Exhume dead cryptocurrency exec who owes us $250 million, creditors demand

Stock photo of a gravedigging machine in front of a headstone.

In late January, the wife of a cryptocurrency-exchange founder testified that her husband inadvertently took at least $137 million of customer assets to the grave when he died without giving anyone the password to his encrypted laptop. Now, outraged investors want to exhume the founder’s body to make sure he’s really dead.

The dubious tale was first reported in February, when the wife of Gerry Cotten, founder of the QuadrigaCX cryptocurrency exchange, submitted an affidavit stating he died suddenly while vacationing in India, at the age of 30. The cause: complications of Crohn’s disease, a bowel condition that is rarely fatal. At the time, QuadrigaCX lost control of at least $137 million in customer assets because it was stored on a laptop that—according to the widow’s affidavit—only Cotten knew the password to.

Widow Jennifer Robertson testified that she had neither the password nor the recovery key to the laptop. The laptop, she said, stored the cold wallet—that is, a digital wallet not connected to the Internet—that contained the digital currency belonging to customers of the exchange. In addition to at least $137 million in digital coin belonging to more than 100,000 customers, another $53 was tied up in disputes with third parties, investors reported at the time.

Robertson had testified that she conducted “repeated and diligent searches” for the password but came up empty. She went on to say she hired experts to attempt to decrypt the laptop, but they too failed. One expert profiled Cotten in an attempt to hack the computer, but that attempt also came to nothing.

Questionable Circumstances

On Tuesday, The New York Times reported that the amount exchange clients were unable to access is now calculated to be $250 million. Meanwhile, law enforcement officials in both Canada—where QuadrigaCX is located—and in the United States are investigating potential wrongdoing, and investors are clamoring for proof Cotten is actually dead.

Lawyers representing exchange clients on Friday asked Canadian law enforcement officials to exhume his body and conduct an autopsy “to confirm both its identity and the cause of death,” the NYT said. The letter cited “the questionable circumstances surrounding Mr. Cotten’s death and the significant losses” suffered in the incident. The letter went on to ask that the exhumation and autopsy be completed no later than “spring of 2020, given decomposition concerns.”

Quadriga didn’t disclose Cotten’s death until January 14, in a Facebook post, more than a month after it was said to have occurred. The QuadrigaCX platform went down on January 28, leaving users with no way to withdraw funds they had deposited with the exchange. Clients have taken to social media ever since to claim the death and loss of the password were staged in an attempt to abscond with their digital coin.

Besides an investigation by the Supreme Court of Nova Scotia, the FBI is also conducting an investigation into the company in conjunction with the IRS, the US Attorney for the District of Columbia, and the Justice Department’s Computer Crime and Intellectual Property Section.

One of the investigations has already unearthed circumstances that some may find suspicious. According to the NYT, a report from Ernst & Young (an auditing firm hired by the Supreme Court of Nova Scotia) found that QuadrigaCX didn’t appear to have any “basic corporate records,” including accounting records. More concerning, the report said the exchange had transferred “significant volumes of cryptocurrency” into personal accounts held by Cotten on other exchanges. The report also documented the transfer of “substantial funds” to Cotten personally that had no clear business justification.

How the exhumation and autopsy would lead to the recovery of the missing cryptocurrency is not clear. But they might go a long way to confirming or debunking the claims Cotten died at the time and in the manner disclosed to QuadrigaCX customers.

QuadrigaCX and the case of the missing $250 million is the kind of event that would be unthinkable for most financial institutions. In the frothy and largely unregulated world of cryptocurrencies, such debacles are a regular if not frequent occurrence.

Dexphot malware uses fileless techniques to install cryptominer

Microsoft Corporation yesterday revealed its discovery of a polymorphic malware that uses fileless techniques to execute a cryptomining program on victimized machines.

Dubbed Dexphot, the malware was first observed in October 2018 when Microsoft detected a campaign that “attempted to deploy files that changed every 20 to 30 minutes on thousands of devices,” according to a blog post published yesterday by the Microsoft Defender ATP Research Team. At one point, on June 18, Microsoft saw reports of Dexphot-related malicious behavior in close to 80,000 machines, though that number dropped to under 10,000 by July 19.

Dexphot sports a complex attack chain that relies largely on legitimate processes (aka living off the land) to ultimately execute the payload. According to Microsoft, the process chain involves five files: an installer with two URLs, an MSI package file, a password-protected ZIP archive, a loader DLL, and an encrypted data file with three executables. These executables are loaded via process hollowing, a fileless technique that involves replacing the contents of a legitimate system process with malicious code.

According to Microsoft, Dexphot typically uses SoftwareBundler:Win32/ICLoader and its variants as an early-stage loader to drop and run the Dexphot installer. Additionally, the malware abuses msiexec.exe to install the MSI package file; unzip.exe to extract files from the ZIP archive; rundll32.exe for loading the loader DLL; and svchost.exe, tracert.exe and setup.exe for process hollowing. Other abused legit processes include schtasks.exe and powershell.exe.

The malware is polymorphic in a number of ways, Microsoft explains. The aforementioned MSI package can contain a varying mix of files, file names can differ, the passwords for extracting files can change, and the contents of each loader DLL can vary, as can the data found in the ZIP file. “Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot,” Microsoft states in its blog post.

Often, but not always, the MSI package contains an obfuscated batch file that checks for antivirus products, for an additional defense against detection.

To generate persistence, Dexphot relies on a pair of monitoring services — installed as executables during the process hollowing phase of the infection chain — to ensure that the malware is running smoothly. If any of Dexphot’s processes have been halted, the monitors force a re-infection via a PowerShell command. Dexphot also gains an additional layer of persistence by using schtasks.exe to set up scheduled tasks that routinely update the malware components.
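Because every file in the Dexphot chain changes, the durable signal is the process relationships the article describes: msiexec.exe spawning unzip.exe, which spawns rundll32.exe, which in turn launches svchost.exe, tracert.exe or setup.exe (the hollowing targets) and schtasks.exe for persistence. The script below is an added example, not Microsoft's detection logic or code from the original report: it runs simple parent-child rules over a constructed process-creation log (the line format, host names, PIDs, paths and the "Update" task name are all invented for the example) and reports which hosts show the chain.

```python
"""Hunt a process-creation log for a Dexphot-style living-off-the-land chain.

Added example. The log format below is constructed for this example and is not
Microsoft's telemetry format; the rules encode only the parent/child
relationships described in the article.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) ppid=(?P<ppid>\d+) pid=(?P<pid>\d+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')

# Processes the article names as process-hollowing targets.
HOLLOW_TARGETS = {"svchost.exe", "tracert.exe", "setup.exe"}
# svchost.exe is normally started by services.exe; anything else is unusual.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Constructed sample log: ws01 shows the full chain, ws02 is a clean host.
SAMPLE_LOG = """\
10:00:01 ws01 ppid=400 pid=512 image=explorer.exe cmd="explorer.exe"
10:00:05 ws01 ppid=512 pid=600 image=installer.exe cmd="installer.exe"
10:00:07 ws01 ppid=600 pid=610 image=msiexec.exe cmd="msiexec.exe /i C:\\Users\\Public\\pkg.msi /q"
10:00:09 ws01 ppid=610 pid=620 image=unzip.exe cmd="unzip.exe -P s3cret C:\\Users\\Public\\a.zip"
10:00:11 ws01 ppid=620 pid=630 image=rundll32.exe cmd="rundll32.exe C:\\Users\\Public\\loader.dll,Entry"
10:00:12 ws01 ppid=630 pid=640 image=svchost.exe cmd="svchost.exe"
10:00:13 ws01 ppid=630 pid=641 image=tracert.exe cmd="tracert.exe"
10:00:14 ws01 ppid=630 pid=642 image=schtasks.exe cmd="schtasks.exe /create /sc minute /mo 90 /tn Update /tr C:\\Users\\Public\\run.bat"
10:00:15 ws02 ppid=700 pid=710 image=services.exe cmd="services.exe"
10:00:16 ws02 ppid=710 pid=720 image=svchost.exe cmd="svchost.exe -k netsvcs"
"""


def parse(log_text):
    """Index every process-creation event by (host, pid)."""
    procs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        procs[(d["host"], int(d["pid"]))] = {
            "host": d["host"], "pid": int(d["pid"]), "ppid": int(d["ppid"]),
            "image": d["image"].lower(), "cmd": d["cmd"],
        }
    return procs


def ancestry(procs, proc):
    """Yield ancestor image names, nearest parent first, guarding against cycles."""
    seen = set()
    cur = procs.get((proc["host"], proc["ppid"]))
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur["image"]
        cur = procs.get((cur["host"], cur["ppid"]))


def hunt(log_text):
    """Return {host: [(rule_name, pid), ...]} for hosts that match any rule."""
    procs = parse(log_text)
    findings = defaultdict(list)
    for p in procs.values():
        parents = list(ancestry(procs, p))
        img = p["image"]
        # Rule 1: the msiexec -> unzip -> rundll32 loader chain.
        if img == "rundll32.exe" and parents[:2] == ["unzip.exe", "msiexec.exe"]:
            findings[p["host"]].append(("lotl_loader_chain", p["pid"]))
        # Rule 2: a hollowing target launched directly by rundll32.exe.
        if img in HOLLOW_TARGETS and parents[:1] == ["rundll32.exe"]:
            findings[p["host"]].append(("hollowing_candidate", p["pid"]))
        # Rule 3: svchost.exe whose parent is not services.exe.
        expected = EXPECTED_PARENT.get(img)
        if expected and parents[:1] != [expected]:
            findings[p["host"]].append(("unexpected_parent", p["pid"]))
        # Rule 4: scheduled-task persistence created from inside the chain.
        if (img == "schtasks.exe" and "/create" in p["cmd"].lower()
                and "rundll32.exe" in parents):
            findings[p["host"]].append(("schtasks_persistence", p["pid"]))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_LOG).items():
        print(host, hits)
```

Run against the constructed log, only ws01 is reported, with all four rules firing; ws02's svchost.exe is left alone because services.exe is its parent. In a real deployment the same rules map onto Sysmon Event ID 1 or EDR process-start events, and the parent-child relationship is what survives Dexphot's file-level polymorphism.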

“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time,” Microsoft concludes in its report. “Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers – yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”


Stantinko botnet’s monetization strategy shifts to cryptomining

The versatile Stantinko botnet that’s been targeting former Soviet nations since at least 2012 has added a Monero cryptomining module to its arsenal.

Stantinko historically has perpetrated click fraud, ad injections, social network fraud and brute-force password stealing attacks, primarily targeting Russia, Ukraine, Belarus and Kazakhstan. But this latest module, discovered by researchers at ESET, has been a major source of Stantinko’s monetization since at least August 2018, ESET malware analyst Vladislav Hrcka notes in a Nov. 26 company blog post.

Described by ESET as a “highly modified version of the xmr-stak open source cryptominer,” Stantinko’s mining module, dubbed CoinMiner.Stantinko, is so powerful that it can “exhaust most of the resources of the compromised machine.”

CoinMiner.Stantinko is divided into four parts. The main component performs the actual mining, while the remaining parts are designed to, respectively, kill the functionalities of previously installed miners, detect security software, and suspend mining activity if the battery is low or the task manager utility is detected.

Instead of directly communicating with its mining pool, CoinMiner.Stantinko uses proxies with IP addresses that are derived from the description texts of YouTube videos, ESET reports. The module finds these videos after receiving a video identifier in the form of a command-line parameter. (In earlier versions the video URL was hard-coded into the module.)

Communication with the proxies is encrypted with RC4 and takes place over TCP, the blog post continues. At the start of this communication, the code of the CryptoNight R hashing algorithm is downloaded from the proxy and loaded into memory.

“Downloading the hashing code with each execution enables the Stantinko group to change this code on the fly. This change makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies in order, perhaps, to mine the most profitable cryptocurrency at the moment of execution,” Hrcka explains. “The main benefit of downloading the core part of the module from a remote server and loading it directly into memory is that this part of the code is never stored on disk.”
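Since the hashing code is never written to disk, file scanning will not see the core of the miner; what a defender can observe is the bootstrap sequence described above: a process that is not a browser fetches a YouTube page and shortly afterwards opens a raw TCP connection to a literal IP address on a non-web port. The following script is an added example, not ESET's code or detection content: it correlates those two steps over a constructed network-telemetry log (the line format, host and process names, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are invented for the example) and reports the candidate proxy endpoints.

```python
"""Correlate YouTube fetches with follow-on raw TCP connections per process.

Added example. The log format, hosts, process names, addresses and the
60-second window are constructed assumptions, not values from ESET's report.
"""
import ipaddress
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d) (?P<host>\S+) proc=(?P<proc>\S+) '
    r'dst=(?P<dst>\S+) port=(?P<port>\d+)$')

# Browsers are expected to talk to YouTube; everything else is interesting.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
WEB_PORTS = {80, 443}
# How long after the YouTube fetch a raw TCP connection still counts as related.
WINDOW = timedelta(seconds=60)

# Constructed sample telemetry: ws07 shows the bootstrap pattern, ws08 does not
# (its two events are four minutes apart).
SAMPLE_LOG = """\
12:00:00 ws07 proc=chrome.exe dst=www.youtube.com port=443
12:00:03 ws07 proc=chrome.exe dst=i.ytimg.com port=443
12:00:10 ws07 proc=wmiprvse.exe dst=www.youtube.com port=443
12:00:14 ws07 proc=wmiprvse.exe dst=203.0.113.45 port=4444
12:05:00 ws08 proc=updater.exe dst=www.youtube.com port=443
12:09:00 ws08 proc=updater.exe dst=198.51.100.9 port=8080
"""


def is_literal_ip(value):
    """True when the destination is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hunt(log_text):
    """Return a list of {host, proc, proxy} dicts for correlated bootstrap events."""
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    last_youtube = {}  # (host, proc) -> time of the most recent YouTube contact
    hits = []
    for e in events:
        t = datetime.strptime(e["ts"], "%H:%M:%S")
        key = (e["host"], e["proc"].lower())
        if key[1] in BROWSERS:
            continue
        if e["dst"].lower().endswith("youtube.com"):
            last_youtube[key] = t
            continue
        port = int(e["port"])
        # Only raw TCP to an IP literal on a non-web port is a proxy candidate.
        if port in WEB_PORTS or not is_literal_ip(e["dst"]):
            continue
        seen = last_youtube.get(key)
        if seen is not None and t - seen <= WINDOW:
            hits.append({"host": e["host"], "proc": key[1],
                         "proxy": f'{e["dst"]}:{port}'})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

On the constructed log the only hit is wmiprvse.exe on ws07 reaching 203.0.113.45:4444 a few seconds after its YouTube fetch; ws08 falls outside the window. The window and port heuristics are tuning knobs: a shorter window reduces noise from legitimate software that happens to use YouTube and raw TCP, and pairing the hit with sustained CPU use from the same process is the natural second signal for a miner that can “exhaust most of the resources of the compromised machine.”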

According to ESET, YouTube removed the offending channels after it was alerted to the scam.

To remain stealthy and avoid detection, the actors behind CoinMiner.Stantinko removed certain strings and functions and heavily obfuscated the remainder. ESET notes that the module’s use of advanced obfuscation techniques is its most prominent feature.

“Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control,” Hrcka concludes. “This remotely configured cryptomining module, distributed since at least August of 2018 and still active at the time of writing, shows this group continues to innovate and extend its money-making capabilities.”


Judge allows suit against AT&T after $24 million cryptocurrency theft

An AT&T store in New Jersey. (Michael Brochstein/SOPA Images/LightRocket via Getty Images)

When Michael Terpin’s smartphone suddenly stopped working in June 2017, he knew it wasn’t a good sign. He called his cellular provider, AT&T, and learned that a hacker had gained control of his phone number.

The stakes were high because Terpin is a wealthy and prominent cryptocurrency investor. Terpin says the hackers gained control of his Skype account and tricked a client into sending a cryptocurrency payment to the hackers instead of to Terpin.

After the attack, Terpin asked AT&T to escalate the security protections on his phone number. According to Terpin, AT&T agreed to set up a six-digit passcode that must be entered before anyone could transfer Terpin’s phone number.

But the new security measures didn’t work. In January 2018, “an AT&T store cooperated with an imposter committing SIM swap fraud,” Terpin alleged in his August 2018 lawsuit against AT&T. The thieves “gained control over Mr. Terpin’s accounts and stole nearly $24 million worth of cryptocurrency from him.”

Terpin sued AT&T, seeking at least $24 million in actual damages and millions more in punitive damages. Terpin also asked the court to void terms in AT&T’s customer agreement that disclaim liability for security problems—even in cases of negligence by AT&T. Terpin argued that these boilerplate terms are unconscionable because customers never have an opportunity to negotiate them.

But AT&T asked the judge to dismiss the case, arguing that Terpin didn’t adequately explain how the phone hack led to the loss of his cryptocurrency. Terpin’s lawsuit provided no details about how Terpin had stored his cryptocurrency, how the hackers had gained access to it, or if they might have been able to carry out a similar attack without control of Terpin’s phone number. In any event, AT&T argued that it shouldn’t be held responsible for the misconduct of the hackers who actually carried out the theft of cryptocurrency.

A mixed ruling

On Thursday, Judge Otis Wright—a man we once depicted as a hulking green giant preparing to smash the copyright trolls at Prenda Law—issued a ruling that provided some reason for each side to celebrate.

Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin’s claimed $24 million loss.

However, Wright dismissed the claims with “leave to amend,” meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible.

At the same time, Wright allowed the case to move forward with Terpin’s arguments against AT&T’s one-sided customer agreement. Wright hasn’t yet voided the terms, but he found Terpin’s arguments on the issue plausible enough to let the case continue.

“We are pleased the court dismissed most of the claims,” AT&T said in an emailed statement. “The plaintiff will have the opportunity to re-plead but we will continue to vigorously contest his claims.”

This kind of phone hacking incident is of particular concern in the cryptocurrency world because of the non-reversibility of most virtual currencies. If a hacker steals funds from a conventional bank account, a fast-acting victim can usually get the transaction reversed and the funds restored. By contrast, if a hacker steals someone’s bitcoins, they’re likely to be gone permanently, since no one has the authority to cancel transactions once they’re committed to the blockchain.

As a result, cryptocurrency is much more of a “user beware” world than the conventional banking system. If you own a significant amount of cryptocurrency—and especially if you’re publicly known to have a significant amount of cryptocurrency—then it’s wise to store it in a way that doesn’t depend on the security of your phone number.

This Week in Security News: Consumer Data and Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.

Read on: 

Keys to Safeguarding Consumer Data in 2019

Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks. 

Linksys Partners with Trend Micro for Network Protection on Velop Wi-Fi Systems

Linksys and Trend Micro have partnered to deliver a security solution for home networks to give families an added layer of digital protection.

Collaborating with Law Enforcement to Tackle the Scourge of ATM Attacks

Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse. 

Report: Over 59,000 GDPR Data Breach Notifications, But Only 91 Fines

Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

MacOS Malware Poses as Adobe Zii, Steals Credit Card Info and Mines Monero Cryptocurrency

Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information. 

Auto Engineers Warn Your Car Might be Easier to Hack Than You Think

As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.

Managing Digital Footprints and Data Privacy

A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump are just the beginning for many of those whose data is included.

Just Two Hacker Groups are Behind 60% of Stolen Cryptocurrency

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

EU Orders Recall of Children’s Smartwatch Over Severe Privacy Concerns

For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.

Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
