EclecticIQ Threat Research Team
August 25, 2022

The Analyst Prompt #16: Monero's Hard Fork Enhances Privacy and May Make It More Attractive to Cybercriminals

Blog

tap-16-2022

New & Noteworthy: Monero Hard Fork Improves Privacy - Bitcoin Will Likely Remain Criminals’ ‘Favorite’

On August 13th, 2022, Monero underwent a hard fork, i.e. a protocol upgrade that introduced several new features to improve user anonymity and performance. [5] EclecticIQ analysts assess that Bitcoin will remain the most popular currency used by cybercriminals [6], but that savvy criminals will switch to Monero and other Anonymity Enhanced Cryptocurrency (AEC). Due to its promise of privacy, the adaption of Monero for criminal activity has been growing in past years. [7, 8, 9]. More threat actors beginning to understand that BTC transactions are more transparent and easier to trace than Monero and other AEC. Yet, countries have banned Monero [10] and many exchanges have delisted it [11, 12], limiting its liquidity, and thus holding it back in terms of value. Furthermore, recent sanctioning of Tornado Cash [13] by the U.S. Treasury Department has created uncertainty and fear in the Monero community that the U.S. government could shut down Monero too.[14]

Monero is considered an Anonymity Enhanced Cryptocurrency as it uses Ring Signatures, Ring Confidential Transactions, and Stealth Addresses to conceal and keep a user's identity anonymous. Ring Confidential Transaction (RingCT) is a technology that encrypts the transaction amount. Only the sender and receiver know the transaction amount.

Ring signature is a technology to protect a user’s privacy in the input side of a transaction, masking sender and the origin of a transaction. To prevent transactions from being linked to the sender, Monero merges the transaction signature of a user with those of other users to create ambiguity in blockchain analysis and make trace-back challenging. In its latest fork, Monero increased the ring size from 11 to 16, meaning more keys are required to complete a transaction ring improving the anonymity sets.

Stealth addresses prevent transactions from being linked to the recipient's public wallet address. In Monero, senders are required to create random one-time addresses for every transaction on behalf of the recipient. This means, no one can know which wallets were used to send and receive money.

The fork also introduced performance upgrades and critical security patches. Monero’s value rose by nearly 6.5% after the community applied a new hard fork to the blockchain. [15]

Threat Actor Updates: LockBit Accuses Entrust of DDoS Attack; If Proven Would Set a New Precedent

LockBit operators accused Entrust of conducting a Denial-of-Service attack against its Tor leak sites, after the group started publishing stolen Entrust data on August 19th. [1]

EclecticIQ analysts note that there is no evidence that Entrust or an affiliated cybersecurity company conducted the attacks and assess its likelihood to be low. Analysts argue that cybersecurity specialists would know that a DDoS attack would only have limited and temporary impact on cybercriminal operations. It would not prevent the release of stolen data. As seen in the current case, LockBit operators “plan to upload all of Entrust's data as a torrent, which will make it almost impossible to take down.” [2] Analysts highlight that a ransomware victim, or cybersecurity firm conducting a DDoS attack (or any other form of offensive actions) would set an unprecedented case and would indicate a paradigm shift.

LockBit operators have claimed responsibility for a ransomware attack on digital security company Entrust that occurred in June 18th, 2022. [3] According to OSINT, the criminals set a deadline for the ransom payment ($8 Million) of August 19th. Chat logs reveal that the ransom dropped to $6,8M. Following failed negotiations, the group started publishing the stolen data on their LockBit ransomware Tor blog on August 19th. [4]

Shortly after the release, the group claimed that it suffered a Denial-of-Service attack against their Tor leak sites. The group posted HTTP logs with messages in the user agent field to delete Entrust's data. At the time of the reporting, LockBit´s blog mirrors were still inaccessible.

Key Infrastructure and Critical Vulnerabilities: Seven Vulnerabilities Added to CISA Known Exploited Vulnerabilities Catalog

On August 18th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its list of actively exploited vulnerabilities [16]. EclecticIQ strongly recommends patching the vulnerabilities as per vendor instructions, and to incorporate the Known Exploited Vulnerabilities Catalog in its patch management plan for prioritization. The following CVEs have been added [17]:

  • CVE-2017-15944 Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
  • CVE-2022-21971 Microsoft Windows Runtime Remote Code Execution Vulnerability
  • CVE-2022-26923 Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
  • CVE-2022-2856 Google Chrome Intents Insufficient Input Validation Vulnerability
  • CVE-2022-32893 Apple iOS and macOS Out-of-Bounds Write Vulnerability
  • CVE-2022-32894 Apple iOS and macOS Out-of-Bounds Write Vulnerability
  • CVE-2022-22536 SAP Multiple Products HTTP Request Smuggling Vulnerability

Except for CVE-2017-15944, no details are available yet about how the vulnerability is being exploited.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.

