EclecticIQ
Threat Intel for Cryptocurrency, NSO Group Rebranding, and a Distillation of Pwnkit Intel.

Recently we have been busy crafting potential cryptocurrency threat intelligence use cases as attacks continue pouring in. Top-tier mobile exploits and the companies that pass them along are also top of mind, and lastly we thought it prudent to provide some succinct info on the PwnKit vulnerability to aid recovery.

EclecticIQ Threat Research Team February 9, 2022

Policy and Governance: Making a Case for Cryptocurrency Threat Intelligence

In late January, Wormhole, a blockchain bridge and Fintech organization in the Decentralized Finance (DeFi) space that provides third-party services supporting six blockchains, suffered the second-largest loss of cryptocurrency assets to date, behind only Poly Network (1). Threat actors exploited a Boolean logic flaw in the code of a proprietary approval protocol for cross-chain transactions, enabling the theft of around $320M in assets. The code-level vulnerability becomes apparent only after reverse engineering and triaging the transaction protocol. Threat actors are flocking to Fintech: the amount of crypto assets stolen in 2021 reached between $2.3 and $4.5 billion (2). This represents a 1330% increase over 2020, and the 2020 total was itself a 335% increase over the amount stolen from DeFi platforms in 2019. Risks and solutions are better discerned by analyzing the attack patterns and the types of threat actors that have established themselves over the past two years.

EclecticIQ analysts and other threat intelligence organizations are taking notice of important and rapidly growing niches for threat intelligence applications in the DeFi space (3). Existing standards such as the Diamond Model and the Kill Chain can be combined with open-source data and tooling from existing Cyber Threat Intelligence practice to produce a strong foundation for analysis, and to develop and illuminate new DeFi security use cases. There are already some highly relevant and consistent intelligence feeds that provide valuable data on cryptocurrency transactions (bitcoinabuse.com, whale-alert.io). Government and financial policy makers, as well as developers and executives in Fintech, will find it increasingly useful to highlight common attack patterns, describe threat actors, and associate their activity to aid attribution and to understand how risk in the DeFi space changes.

Threat Actor Update: NSO Group May Rebrand, But Copycats Will Persist, Morph, and Proliferate

The NSO Group, the Israeli tech company behind the Pegasus spyware, is likely to be sold and rebranded under new ownership (4). Even with a rebranding, EclecticIQ analysts assess that the group is very likely to persist in developing further zero-day exploits for mobile platforms. Ubiquitous cell phone use can provide a wealth of detailed, on-demand, targeted intelligence, which is highly valuable and thus potentially highly lucrative. Other organizations in the same grey area of high-end third-party exploit retail already exist and have developed further leading mobile exploits (5). The details of NSO Group's tooling reported by Citizen Lab, and the recent publicity, are not likely to stop the wider private espionage industry from persisting and succeeding unless broader action is taken against the sector.

The best defense against overly invasive and possibly illegal mobile surveillance is to hold companies accountable, at minimum by bringing formal charges against the individuals central to the direction and development of the company, as the US does with ransomware cybercriminals (6). This can at the very least restrict the assets and movements of key individuals. Barring that, individuals' next best option is to seek out mobile communication applications that hold high standards of encryption and the lowest possible data retention. This provides better, but not complete, protection from new zero-days and can potentially narrow their impact.

New and Noteworthy: PwnKit Requires Initial Access to the Network

PwnKit, first disclosed on 18 November 2021 by Qualys researchers and present since May 2009, affects Unix-like systems and is tracked as CVE-2021-4034 with a severity score of 7.8. PwnKit is a local privilege escalation vulnerability leading to arbitrary code execution. The vulnerability resides in the pkexec command of polkit, which suffers a memory corruption flaw when null data is passed to it (7). The vulnerability allows escalation to full root privileges on default installations of most popular Linux distributions.

Proof-of-concept exploits have been released publicly. Potential threats can be hunted by looking in logs for unexpected environment variables passed to polkit, or for a null value in the SHELL variable as seen by the program. Looking for new, unexpected processes spawned as root after suspicious connections into the internal network may also provide incident-response leads. Removing the command is a temporary workaround, but processes that rely on it are likely to break. Overall threat risk is moderate because the vulnerability is not remotely accessible.
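As an added illustration of the log-hunting approach above (example code, not part of the original post or of EclecticIQ's tooling), the script below scans syslog-style auth log lines for the two rejection messages pkexec itself writes when the SHELL value or an environment variable fails its sanity checks. The sample log lines are constructed; the assumption is that the host logs pkexec entries in the `host pkexec[pid]: user: message` form shown.

```python
import re
from typing import Dict, List

# Constructed sample lines (not from the original post), modelled on the entries
# pkexec writes to the auth log. Line 1 is a normal, legitimate invocation.
SAMPLE_AUTH_LOG = """\
Feb  9 10:01:12 host1 pkexec[2231]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart nginx]
Feb  9 10:03:44 host1 pkexec[2310]: www-data: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/var/www] [COMMAND=]
Feb  9 10:03:45 host1 pkexec[2311]: www-data: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/var/www] [COMMAND=]
Feb  9 10:05:00 host1 sshd[2400]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# Assumed syslog-style layout: timestamp host pkexec[pid]: user: message
PKEXEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: "
    r"(?P<user>[^:]+): (?P<msg>.*)$"
)
# Messages pkexec logs when SHELL is not in /etc/shells or an environment
# variable is refused ("suscipious" is pkexec's own spelling of the message).
SHELL_MSG = "The value for the SHELL variable was not found the /etc/shells file"
ENV_RE = re.compile(r"The value for environment variable (?P<var>\S+) contains suscipious content")
COMMAND_RE = re.compile(r"\[COMMAND=(?P<cmd>[^\]]*)\]")


def find_pkexec_anomalies(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per pkexec line whose SHELL value was rejected or whose
    environment carried a refused variable. Ordinary 'Executing command' lines
    with a real command, and non-pkexec lines, produce no finding."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = PKEXEC_RE.match(line)
        if not m:
            continue  # not a pkexec entry
        msg = m.group("msg")
        env = ENV_RE.search(msg)
        cmd = COMMAND_RE.search(msg)
        if SHELL_MSG in msg:
            reason = "shell-not-in-etc-shells"
        elif env:
            reason = "rejected-env-var:" + env.group("var")
        else:
            continue  # nothing suspicious on this line
        findings.append({
            "ts": m.group("ts"), "pid": m.group("pid"), "user": m.group("user").strip(),
            "reason": reason, "command": cmd.group("cmd") if cmd else "",
        })
    return findings


if __name__ == "__main__":
    for finding in find_pkexec_anomalies(SAMPLE_AUTH_LOG):
        print(finding)
```

Each finding carries the user and PID, so it can be correlated with the new root processes and network connections the paragraph above suggests reviewing.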

Appendix

  1. https://blockworks.co/in-second-largest-defi-hack-ever-blockchain-bridge-loses-320m-ether/, https://www.reddit.com/r/ethereum/comments/sj68rz/heres_how_98k_eth_was_stolen_on_solana_explained/
  2. https://www.comparitech.com/crypto/biggest-cryptocurrency-heists/
  3. https://threatconnect.com/blog/its-time-to-make-crypto-assets-first-class-citizens-in-threat-intelligence/
  4. https://www.ft.com/content/b4ad167b-cb3a-4e0b-a6a0-bb2608679721
  5. https://www.ibtimes.co.uk/gamma-international-leaked-data-confirms-uk-spyware-export-bahrain-1460291, https://www.timesofisrael.com/second-israeli-company-exploited-apple-flaw-to-hack-into-iphones-report/
  6. https://www.nytimes.com/2021/11/08/us/politics/justice-dept-ransomware.html
  7. https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

You may also download the content as eiq_json, stix1_2, stix2_1.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

© 2014 – 2022 EclecticIQ B.V.