Tactics, Techniques, And Procedures Executed in Collaboration Between Jump Crypto and Oasis Networks to Hack Their Own Protocol
The series of tactics, techniques, and procedures involved relies on the fact that a threat actor with access to assets from the Wormhole Bridge cyberattack in February 2022 recently transferred them into Oasis wallets in a possible consolidation or mixing move. The threat actor additionally gave permissions to an automated smart contract, which appears as normal behavior enabling additional functionality. (1) That one contract was vulnerable to collusion by Oasis and Jump. The primary multisig protocol of Jump was modified in a significant manner to take control of the stolen funds.
The two agencies were able to create another primary signing authority with access to the vault controlling the funds of the threat actor by temporarily modifying the code inside the automated contract attached to the threat actor’s Oasis wallet. A vault in Decentralized Finance is a pooling of many individuals’ funds into an automatic compounding strategy. Two new smart contracts were deployed to initiate the transfer of funds from the targeted vault. Because of the way the decentralized finance protocol was oriented and because of the large amount involved, the new sending smart contract required 78.3M DAI (Ethereum Stablecoin) to close out loans initiated via the newly created smart contracts and transfer stolen funds into a new vault. The agencies burned almost $80M to end up with a net recovery of approximately $140M from the original $225M cyberattack on Wormhole Bridge. The altered code was changed back to its original state within hours.
BlackLotus is The First Publicly-Observed Malware to Bypass Secure Boot Within UEFI
The malware uses CVE-2022-21894 on Windows 11 patched in January 2022 by Microsoft. Like a rootkit, the new malware family contains code able to subvert the normal system boot protocol, loading before the operating system and in doing so, gains widespread access to the target system. The malware still requires an initial delivery vector, like a phishing email, for successful infection.(2)
Unified Extensible Firmware Interface (UEFI) is a specification within a computer for a software program that connects firmware to its corresponding operating system. Secure Boot is a further mechanism to validate firmware and software running on Windows machines. (3) Rootkits (bootkits, bootloaders) and other malicious firmware-targeting malware is not common, and is associated with advanced threat groups. This class of malware is most beneficial for the targeting of individuals, because development and operation require more advanced skill.
BlackLotus was observed advertised as malware-as-a-service on a relatively popular forum, and thus enters a large market for commodity malware, making it much more widely available. The greatest risk is the potential pairing of this capability with further malware designed for targeted personally identifiable information collection, malware designed for financial gain, and generally helping less skilled threat actors execute cyberattacks with higher impact. Similar and related capabilities have been reported since at least 2017, (4) and CosmicStrand -a malware family also able to subvert UEFI through Patch Guard- was described this past summer 2022. (5)
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
Please refer to our support page for guidance on how to access the feeds.
You might also be interested in:
Multi-Year Spearphishing Campaign Targets the Maritime Industry Likely for Financial Gain
Three Cases of Cyber Attacks on the Security Service of Ukraine and NATO Allies, Likely by Russian State-Sponsored Gamaredon
ESXi Ransomware Updates Counter Recovery Script; Killnet Targets Airports and Hospitals
Appendix
- https://www.blockworksresearch.com/research/we-do-a-little-counter-exploit#the-counter-exploit-mechanics/
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- https://www.techtarget.com/whatis/definition/Unified-Extensible-Firmware-Interface-UEFI
- https://bbs.360.cn/thread-14959110-1-1.html
- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/