Appendix

  1. vx-underground [@vxunderground], “Lockbit: ‘We’re being DDoS’d because of the Entrust hack’ vx-underground: ‘How do you know it’s because of the Entrust breach?’ Lockbit: https://t.co/HUO2hdTbwz,” Twitter, Aug. 21, 2022. https://twitter.com/vxunderground/status/1561262483448512513 (accessed Aug. 23, 2022). 
  2. “LockBit ransomware blames Entrust for DDoS attacks on leak sites,” BleepingComputer. https://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/ (accessed Aug. 23, 2022).
  3. “Cybersecurity vendor Entrust tells customers data was stolen during June cyberattack,” TechCrunch. https://social.techcrunch.com/2022/07/27/entrust-data-stolen-june-cyberattack/ (accessed Aug. 23, 2022).
  4. Soufiane Tahiri [@S0ufi4n3], “#Entrust vs #Lockbit is a very curious case.. From the chat log timestamps, the negociations started two months ago (29/06) and for some reason, after offering 1M$ (saving time?), Entrust stopped negociating the 13/07. FYI:Tha initial ransom was 8M$ than dropped to 6,8M$. https://t.co/vJMSW5oxvW,” Twitter, Aug. 22, 2022. https://twitter.com/S0ufi4n3/status/1561644045604192256 (accessed Aug. 23, 2022).
  5. “Monero hard fork makes hackers’ favorite coin even more private,” BleepingComputer. https://www.bleepingcomputer.com/news/security/monero-hard-fork-makes-hackers-favorite-coin-even-more-private/ (accessed Aug. 23, 2022).
  6. “Bitcoin is Criminals’ ‘Favorite’, Used in 95% of Crypto Crimes: Forensic,” CCN.com, Apr. 25, 2019. https://www.ccn.com/bitcoin-is-criminals-favorite-claims-blockchain-forensic-used-in-95-of-crypto-crimes/ (accessed Aug. 21, 2022).
  7. M. Sigalos, “Why some cyber criminals are ditching bitcoin for a cryptocurrency called monero,” CNBC. https://www.cnbc.com/2021/06/13/what-is-monero-new-cryptocurrency-of-choice-for-cyber-criminals.html  (accessed Aug. 21, 2022).
  8. F. Times, “Monero emerges as crypto of choice for cybercriminals,” Ars Technica, Jun. 22, 2021. https://arstechnica.com/information-technology/2021/06/monero-emerges-as-crypto-of-choice-for-cybercriminals/ (accessed Aug. 23, 2022).
  9. “Ransomware actors increasingly demand payment in Monero,” SearchSecurity. https://www.techtarget.com/searchsecurity/news/252512142/Ransomware-actors-increasingly-demand-payment-in-Monero (accessed Aug. 23, 2022).
  10. M. Cavicchioli, “South Korea’s new regulation bans Monero trading,” The Cryptonomist, Feb. 23, 2021. https://en.cryptonomist.ch/2021/02/23/south-koreas-new-regulation-bans-monero-trading/ (accessed Aug. 22, 2022).
  11. C. Shumba, “Crypto exchange Kraken will delist privacy coin monero in the UK, according to an email shared on Reddit,” Markets Insider. https://markets.businessinsider.com/news/currencies/monero-kraken-crypto-exchange-delist-privacy-coin-uk-fca-regulation-2021-11 (accessed Aug. 23, 2022).
  12. “Coinbase explains why it won’t list Monero (XMR),” Invezz, Jul. 27, 2020. https://invezz.com/news/2020/07/27/coinbase-explains-why-it-wont-list-monero-xmr/ (accessed Aug. 23, 2022).
  13. “U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash,” U.S. Department of the Treasury. https://home.treasury.gov/news/press-releases/jy0916 (accessed Aug. 23, 2022).
  14. Namcios, “Now That Authorities Have Sanctioned Tornado Cash, Is Bitcoin Next?,” Bitcoin Magazine - Bitcoin News, Articles and Expert Insights. https://bitcoinmagazine.com/technical/is-bitcoin-next-after-tornado-cash (accessed Aug. 22, 2022).
  15. E. Dunne, “Monero is soaring higher than ever after its recent hard fork,” InsideBitcoins.com, Aug. 21, 2022. https://insidebitcoins.com/news/monero-is-soaring-higher-than-ever-after-its-recent-hard-fork (accessed Aug. 22, 2022).
  16. “CISA Adds Seven Known Exploited Vulnerabilities to Catalog | CISA.” https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/cisa-adds-seven-known-exploited-vulnerabilities-catalog (accessed Aug. 23, 2022).
  17. “Known Exploited Vulnerabilities Catalog | CISA.” https://www.cisa.gov/known-exploited-vulnerabilities-catalog (accessed Aug. 23, 2022).

Talk to one of our experts

Protect your organization with cutting-edge threat intelligence. Book your free demo today and explore how our products and services can help you meet your security needs.
Book a call
cta-footer
Book a demo