also find it much easier to spot the fraudsters.
  • Never make contact via emailed links or phone numbers. If you need to log in to a site such as Instagram for some official purpose, find your own way there, for example via a bookmark you created earlier, or by using the official mobile app. That way, you’ll avoid putting your real password into the wrong site. If you need to call your bank, or any other company you do business with, look up the phone number on previous correspondence that you know came from that company. Links, email addresses and phone numbers in text messages or emails could have come from anyone, and probably did.
  • Never give away information or change account settings because you’re told to. Once you have called a scammer’s phone number, they may “helpfully” guide you towards installing software, changing settings or reading out private details as a prerequisite to “assisting” you. Don’t do it. Find someone you already know and trust instead (e.g. a member of your own IT team from work, or a trusted friend in your own circle) and ask them directly.
  • If one of your friends or family is vulnerable to telephone pressure, make sure they know to call you first to ask for advice, instead of calling numbers they’re confronted with in text messages, emails or on websites.


S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed [Podcast]

[02’31”] Home and small business routers under attack.
[16’22”] A hacking tool favoured by crooks gets hacked.
[23’56”] The Navajo Nation’s selfless cryptographic contribution to America.
[29’43”] A cybercrook gets aggrieved at being ripped off by cybercrooks.
[38’33”] Oh! No! The steaming CEO with the flashing phone.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can also listen directly on Soundcloud.



