
Hacker Steals $100 million Worth of Crypto from Harmony Horizon Bridge


Earlier this week, the Horizon bridge, which links Harmony, a Layer-1 proof-of-stake blockchain with the native token ONE, to the Ethereum and Binance Chain ecosystems, was exploited, resulting in the loss of nearly $100 million in tokens. The separate BTC bridge was not affected; it has nevertheless been shut down as a precaution against further losses. 

The U.S. crypto startup has notified the FBI and asked it to assist with the investigation into identifying the attacker and recovering the stolen assets. 

“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds,” the company posted on Twitter. 

“We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands-on deck as investigations continue. We will keep everyone up-to-date as we investigate this further and obtain more information.”

The transactions that make up the attack were sent between about 7:08 am and 7:26 am EST. The first transaction moved 4,919 ETH; it was followed by multiple smaller transactions ranging from 911 ETH down to 0.0003 ETH. The last one was sent after the bridge had been shut down. 

The hack is the latest in a series of exploits affecting the crypto space. So far, Frax (FRAX), Wrapped Ether (wETH), Aave (AAVE), SushiSwap (SUSHI), Frax Share (FXS), AAG (AAG), Binance USD (BUSD), Dai (DAI), Tether (USDT), Wrapped BTC (wBTC), and USD Coin (USDC) have been identified among the assets drained from the bridge. 

Interestingly, a warning had been issued by an independent researcher and blockchain developer, Ape Dev, back on the 2nd of April. In a series of tweets, the researcher pointed out that the security of the Horizon bridge hinged on a multisignature ("multisig") wallet that required only two signatures to authorize a transfer. An attacker who compromised just two of the signers' keys could therefore execute a very simple attack: sign off on transfers worth up to $330 million. 

The hack adds to a run of negative news in the crypto space. Crypto lenders Celsius and Babel Finance froze withdrawals after a sharp drop in the value of their assets caused a liquidity crunch. Meanwhile, crypto hedge fund Three Arrows Capital could be declared in default for failing to repay a $660 million loan from brokerage firm Voyager Digital.

Hackers Target Inverse Finance in a Flash Loan Oracle Attack


Inverse Finance, a decentralized autonomous organization (DAO), has suffered a flash loan attack in which hackers stole $1.26 million in Tether (USDT) and Wrapped Bitcoin (WBTC). This comes just two months after the DeFi protocol suffered an exploit in which attackers siphoned off $15.6 million through price oracle manipulation. 

"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said. 

Inverse Finance is an Ethereum-based decentralized finance (DeFi) protocol that facilitates the borrowing and lending of cryptocurrencies. The latest exploit used a flash loan: the attacker borrows a large amount of an asset from a DeFi platform with no collateral, on the condition that it is repaid within the same transaction. The borrowed funds are used to push the price that the protocol's oracle reads (for example by making one very large swap in a thinly traded pool), the attacker borrows against collateral that is now valued far too highly, and then repays the flash loan, keeping the difference. Because everything happens in one transaction, the price spike is never visible to anyone else. 

Upon discovering the attack, the DeFi protocol temporarily paused borrowing and removed the DOLA stablecoin from the money market, saying that it was investigating the incident and that no user funds were at risk. 

It later confirmed that only the attacker's own deposited collateral was affected in the incident. In a tweet, the company asked the attacker to return the funds in exchange for a "generous bounty". 

In total the attacker obtained 99,976 USDT and 53.2 WBTC from the attack. Immediately afterwards, the funds were routed through Tornado Cash, a cryptocurrency mixing (tumbling) protocol designed to obscure where funds came from, and for that reason widely used for money laundering.

The rapid growth of DeFi, which offers crypto-denominated lending outside traditional banking, has been a major factor in the increase in stolen funds and fraud. DeFi protocols are now the most targeted part of the crypto industry, yet another warning for those dabbling in this emerging segment.

“DeFi is one of the most exciting areas of the wider cryptocurrency ecosystem, presenting huge opportunities to entrepreneurs and cryptocurrency users alike,” as per a report by Chainalysis. 

Last year, more stolen funds flowed to DeFi platforms (51 percent) and centralized exchanges received less than 15 percent of the total stolen funds, Chainalysis wrote in its annual Crypto Crime report. “This is likely due to exchanges’ embrace of AML and KYC processes, which threaten the anonymity of cybercriminals,” the report added.

Apple Launches Passkey Feature For Password-less Verification

At WWDC 2022, Apple previewed iPadOS 16, iOS 16, macOS 13, watchOS 9, new MacBook Air and MacBook Pro models, the M2 chip, and other new products. Alongside the new hardware, the software releases aim to strengthen user privacy and security. In May 2022, Google, Microsoft, and Apple announced expanded support for a common passwordless sign-in standard developed by the FIDO Alliance and the World Wide Web Consortium. 

According to the FIDO Alliance, these companies' platforms already support FIDO standards for passwordless sign-in on billions of devices, but previous implementations required users to enrol each device with each website or app before they could use passwordless sign-in there. The expanded support means that users' FIDO credentials, also known as "passkeys", become available automatically on their devices, new ones included, without having to re-enrol every account. 

Users can also use FIDO authentication on their smartphones to sign in to apps and websites on nearby devices. With Apple's new operating systems, this support means signing in without a password in Safari on macOS Ventura, iOS 16 and iPadOS 16. Apple says passkeys are unique digital keys that stay on the device and are never stored on a web server, so they cannot be leaked in a server breach, and users cannot be tricked into sharing them. 

Designed to replace passwords, passkeys use Face ID or Touch ID for biometric authentication and iCloud Keychain to sync across iPad, iPhone, Mac, and Apple TV with end-to-end encryption. Of the separate Safety Check feature, Apple says "[Safety Check] includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand. It also helps users understand and manage which people and apps they've given access to."

China's Draft Cybersecurity Rules Pose Risks For Financial Firms


China's securities regulator has proposed new cybersecurity rules for financial firms that, according to the industry group ASIFMA, could put the operations of Western organizations at risk by, among other things, exposing their sensitive data to hacking. 

This latest regulatory proposal comes at a time when a number of western investment banks and asset managers are expanding their business in China, either by setting up wholly-owned firms or by taking a bigger share in existing joint ventures. 

On April 29, the China Securities Regulatory Commission (CSRC) released the draft Administrative Measures for the Management of Network Security in the Securities and Futures Industry and opened a month-long public consultation on the proposals. 

Under the draft rules, investment banks, asset managers, and futures companies operating in China would be required to share data with the CSRC, submit to regulator-led testing, and help set up a centralized data backup center. 

The draft also states that the CSRC could conduct penetration testing (a simulated cyber attack against the operational systems) and system scanning on securities, futures, and fund firms. 

"The real risks to firms due to the potentially disruptive nature of penetration testing and the sensitivity of testing results. Testing systems and applications without operational context could create significant disruption to firm operations,” ASIFMA noted. 

The regulator has laid out a number of reasons for sharing data with the center, but the industry group is concerned that handing over sensitive data will make companies in the sector more vulnerable to "hackers and other bad actors". 

A number of international banks and asset managers are likewise opposed to the plan to set up a centralized data backup center. 

"This not only poses huge risks to all core institutions and operating institutions on an individual basis but also brings significant systemic risks for the sector in China and globally given the inter-connectedness of the global financial sector if the data is compromised or leaked," the ASIFMA letter said. 

At present, the government has not set a timeline for the final issuance of the rules or for their implementation.

Google, Apple, Microsoft to Soon Bring Passwordless Sign-Ins for Users


Apple, Google, and Microsoft announced almost two years ago that they would work toward a passwordless future, removing the need for passwords and making authentication more secure. 

On World Password Day, May 5, the three companies committed to support passwordless sign-ins across their platforms over the coming year, covering mobile devices, laptops, the Chrome, Edge, and Safari browsers, and the Windows and macOS desktops. 

Google's Sampath Srinivas, who leads the company's secure authentication work, said the "passkey will bring us much closer to the passwordless future" as the tech giants pursue a "common passwordless sign-in standard". 

The standard was created by the FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium. Users will access their online accounts as before, but instead of a password they present a passkey, a per-account cryptographic credential stored on their device. Signing in with it is quicker and does not involve typing, remembering, or transmitting a password. 

Apple Senior Director of platform product marketing Kurt Knight said, "Just as we design our products to be intuitive and capable, we also design them to be private and secure. Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.” 

Apple said the feature will let apps and websites offer simple, secure passwordless sign-in across devices and platforms. Sign-in without passwords is also expected to be considerably safer, since passwords are routinely phished, reused, and leaked, and remembering and managing them is a burden for many users. 

Microsoft’s vice president for security, compliance, identity, and privacy, Vasu Jakkal, said that "With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows—using a passkey on an Apple device.”

Google's Safety Section Will Show What Android Apps Do With the User Data

Earlier this week, Google rolled out a new Data safety section for Android apps on the Play Store, in which developers declare what data an app collects and what it shares with third parties. Users have a right to know why their data is collected and whether the developer passes it on. 

Users should also be able to see how developers protect that data once an app is installed. The transparency measure, modeled on Apple's privacy "nutrition labels", was first announced by Google in May 2021. 

The Data safety section will appear on every app listing in the store, presenting a unified view of what data is collected, why it is collected, how it will be used, and what is shared with third parties. The labels can also describe an app's security practices, for instance whether data is encrypted in transit and whether users can request that their data be deleted. 

Developers can additionally state that these practices have been independently validated against a security standard such as the Mobile Application Security Verification Standard (MASVS). The feature is rolling out to all users; developers have until 20 July 2022 to complete the section and must update it whenever an app's functionality or data handling practices change. 

Data safety may face the same criticism Apple's labels did: the system is entirely an honor system. It relies on developers being honest and precise about what they do with data, and inaccurate labels are a real risk. 

Apple has since said that it audits labels for accuracy, so that they remain dependable and do not give users false assurance about security. 

"Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information and that it will mandate them to fix misrepresentations should it identify instances of policy violations," reports The Hacker News.

Hackers Steal NFTs Worth $3M in Bored Ape Yacht Club Heist


Hackers stole non-fungible tokens (NFTs) estimated to be worth $3 million after taking over the Bored Ape Yacht Club's Instagram account and posting a link to a replica website built to drain victims' assets.

The fake post offered a free airdrop (a promotional token giveaway) to anyone who clicked the link and connected their MetaMask wallet to the scammer's site. Rather than receiving free tokens, victims had their wallets drained. 

Bored Ape Yacht Club tweeted Monday morning in a warning that came too late for some of its members, "It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything,"  

The Bored Ape Yacht Club, or BAYC, is a collection of images of bored-looking apes in various poses and costumes, used as online profile avatars and selling for hundreds of thousands of dollars' worth of cryptocurrency each. 

Miscreants stole four Bored Apes, six Mutant Apes, and three Bored Ape Kennel Club NFTs, as well as "assorted additional NFTs estimated at a total value of $3 million," according to Yuga Labs, the company that launched Bored Ape Yacht Club. 

"We are actively working to establish contact with affected users," a Yuga Labs spokesperson said, adding that its hijacked Instagram account did have two-factor authentication enabled, "and the security practices surrounding the IG account were tight." 

"Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account," the spokesperson stated. 

This is the second time in less than a month that the NFT collection has been hit. Bored Ape Yacht Club said on March 31 that its Discord server had been compromised; according to security firm PeckShield, a single NFT, Mutant Ape Yacht Club #8662, was stolen in that incident. 

In March, following the launch of the ApeCoin cryptocurrency by the Bored Ape Yacht Club, fraudsters took around $1.5 million by claiming a large number of tokens using NFTs they did not own, borrowed through a flash loan. Flash loans are taken out and repaid within a single blockchain transaction, so the funds are held for only seconds. These and other recent hacks have raised security concerns about NFT and cryptocurrency technologies.

Docker Servers Targeted by LemonDuck Cryptomining Campaign


LemonDuck botnet operators have launched a large-scale Monero cryptomining campaign targeting Docker APIs on Linux servers. Cryptomining hackers are a persistent danger to Docker systems that aren’t properly shielded or configured, with multiple mass-exploitation efforts recorded in recent years.

The cryptomining malware was first identified in 2019 by researchers from Trend Micro while targeting enterprise networks. Previously, the botnet has targeted Microsoft Exchange servers, Linux machines via SSH brute force attacks, Windows systems susceptible to SMBGhost, and servers running Redis and Hadoop instances. 

Methodology Employed 

The LemonDuck botnet secures access to the exposed Docker APIs and runs a malicious container to fetch a Bash script disguised as a PNG image. 

The script is downloaded from the domain t.m7n0y[.]com, which was observed in other LemonDuck attacks. 

“The “core.png” file acts as a pivot by setting a Linux cronjob inside the container. Next, this cronjob downloads another disguised file “a.asp,” which is actually a Bash file,” CrowdStrike researchers explained. “The “a.asp” file is the actual payload in this attack. It takes several steps before downloading and starting a mining operation once it is triggered by a cronjob, as follows.” 

The Bash file (a.asp) performs the following actions: 

• Kill processes based on names of known mining pools, competing cryptomining groups, etc. 
• Kill daemons like crond, sshd and syslog. 
• Delete known indicator of compromise (IOC) file paths. 
• Kill network connections to C2s known to belong to competing cryptomining groups. 
• Disable Alibaba Cloud’s monitoring service that protects instances from risky activities. 

Last year in November, cryptomining malware used by unknown attackers was found to disable protective mechanisms in Alibaba Cloud services. After doing the above tasks, the Bash script then downloads and executes the cryptomining program XMRig and a configuration file that hides the actor’s wallets behind proxy pools. 

Once the initially infected machine has been set up to mine, LemonDuck attempts lateral movement using any SSH keys it finds on the filesystem, using them to infect further hosts. Not exposing the Docker API on cloud instances, or restricting it to TLS-authenticated clients, remains the only reliable way to keep LemonDuck's cryptomining off a host: everything that follows the initial container launch runs with the privileges the API hands out.

US Attributes North Korean Lazarus Hackers to Axie Infinity Crypto Theft


The US Treasury Department announced on Thursday that it had linked North Korean hackers to the heist of hundreds of millions of dollars in cryptocurrencies linked to the popular online game Axie Infinity. 

On March 23, cryptocurrency worth about $615 million was stolen, according to Ronin, the blockchain network that lets users move crypto in and out of the game. No one has claimed responsibility for the hack, but the US Treasury said on Thursday that a cryptocurrency address used by the hackers was controlled by the North Korean hacking group known as "Lazarus". 

The Treasury Department spokesperson stated, using the initials of North Korea’s official name, “The United States is aware that the DPRK has increasingly relied on illicit activities — including cybercrime — to generate revenue for its weapons of mass destruction and ballistic missile programs as it tries to evade robust U.S. and U.N. sanctions.” 

Anyone transacting with the wallet now risks US sanctions, according to the spokesperson. Chainalysis and Elliptic, two blockchain analytics companies, said the designation confirmed that North Korea was behind the break-in. Aleksander Larsen, co-founder of Sky Mavis, the developer of Axie Infinity, declined to comment. Sky Mavis engaged CrowdStrike to investigate the incident; the firm also declined to comment. 

The FBI has ascribed the attack to the Lazarus Group, according to a post on the official Ronin blog, and the US Treasury Department has sanctioned the address that received the stolen money. The Reconnaissance General Bureau, North Korea's primary intelligence bureau, is said to be in charge of the Lazarus hacking squad, according to the US. It has been accused of being involved in the "WannaCry" ransomware attacks, as well as hacking multinational banks and customer accounts and the Sony Pictures Entertainment hacks in 2014. 

Cryptocurrency systems have long been afflicted by hacks. The Ronin hack was one of the most massive cryptocurrency thefts ever. Sky Mavis stated it will refund the money lost using a combination of its own balance sheet capital and $150 million raised from investors including Binance. 

The Ronin blog stated, “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk. Expect the bridge to be deployed by end of month.” 

According to a Treasury spokesperson, the US will consider publishing crypto cybersecurity guidelines to help in the fight against the stolen virtual currency.

FBI: North Korean Hackers Stole $600M+ Worth Cryptocurrency


The FBI has accused hackers associated with the North Korean government of stealing more than $600 million in cryptocurrency from a video game company last month, the latest in a sequence of sophisticated cyber thefts linked to Pyongyang. 

The FBI said in a statement, "Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th." "DPRK" is an abbreviation for North Korea's official name, the Democratic People's Republic of Korea, and Ethereum is a technology platform linked with a type of cryptocurrency. 

The FBI was referring to the recent hack of Axie Infinity's computer network, which allows gamers to win cryptocurrency. Undiscovered hackers stole the equivalent of about $600 million — estimated at the time of the hack's detection — on March 23 from a "bridge," or network that allows users to transmit cryptocurrency from one blockchain to another, according to Sky Mavis, the business that developed Axie Infinity. 

On Thursday the US Treasury Department added to its sanctions on Lazarus Group, a large hacking group believed to work for the North Korean government, by designating the specific wallet address that was used to cash out the Axie Infinity hack.

According to a United Nations panel and outside cybersecurity experts, cyberattacks have been a major source of revenue for the North Korean state for years as its leader, Kim Jong Un, pursued nuclear weapons. North Korea is reported to have fired its first intercontinental ballistic missile in more than four years last month. According to Chainalysis, a company that records digital currency transactions, the Lazarus Group has stolen an estimated $1.75 billion in cryptocurrencies in recent years. 

Ari Redbord, head of legal affairs at TRM Labs, a firm that investigates financial crime said,"A hack of a cryptocurrency business, unlike a retailer, for example, is essentially bank robbery at the speed of the internet and funds North Korea's destabilizing activity and weapons proliferation. As long as they are successful and profitable, they will not stop." 

While much of the attention of cybersecurity analysts has been on Russian hacking in the wake of the Ukraine conflict, suspected North Korean hackers have been far from quiet. Last month, Google researchers revealed two separate suspected North Korean campaigns aimed at US media and IT businesses, as well as the cryptocurrency and financial technology industries. Google notifies users who are targeted by state-sponsored hackers. 

If a Google user has "any link to being active in Bitcoin or cryptocurrencies" and receives a warning from Google about state-backed hacking, it nearly invariably turns out to be North Korean activity, according to Shane Huntley, who leads Google's Threat Analysis Group.

Further, Huntley told CNN, "It seems to be an ongoing strategy for them to supplement and make money through this activity." 

Indian Crypto Exchanges Disable Deposits Via UPI System


Multiple Indian crypto exchanges have disabled rupee deposits using the Unified Payments Interface (UPI) system, which is the most widely used retail payment method. This comes after the National Payments Corporation of India (NPCI) said last week that it was unaware of any crypto exchange using UPI. 

The Indian government has spent years working on a law to ban or regulate cryptocurrencies, with a ban backed by the central bank over risks to financial stability. However, recently the government has taken a decision to put a tax on the income from cryptocurrency and other digital assets. 

Crypto exchange WazirX is no longer offering UPI support. The exchange tweeted on Wednesday, “Currently, UPI is not available,” and advised users to use P2P payments instead, which carry zero fees. It added that it has no estimate for when UPI deposits will be restored. CoinDCX is also not accepting UPI payments, saying on Twitter on Monday, “UPI is temporarily unavailable.”

CoinSwitch Kuber, with over 15 million users, went a step further and reportedly suspended all INR deposit services, including UPI and bank transfers via NEFT, RTGS, and IMPS. The Nasdaq-listed exchange Coinbase, which recently launched in India, has also disabled all purchase options, including UPI. 

Last month, multiple reports suggested that Coinbase has begun rolling out UPI and IMPS support for its users in India after users noticed the inclusion of the two payment systems (UPI & IMPS) on Coinbase’s app. The company acknowledged the same at its launch event on 7th April. 

“We are aware of the recent statement published by NPCI regarding the use of UPI by cryptocurrency exchanges. We are committed to working with NPCI and other relevant authorities to ensure we are aligned with local expectations and industry norms,” the exchange clarified. 

An industry source with direct knowledge of the matter said the NPCI was caught between a rock and a hard place when Coinbase claimed to launch with UPI support. “Once the launch of Coinbase happened in India and they announced the usage of UPI as a payment option, NPCI realized it needed to put a clarification out there,” the person said. 

Earlier this month, the popular payment service MobiKwik also stopped serving crypto exchanges. Meanwhile, trading volumes on Indian crypto exchanges have been falling since the 30% tax on crypto income, which allows no offsetting of losses or deductions, took effect on April 1. From July 1, a 1% tax deducted at source (TDS) will also apply to crypto transactions. 

There are no official data available on the size of India's crypto market, but industry experts believe the number of investors ranges from 15 million to 20 million, with a holding of about Rs 40,000 crore ($5.25 billion).

GitHub Brings Auto-Blocking Feature Including API Keys and Tokens

GitHub announced on Monday that it has expanded the secret scanning feature of its code hosting platform so that GitHub Advanced Security customers can automatically block secret leaks. Secret scanning is a premium feature available to organizations with a GitHub Advanced Security license; it scans repositories for patterns defined by the organization or supplied by a service provider partner. 

Every match is reported as a security alert in the repository's Security tab, or forwarded to the provider when it matches a partner pattern. The new feature, called push protection, is designed to stop credentials being exposed before code reaches a remote repository. It moves secret scanning into the developer's workflow and covers 69 token types (API keys, management certificates, access tokens, private credentials, secret keys, and so on) chosen for their low false-positive rate. 

"With push protection, GitHub will check for high-confidence secrets as developers push code and block the push if a secret is identified. High-confidence secrets have a low false positive rate, so security teams can protect their organizations without compromising developer experience," GitHub says. If GitHub Enterprise Cloud detects a secret before the code lands, the git push is rejected so that the developer can review the code and remove the secret before pushing again. 

"GitHub Advanced Security helps secure organizations around the world through its secret scanning, code scanning, and supply chain security capabilities, including Dependabot alerts and Dependabot security updates that are forever free," says the GitHub blog. 

How to enable push protection for your organization: 

1. Go to GitHub and open your organization's page. 
2. Under the organization name, click Settings. 
3. In the "Security" section of the sidebar, click Code security and analysis. 
4. Scroll to "GitHub Advanced Security". 
5. Under "Secret scanning", next to "Push protection", click Enable all. 
6. Optionally, select "Automatically enable for private repositories added to secret scanning."

Bored Ape & Other Major NFT Project Discords Hacked by Fraudsters


The Discord servers of several prominent NFT projects were hacked last week as part of a phishing scheme to trick members into handing over their NFTs. 

In tweets, the Bored Ape Yacht Club, Nyoki, and Shamanz all confirmed Discord hacks. The Discords of NFT projects Doodles and Kaiju Kingz were also attacked, according to screenshots released by independent blockchain investigator Zachxbt. Doodles and Kaiju Kingz both confirmed that they had been hacked on their Discords. 

“Oh no, our dogs are mutating,” read one of the phishing posts posted in the BAYC Discord by a compromised bot viewed by Motherboard.

“MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.” 

The goal of the hack was to get users to click a link and "mint" a fake NFT, which meant sending ETH and, in some cases, an existing NFT to "wrap" into a token. 

“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning. 

“We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.” 

"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack," the Nyoki’s tweet said. 

On the blockchain explorer Etherscan, two wallet addresses have been linked to the hacks and are now labelled Fake Phishing5519 and Fake Phishing5520. The 5519 wallet, which sent 19.85 ETH to the 5520 wallet, stole at least one Mutant Ape Yacht Club NFT (a BAYC offshoot by developer Yuga Labs) and quickly sold it. Early Friday morning, the second wallet sent 61 ETH ($211,000) to the mixing service Tornado Cash. That wallet's most recent transaction is a transfer of 0.6 ETH to an inactive wallet, which then forwarded the same amount to an extremely active wallet holding 1,447 ETH ($5 million), 6 million Tether ($6 million), and a variety of other tokens. 

This is not the first or last attack on crypto assets via Discord, which, while being a gaming-focused network, serves as a crucial hub for the great majority of projects. Crypto projects already have to deal with hacks that take advantage of smart contract flaws, but the fact that so many of them also run communities on Discord exposes them to frauds that exploit the platform itself. 

Several high-profile projects have already fallen prey to schemes that compromised the bots responsible for channel-wide announcements and pushed malicious websites in order to steal ETH, NFTs, or wallets.

Ola Finance: Attackers Stole $4.7M in 'Re-Entrancy' Exploit


According to a post-mortem report released by the developers, the decentralised lending platform Ola Finance was exploited for approximately $4.67 million in a "re-entrancy" attack on Thursday. 

Ola runs a decentralised finance (DeFi) platform that spans multiple blockchains, and the hack on Thursday targeted the Fuse network. DeFi refers to the use of smart contracts rather than third parties for financial services such as lending and borrowing. 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin, and 1,240,000.00 FUSE were taken from Ola's lending markets on the Fuse network. 

At current pricing, all of that is worth more than $4.67 million. The attack took advantage of a re-entrancy flaw involving the ERC677 token standard. Re-entrancy is a common class of bug in which a contract makes an external call that hands control to the caller before its own state has been updated, allowing the attacker to call back into the protocol repeatedly and drain assets. In this context, a "call" is a smart contract being permitted to interact with a user's wallet address. 

The attacker used a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance to execute the initial heist transaction. In subsequent transactions the attacker did not need a flash loan and instead used funds that had already been stolen, according to the post-mortem report. Voltage is a decentralised trading protocol for the Fuse network that enables automated trading of DeFi coins. 

Attackers were able to fool the lending contracts by transferring wrapped assets, which they obtained using flash loans (a type of short-term, uncollateralized borrowing), and making the smart contract send payments from the pool to the hacker's addresses during the transfer. According to Ola Finance, the attack could not be replicated on any of the other lending networks it supports. The developers stated, "We will investigate each token's 'transfer' logic to make sure no problematic token standards are in use." 
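The withdraw-during-transfer pattern described above, as an added illustration that is not Ola Finance's or Voltage's code: a hypothetical collateral pool holding an ERC677-style token (transferAndCall hands control to the receiving contract before the pool resumes), shown once in the re-enterable form and once hardened with checks-effects-interactions and a reentrancy lock. All contract and function names are assumptions.

```solidity
pragma solidity ^0.8.17;

// Hypothetical ERC677-style token: transferAndCall() hands control to a
// receiving contract via onTokenTransfer() before the caller resumes.
interface IERC677 {
    function transferAndCall(address to, uint256 value, bytes calldata data)
        external returns (bool);
}

// Shared bookkeeping: deposits arrive through the token's callback.
abstract contract PoolBase {
    IERC677 public immutable token;
    mapping(address => uint256) public collateral;

    constructor(IERC677 t) { token = t; }

    function onTokenTransfer(address from, uint256 value, bytes calldata) external {
        require(msg.sender == address(token), "unknown token");
        collateral[from] += value;
    }
}

// VULNERABLE: the token call (and the receiver's callback) runs before the
// balance is reduced, so a contract receiving the tokens can call withdraw()
// again while its old balance is still recorded.
contract VulnerablePool is PoolBase {
    constructor(IERC677 t) PoolBase(t) {}

    function withdraw(uint256 value) external {
        require(collateral[msg.sender] >= value, "insufficient collateral");
        token.transferAndCall(msg.sender, value, ""); // interaction first ...
        collateral[msg.sender] -= value;              // ... effect last: re-enterable
    }
}

// HARDENED: checks-effects-interactions plus a reentrancy lock. The balance
// is reduced before the external call, and any re-entry during it reverts.
contract HardenedPool is PoolBase {
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC677 t) PoolBase(t) {}

    function withdraw(uint256 value) external nonReentrant {
        require(collateral[msg.sender] >= value, "insufficient collateral");
        collateral[msg.sender] -= value;              // effect first
        require(token.transferAndCall(msg.sender, value, ""), "transfer failed");
    }
}
```

The audit point the developers describe, checking each token's transfer logic, is exactly whether a transfer can hand control to the recipient as transferAndCall does here; if it can, every state update in the pool must happen before that call.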

Meanwhile, Voltage stated it was in contact with third parties to track down the attacker and devise a method to compensate those who had been harmed.

PCI DSS Launches New Version to Tackle Cyber Security Threats

A new version of the PCI Data Security Standard (PCI DSS) has been published today by the PCI Security Standards Council (PCI SSC), the global payment security forum. Version 4.0 provides a baseline of operational and technical requirements designed to improve payment security, replacing version 3.2.1 to help combat emerging threats and technologies. The updates are also built to enable innovative methods of tackling these new threats. 

PCI SSC says these changes were motivated by feedback from the global payments industry over the past three years, including more than 6,000 items from over 200 organizations. The main changes in PCI DSS v4.0 include: the expansion of Requirement 8 to apply multi-factor authentication (MFA) to all access into the cardholder data environment; updated firewall terminology to "network security controls", supporting a wider range of technologies used to meet the security objectives previously fulfilled by firewalls; improved flexibility for enterprises to show how they are using different techniques to meet security objectives; and the addition of targeted threat analysis, which lets organizations decide how frequently they perform certain activities based on their own risk exposure and needs. 

The present version, v3.2.1, will remain active for two years, until March 31, 2024, giving organizations time to become familiar with v4.0 and implement the updates. PCI SSC has also released supporting documents alongside the updated standard in the PCI SSC Document Library. 

It includes the summary of changes from PCI DSS v3.2.1 to v4.0, v4.0 Report on Compliance (ROC) Template, ROC FAQs, and ROC Attestations of Compliance (AOC). Additionally, Self-Assessment Questionnaires (SAQs) will be posted in the future. “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard,” said Lance Johnson, executive director of PCI SSC.

Android's March 2022 Security Updates Patch 39 Vulnerabilities


This week Google announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android devices. The most severe is CVE-2021-39708, a remotely exploitable elevation of privilege in the System component. 

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation,” Google notes in its advisory. 

The first set of fixes arrives on devices as the 2022-03-01 security patch level and addresses CVE-2021-39708 along with 17 other bugs. 

According to the advisory, 10 security issues were resolved in the System component, nine of them elevation of privilege and one an information disclosure vulnerability. Six vulnerabilities were resolved in Framework, four elevation of privilege and two denial-of-service bugs. One further flaw was patched in Android runtime (elevation of privilege) and the last in Media Framework (information disclosure). 

Additionally, on Google Pixel devices the March 2022 Android security update resolves 21 flaws as part of the 2022-03-05 security patch level. That later patch level addresses all of these vulnerabilities along with 41 other security flaws in Kernel components (13 flaws), Pixel (26), Qualcomm components (1), and Qualcomm closed-source components (1). 

The March 2022 update with patch level 2022-03-05 is released for the Pixel 3a series, Pixel 4 series, Pixel 4a series, Pixel 5 and Pixel 5a; the Pixel 6 series update is delayed (again). The Pixel-specific update also covers additional vulnerabilities in the Pixel software, kernel, and both open and closed-source Qualcomm components. The build numbers are given below. 

Global builds:
Pixel 3a: SP2A.220305.012
Pixel 3a (XL): SP2A.220305.012
Pixel 4: SP2A.220305.012
Pixel 4 (XL): SP2A.220305.012
Pixel 4a: SP2A.220305.012
Pixel 4a (5G): SP2A.220305.012
Pixel 5: SP2A.220305.012
Pixel 5a (5G): SP2A.220305.012
Pixel 6: waiting
Pixel 6 Pro: delayed

UPI Turns Webless


While UPI has grown in popularity since its inception in 2016, it has yet to reach rural areas where smartphone ownership is low and internet access is spotty. Volumes should increase as more low-cost handsets connect to the UPI system, promoting financial inclusion. 

This could be the next great step for India's Unified Payments Interface (UPI). On Tuesday, Reserve Bank of India Governor Shaktikanta Das introduced UPI123Pay, a digital payment service that allows feature phone users to send money. They will be able to do almost everything that smartphone users can on this payment platform, with the exception of scan-and-pay, and no internet connection is needed. 

All that is required is a feature phone linked to a bank account, and funds can be sent to any other UPI user without the use of a credit card. This should significantly boost the use of India's home-grown platform for cashless transactions. 

UPI transfers have already increased as a result of the pandemic, with over 4.5 billion transactions worth over $8.3 trillion reported in February, up from just over 1.3 billion worth 2.2 trillion two years ago. The tally is expected to rise.

Tesla CEO Musk Issues Warning Regarding the Use of Starlink Terminals in Ukraine


Elon Musk, CEO of the electric vehicle manufacturer Tesla (TSLA) and chief of SpaceX, has issued a warning regarding the future of the Starlink satellite broadband service in Ukraine, given the current uncertainty in the country following the Russian invasion. 

In his warning message on Twitter, Elon Musk wrote that there is a high chance of the Starlink satellite internet service being targeted. It is worth noting that internet connectivity in Ukraine plummeted by 20% on 26 February, according to a report from Reuters. "Important warning: Starlink is the only non-Russian communications system still working in some parts of Ukraine, so probability of being targeted is high. Please use with caution," Musk tweeted. 

Elon Musk's SpaceX activated the Starlink internet service in Ukraine after the country's minister of digital transformation and first Vice Prime Minister, Mykhailo Fedorov, asked Musk to send Starlink stations because the Russian invasion had crippled the country's internet service considerably. 

The terminals, which resemble home satellite dishes, arrived in the country in less than 48 hours. Moreover, the technology is apparently working as advertised, and the Ukrainian government has thanked the Tesla CEO for his assistance. 

However, multiple skeptics claimed that Musk was using the invasion of Ukraine as a publicity stunt. One Twitter user asked if the technology could really be under threat of a Russian cyberattack. Musk replied that this had already happened to all Viasat Ukraine user terminals on the first day of the Russian invasion of Ukraine. 

Starlink antennas, which resemble home satellite television dishes, are not designed to be used while in motion, and it was not clear what Musk meant by the tweet, said Tim Farrar, a consultant in satellite communications. 

Musk's warning comes after John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab project, tweeted last week that Russian President Vladimir Putin controls the "air above", so that users' uplink transmissions become viable targets for airstrikes. 

Additionally, security researcher Nicholas Weaver from the University of California at Berkeley stated that every Ukrainian citizen using a Starlink device should consider Starlink a "potential giant target". That is because if Russia keeps a specialized plane aloft, it can easily detect the transmissions and target the location, putting the user at high risk.

Google TAG Takes Down Coordinated Influence Operation Spreading Fake Information


Google's Threat Analysis Group (TAG), in its latest published bulletin, provides an outline of the "coordinated influence operations" that its staff tracked in January 2022 involving multiple countries. 

According to Google TAG, four YouTube channels, two AdSense accounts, one Blogger blog, and six domains used to generate revenue by displaying advertisements were terminated as part of coordinated influence operations linked to Belarus, Moldova, and Ukraine. The campaign "was sharing content in English that was about a variety of topics including US and European current events," threat analysts explained. 

To mitigate the spread of misinformation, Google TAG terminated three YouTube channels responsible for uploading content in Arabic that was critical of former Sudanese president Omar al-Bashir and supportive of the 2019 Sudanese coup d'état. 

Additionally, Google TAG handled a relatively large "influence operation linked to China." In January, threat analysts terminated 4,361 YouTube channels for spreading Chinese spam content. A small number of these channels uploaded content in both English and Chinese concerning China and US foreign affairs. 

"We terminated 4361 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports," says Google. 

Furthermore, Google TAG has banned YouTube channels, AdSense accounts, and Play developer accounts belonging to influence campaigns linked to the politics and current affairs of Iraq, Turkey, and Libya. 

As the Russia-Ukraine conflict continues to escalate, Google has strengthened the safety measures for those in the region considered to be at higher risk of cyber attacks or attempted account compromise. This includes enabling two-factor authentication (2FA) and promoting the Advanced Protection Program. 

"Threat intel teams continue to look out for and disrupt disinfo campaigns, hacking, and financially motivated abuse, and are working with other companies and relevant government bodies to address these threats," Google said on Twitter. 

Last year, Google TAG blocked three YouTube channels used by Iranian attackers to publish content in Bosnian and Arabic condemning the actions of the U.S. and the People's Mujahedin Organization of Iran (PMOI), a militant organization fighting against the official Iranian government.

The Ministry of Finance Proposed to Test Russians Before Buying Cryptocurrencies


On February 18, the Ministry of Finance submitted a bill on the regulation of cryptocurrencies to the government. At the same time, public discussions began. On Monday, February 21, the agency published details of the document on its official website. 

According to the proposal of the Ministry of Finance, the use of digital currencies as a means of payment in Russia will continue to be prohibited. Instead, the Ministry of Finance suggests allowing cryptocurrencies only as a tool for investment. The bill defines the requirements for exchanges and exchangers that will deal with cryptocurrencies. 

Foreign cryptocurrency exchanges will have to register in Russia in order to obtain a license. The Ministry of Finance proposes to allow transactions with the purchase or sale of cryptocurrencies only if the client is identified. The deposit and withdrawal of cryptocurrencies will be possible only through banks using a bank account. 

Exchanges must inform citizens about the high risks associated with purchasing digital currencies. Citizens will undergo online testing before purchasing cryptocurrencies, which will determine the level of knowledge of the specifics of investing in digital currencies and awareness of possible risks. 

According to the official website of the Ministry of Finance, "with successful testing, citizens can invest up to 600 thousand rubles in digital currencies annually. If the testing is not passed, then the maximum amount of investment will be limited to 50 thousand rubles (about 0.015 bitcoins at the time of writing the news). Qualified investors and legal entities will make transactions without restrictions." 

The agency also proposes to consolidate the definition of digital mining as an activity aimed at obtaining cryptocurrency. The Ministry of Finance noted that they had received proposals from the Bank of Russia on the introduction of a ban on the organization of the issuance and circulation of digital currencies. 

Last week it became known that the Central Bank proposes to ban not only the organization of the issuance of cryptocurrencies and their circulation but also the dissemination of information about them. The Central Bank also proposes to prohibit banks and other financial market participants from owning private digital currencies. 

In addition, on February 18, the Central Bank proposed to introduce fines of up to one million rubles ($12,700) for the issuance of private cryptocurrency. If the bill is adopted, individuals may face fines of 300 thousand ($3,800) to 500 thousand ($6,300) rubles, and organizations from 700 thousand ($8,800) to one million rubles ($12,700). 

Earlier, CySecurity News reported that the Kremlin and the Russian government have estimated the Russian cryptocurrency market at $214 billion.