Policy and Governance: Making a Case for Cryptocurrency Threat Intelligence
In late January, Wormhole, a blockchain bridge run by a Fintech organization in the Decentralized Finance (DeFi) space that provides third-party services connecting six blockchains, suffered the second-largest loss of cryptocurrency assets to date, behind only Poly Network (1). Threat actors exploited a Boolean logic flaw in the code of a proprietary approval protocol for cross-chain transactions, enabling the theft of around $320M in assets. The code-level vulnerability becomes apparent only after reverse engineering and triaging the transaction protocol. Threat actors are flocking to Fintech: the amount of crypto assets stolen in 2021 reached between $2.3 and $4.5 billion (2). This represents a 1330% increase over 2020, and the 2020 total in turn represents a 335% increase over the amount stolen from DeFi platforms in 2019. Risks and solutions are better discerned by analyzing the attack patterns and the types of threat actors that have emerged over the past two years.
EclecticIQ analysts and other threat intelligence organizations are taking notice of important and rapidly growing niches for threat intelligence in the DeFi space (3). Existing standards, including the Diamond Model and the Kill Chain, can be combined with open-source data and tooling from established Cyber Threat Intelligence practice to produce a strong foundation for analysis and to develop and illuminate new DeFi security use cases. There are already some highly relevant and consistent intelligence feeds that provide valuable data on cryptocurrency transactions (bitcoinabuse.com, whale-alert.io). Government and financial policymakers, as well as developers and executives in Fintech, will find it increasingly useful to highlight common attack patterns, describe threat actors, and associate activity with them to aid attribution and to understand how risk in the DeFi space changes.
Threat Actor Update: NSO Group May Rebrand, But Copycats Will Persist, Morph, and Proliferate
The NSO Group, the Israeli tech company behind the Pegasus spyware, is likely to be sold and rebranded under new ownership (4). Even with a rebranding, EclecticIQ analysts assess that the group is very likely to persist in developing further zero-day exploits for mobile platforms. Ubiquitous cell phone use provides a wealth of detailed, on-demand, targeted intelligence, which is highly valuable and therefore potentially highly lucrative. Other organizations in the same grey space of high-end third-party exploit retail already exist and have developed further leading mobile exploits (5). The details of NSO Group's tooling reported by Citizen Lab, and the recent publicity around them, are not likely to stop the wider private espionage industry from persisting and succeeding unless broader action is taken against the sector.
The best defense against overly invasive and possibly illegal mobile surveillance is to hold companies accountable, at a minimum by bringing formal charges against the individuals central to the direction and development of the company, as the US does with ransomware cybercriminals (6). This can at the very least restrict the assets and movements of key individuals. Barring that, the next best option for individuals is to seek out mobile communication applications that hold high standards of encryption and the lowest possible data retention. This provides better, though not complete, protection from new zero-days and can potentially narrow their impact.
New and Noteworthy: PwnKit Requires Initial Access to the Network
PwnKit, first disclosed on 18 November 2021 by Qualys researchers and present in the code since May 2009, affects Unix-like systems and is tracked as CVE-2021-4034 with a severity score of 7.8. PwnKit is a local privilege escalation vulnerability leading to arbitrary code execution. The vulnerability resides in the pkexec command of polkit, which contains a memory corruption flaw triggered when null data is passed to it (7). The vulnerability allows escalation to full root privileges on default installations of most popular Linux distributions.
Proof-of-concept code has been released publicly. Potential exploitation can be hunted by looking in logs for unexpected environment variables in pkexec invocations, or for a null value in the SHELL variable seen by the program. Looking for new, unexpected processes spawned as root following suspicious connections to the internal network may also provide incident-response leads. Removing the command option is a temporary workaround, but processes that depend on it are likely to break. Overall threat risk is moderate because the vulnerability is not remotely accessible.
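The log hunt described above, as an added example that is not part of the original brief: the two message strings are the ones pkexec's own environment checks write to syslog (including the source's "suscipious" misspelling), while the syslog framing, hostnames, PIDs and sample lines are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Messages pkexec writes to syslog/auth.log when its environment checks fail
# (from polkit's pkexec.c, including the source's own "suscipious" misspelling).
# A PwnKit exploitation attempt trips these checks on the way to code execution.
SHELL_MSG = "The value for the SHELL variable was not found the /etc/shells file"
ENV_MSG = re.compile(r"The value for environment variable (\S+) contains suscipious content")

# Syslog-style framing is an assumption for this example:
# "<Mon DD HH:MM:SS> <host> pkexec[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def classify(msg: str) -> Optional[str]:
    """Return an indicator name if a pkexec message matches a PwnKit tell, else None."""
    if SHELL_MSG in msg:
        return "shell_not_in_etc_shells"
    m = ENV_MSG.search(msg)
    if m:
        return "suspicious_env:" + m.group(1)
    return None

def hunt_pkexec(lines: List[str]) -> Dict[str, List[str]]:
    """Group PwnKit indicators by pkexec PID; lines from other daemons are ignored."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("msg"))
        if reason:
            hits.setdefault(m.group("pid"), []).append(reason)
    return hits

# Constructed sample log: one exploitation attempt (PID 4211) beside benign activity.
SAMPLE_LOG = """\
Jan 26 10:14:02 web01 pkexec[4211]: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=]
Jan 26 10:14:02 web01 pkexec[4211]: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=]
Jan 26 10:20:33 web01 pkexec[4350]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart nginx]
Jan 26 10:21:00 web01 sshd[4400]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
""".splitlines()

if __name__ == "__main__":
    for pid, reasons in hunt_pkexec(SAMPLE_LOG).items():
        print(f"pkexec pid {pid}: {', '.join(reasons)}")
```

Point the script at /var/log/auth.log or `journalctl -t pkexec` output; a PID carrying both indicators within the same second is a strong lead worth correlating with new root processes on that host.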
- (1) https://blockworks.co/in-second-largest-defi-hack-ever-blockchain-bridge-loses-320m-ether/, https://www.reddit.com/r/ethereum/comments/sj68rz/heres_how_98k_eth_was_stolen_on_solana_explained/
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at firstname.lastname@example.org.