Major Cybercrime Gangs Shift From Hacking Banks to Bitcoins
Bitcoin, the world’s most popular cryptocurrency, hit an all-time high of $17,428.42 on Tuesday. Despite falling back below $16,000 on Wednesday, experts say bitcoin appears destined to soon break the $20,000 mark.
For a virtual currency that was trading at less than $1,000 at the beginning of the year, the massive rise in value and hype has brought hackers, scammers and other criminals calling (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).
“Not to perpetrate fear, uncertainty and doubt, but I was told by people I really respect in threat intelligence that there are at least four very advanced threat actor groups who have been attacking banks in recent years, and about a month ago, they just dropped their activities and moved over to bitcoin hacking,” Avivah Litan, vice president and distinguished analyst at Gartner Research, tells Information Security Media Group. “I don’t know if this is going to happen, but they’re definitely setting up for attacks against exchanges and other parts of the cryptocurrency world.”
Security firm Imperva reports that from July to September, distributed denial-of-service attacks against cryptocurrency exchanges increased, accounting for 3.6 percent of all attacks they saw. “DDoS attacks could … be attempted to manipulate bitcoin prices, a tactic attackers have been known to use in the past,” the firm says.
Indeed, in April 2013, former Tokyo-based bitcoin exchange Mt. Gox – then the world’s largest cryptocurrency exchange – blamed a lag in trading on DDoS attackers attempting to force the price of bitcoin to drop.
“Attackers wait until the price of bitcoins reaches a certain value, sell, destabilize the exchange, wait for everybody to panic-sell their bitcoins, wait for the price to drop to a certain amount, then stop the attack and start buying as much as they can,” Mt. Gox wrote.
That was before Mt. Gox went dark in February 2014, when 850,000 of its bitcoins were stolen, along with $28 million in cash from its bank accounts (see Feds Indict Russian Over BTC-e Bitcoin Exchange).
Bitcoin Gold Wallet Software Hacked
As with so many things “digital” these days, the foundations of bitcoin and other cryptocurrencies, as well as the exchanges on which they trade and the wallet software in which they’re stored, are not necessarily secure.
Last month, warnings surfaced that software for wallets tied to a new cryptocurrency called “bitcoin gold” had been hacked.
“Please be aware that for approximately 4.5 days, a link on our download page and the file downloads on our GitHub release page have been serving two suspicious files of unknown origin,” the bitcoin gold team warned users on Nov. 26. “Until we know otherwise, all users should presume these files were created with malicious intent – to steal cryptocurrencies and/or user information. The file does not trigger anti-virus/anti-malware software, but do not presume the file is safe.”
The team says that anyone who used an affected file should “take the safest possible course of action or … engage knowledgeable professionals to assist them.”
Bitcoin gold is the second hard fork of bitcoin – following bitcoin cash earlier this year. It was launched in November to address perceived problems with bitcoin, including mining challenges. Bitcoin gold uses a different mining algorithm that can be run on inexpensive equipment using GPUs.
Cryptocurrency mining refers to solving computationally intensive mathematical tasks, which, in the case of bitcoin, are used to verify the blockchain, or public ledger, of transactions. As an incentive, anyone who mines for cryptocurrency has a chance of getting some cryptocurrency back as a reward.
In its early days, bitcoin could also be mined using inexpensive equipment, but that is no longer true; more expensive mining equipment that runs application-specific integrated circuit chips, or ASICs, is now required.
“The only way to participate in bitcoin mining is to buy hardware from one of those manufacturers – the biggest of which is believed to manufacture over 70 percent of the global supply of SHA256 ASICs,” the team behind bitcoin gold said in roadmap documents. “This has led to a situation where one entity can hold the entire network hostage.”
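The “computationally intensive mathematical tasks” above are proof-of-work searches: a miner repeatedly hashes a block header with a changing nonce until the double SHA-256 digest falls below a difficulty target, and anyone can verify the winning nonce with a single hash. The following stand-alone Python example, added here and not taken from bitcoin, bitcoin gold or any mining software, illustrates that search and the check that validates it; the header bytes and the difficulty values are constructed for the demonstration, and the block format is a simplification of bitcoin’s (a fixed 4-byte little-endian nonce appended to opaque header bytes).

```python
import hashlib

# Constructed sample "block header"; a real header carries the previous block
# hash, merkle root, timestamp and difficulty bits, but for the search it is
# just opaque bytes that the nonce is appended to.
SAMPLE_HEADER = b"constructed-block-header-for-demo"


def block_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over header bytes plus a 4-byte LE nonce.
    This is the operation a SHA256 ASIC performs billions of times per second."""
    data = header + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest wins when, read as a 256-bit big-endian integer, it is below
    2**(256 - difficulty_bits); i.e. roughly `difficulty_bits` leading zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces in order until one meets the target.
    Returns (nonce, digest, attempts) or None if the nonce space is exhausted.
    Expected attempts grow as 2**difficulty_bits, which is why raising the
    difficulty pushes commodity CPUs and then GPUs out of the race."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one hash: cheap for every node, expensive only to find."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    bits = 16
    nonce, digest, attempts = mine(SAMPLE_HEADER, bits)
    print(f"difficulty {bits} bits: nonce={nonce} after {attempts} attempts")
    print("digest:", digest.hex())
    print("verifies:", verify(SAMPLE_HEADER, nonce, bits))
```

The asymmetry shown here (search cost exponential in the difficulty, verification cost constant) is the whole point of proof-of-work, and it is also why the hash function matters: bitcoin gold’s switch away from SHA-256 was an attempt to pick work that dedicated ASICs do not yet dominate.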
Backdoor Alert: Antminer
The manufacturer referenced by the bitcoin gold team is Chinese vendor Bitmain Technologies, which builds the AntMiner mining hardware used by the majority of cryptocurrency miners.
In April, a team of unknown researchers began sounding warnings over a dangerous backdoor in the firmware used to run the devices, which attackers could exploit to knock the vast majority of the world’s mining rigs offline.
“Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer,” the researchers write on their Antbleed website.
“The firmware checks in with a central service randomly every one to 11 minutes,” the researchers say. “Each check-in transmits the AntMiner serial number, MAC address and IP address. Bitmain can use this check-in data to cross-check against customer sales and delivery records making it personally identifiable. The remote service can then return ‘false’ which will stop the miner from mining.”
The researchers posted a copy of the backdoor code to Pastebin.
Peter Todd, a developer for Bitcoin Core, the software used to determine which bitcoin blockchain transactions are valid, says the flaw could enable a man-in-the-middle attacker to remotely instruct a majority of the world’s mining hardware to turn off. The backdoor in the open source code was “buried in tens of thousands of lines of undocumented code,” making it tough to spot, at least initially, he says.
This @BITMAINtech backdoor has *no* authentication: any MITM attacker or DNS attacker can activate it, ~70% of hashrate vulnerable.
— Peter Todd (@petertoddbtc) April 26, 2017
Antbleed says all firmware since July 11, 2016, appears to include the backdoor.
“At worst, this firmware backdoor allows Bitmain to shut off a large section of the global hashrate (estimated to be at up to 70 percent of all mining equipment). It can also be used to directly target specific machines or customers,” Antbleed says. “Standard inbound firewall rules will not protect against this because the Antminer makes outbound connections.”
In April, Bitmain released updated firmware that removes the backdoor.
The manufacturer tried to defend the flaw by saying it was intended to help device owners keep control of their devices. “This feature was intended to allow the owners of Antminer to remotely shut down their miners that may have been stolen or hijacked by their hosting service provider, and to also provide law enforcement agencies with more tracking information in such cases,” the company says in a blog post. “We never intended to use this feature on any Antminer without authorization from its owner. This is similar to the remote erase or shutdown feature provided by most famous smartphone manufacturers. However, this feature was never completed.”
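The security-relevant detail in the Antbleed description is that the check-in reply carried no authentication: a bare “false” from whoever sits on the network path, or whoever controls the DNS answer, halts the miner. Bitmain’s stated intent, an owner-initiated remote shutdown, can be built without that exposure. The Python example below is added here for illustration; it is not Bitmain’s firmware or the code posted to Pastebin, and the message format, the `owner_key` shared secret and the device identifiers are assumptions constructed for the demonstration. It places the unauthenticated reply handling the page describes beside a hardened form in which a stop command must be bound to the check-in’s fresh nonce and authenticated with an HMAC under a key only the device owner holds, so a tampered or replayed reply is ignored and the miner keeps running.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values for the demonstration (not real devices or keys).
DEVICE_ID = "miner-demo-0001"
OWNER_KEY = b"owner-provisioned-secret-for-demo"     # set by the owner at install
ATTACKER_KEY = b"attacker-does-not-know-owner-key"


def vulnerable_should_stop(reply: str) -> bool:
    """Reply handling as the page describes the backdoor: a bare 'false'
    from the remote service halts mining. Nothing proves who sent it, so
    an on-path party that rewrites the reply can stop the device."""
    return reply.strip() == "false"


def new_checkin(device_id: str) -> dict:
    """Hardened check-in: the device sends its id and a fresh random nonce.
    The nonce must come back in any command, which defeats replay of an
    older, legitimately signed stop. (No MAC/IP address is sent; the owner
    already knows which device this is.)"""
    return {"device": device_id, "nonce": secrets.token_hex(16)}


def _command_message(device_id: str, nonce: str, cmd: str) -> bytes:
    return f"{device_id}|{nonce}|{cmd}".encode()


def sign_command(owner_key: bytes, device_id: str, nonce: str, cmd: str) -> str:
    """Owner side (assumed format): authenticate a command for one device and
    one check-in with HMAC-SHA256 under the owner's key."""
    mac = hmac.new(owner_key, _command_message(device_id, nonce, cmd),
                   hashlib.sha256).hexdigest()
    return json.dumps({"device": device_id, "nonce": nonce,
                       "cmd": cmd, "mac": mac})


def hardened_should_stop(owner_key: bytes, checkin: dict, reply: str) -> bool:
    """Device side: stop only on a well-formed, owner-signed 'stop' that
    names this device and echoes this check-in's nonce. Anything else,
    including the bare 'false' of the original design, is ignored."""
    try:
        msg = json.loads(reply)
        device, nonce, cmd = str(msg["device"]), str(msg["nonce"]), str(msg["cmd"])
        mac = str(msg["mac"]).encode()
    except (ValueError, KeyError, TypeError):
        return False                      # malformed: keep mining
    if device != checkin["device"] or nonce != checkin["nonce"]:
        return False                      # wrong device or replayed nonce
    expected = hmac.new(owner_key, _command_message(device, nonce, cmd),
                        hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return False                      # forged or modified in transit
    return cmd == "stop"


def demo() -> dict:
    """Run the scenarios side by side and return the outcomes."""
    checkin = new_checkin(DEVICE_ID)
    tampered_reply = "false"                                   # on-path rewrite
    owner_stop = sign_command(OWNER_KEY, DEVICE_ID, checkin["nonce"], "stop")
    forged_stop = sign_command(ATTACKER_KEY, DEVICE_ID, checkin["nonce"], "stop")
    stale_stop = sign_command(OWNER_KEY, DEVICE_ID, new_checkin(DEVICE_ID)["nonce"], "stop")
    return {
        "vulnerable_stops_on_tampered_reply": vulnerable_should_stop(tampered_reply),
        "hardened_stops_on_tampered_reply": hardened_should_stop(OWNER_KEY, checkin, tampered_reply),
        "hardened_stops_on_owner_command": hardened_should_stop(OWNER_KEY, checkin, owner_stop),
        "hardened_stops_on_forged_command": hardened_should_stop(OWNER_KEY, checkin, forged_stop),
        "hardened_stops_on_replayed_command": hardened_should_stop(OWNER_KEY, checkin, stale_stop),
    }


if __name__ == "__main__":
    for scenario, stopped in demo().items():
        print(f"{scenario}: {'STOP' if stopped else 'keep mining'}")
```

Two design choices carry the weight here: the decision to halt fails safe toward “keep mining” on anything that does not verify, and the nonce binds each command to one check-in so that capturing a genuine stop message does not let it be replayed later. A shared HMAC key keeps the example dependency-free; a public-key signature would let the device hold no secret at all. None of this helps with the point Antbleed makes about firewalls: because the connection is outbound, operators who do not want any remote check-in at all still need egress filtering or a firmware build without the feature.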
Bitmain didn’t immediately respond to a request for comment about how many users had updated their devices.
“I think it is a threat still,” Alan Woodward, a professor of computer science at England’s University of Surrey, tells ISMG. “I’m not sure what’s been fixed. You can imagine DoS attacks so that someone could gain 51+ percent of mining capability and thence undermine bitcoin.”
With all of the value now associated with bitcoin, it’s not clear what might happen if someone disrupted the world’s ability to process bitcoins and sent its value crashing.
“As a simple engineer what I don’t understand is what happens if wealth is transferred to bitcoin and it then crashes,” Woodward says. “Does that do harm to the global economy or does the real wealth just get moved?”