QuadrigaCX, the largest bitcoin exchange in Canada, has claimed to have lost CAD 190 million (nearly USD 145 million) worth of cryptocurrency after the exchange lost access to its cold (offline) storage wallets.

Reason? Unfortunately, the only person with access to the company's offline wallet, the founder of the cryptocurrency exchange, is dead.

Following the sudden death of Gerry Cotten, founder and chief executive officer of QuadrigaCX, the Canadian exchange this week filed for legal protection from creditors in the Nova Scotia Supreme Court until it locates and secures access to the lost funds.

In a sworn affidavit filed by Cotten's widow Jennifer Robertson and obtained by Coindesk, Robertson said QuadrigaCX owes its customers some CAD 260 million (USD 198 million) in both cryptocurrencies, including Bitcoin, Bitcoin Cash, Litecoin, and Ethereum, and fiat money.

However, Robertson said the cryptocurrency exchange only has a smaller amount in a 'hot wallet' (USD 286,000), claiming that to protect its users' funds from hackers, the majority of coins were kept in a 'cold wallet', a physical device that is not connected to the internet, by Cotten, who died of Crohn's disease on December 9 in Jaipur, India.

According to the affidavit, the exchange's offline wallet holds roughly:

- 26,500 Bitcoin (USD 92.3 million)
- 11,000 Bitcoin Cash (USD 1.3 million)
- 11,000 Bitcoin Cash SV (USD 707,000)
- 35,000 Bitcoin Gold (USD 352,000)
- 200,000 Litecoin (USD 6.5 million)
- 430,000 Ether (USD 46 million)

Cotten was the only person who had the private keys to the wallet, according to Robertson, and no other member of the team, including herself, has the password to decrypt it.
“For the past weeks, we have worked extensively to address our liquidity issues, which include attempting to locate and secure our very significant cryptocurrency reserves held in cold wallets, and that are required to satisfy customer cryptocurrency balances on deposit, as well as sourcing a financial institution to accept the bank drafts that are to be transferred to us. Unfortunately, these efforts have not been successful,” reads a message posted on the QuadrigaCX website, which is down.

Exit Scam? Researchers Believe QuadrigaCX Never Had $100 Million

Some users and researchers have been doubtful of the exchange's claims, with a leading cryptocurrency researcher claiming that QuadrigaCX never had access to such a pool of funds and was probably lying about having cold wallet reserves, suggesting the incident could be an exit scam.

Crypto Medication, a researcher and data analyst, performed an in-depth blockchain analysis of QuadrigaCX's Bitcoin holdings by examining TX IDs, addresses, and coin movements, and concluded that “there is no identifiable cold wallet reserves for QuadrigaCX.”

“The number of bitcoins in QuadrigaCX's possession is substantially less than what was reported in Jennifer Robertson's affidavit, submitted to the Canadian courts on January 31st, 2019,” the researcher wrote. “At least some of the delays in delivering crypto withdrawals to customers were due to the fact that QuadrigaCX simply did not have the funds on hand at the time. In some cases, QuadrigaCX was forced to wait for enough customer deposits to be made on the exchange before processing crypto withdrawal requests by their customers.”

Some other people are also reporting that the movement of some of the funds in question after the case was publicized, and the strange circumstances of Cotten's death, suggest that his death is either faked or the pretext for an exit scam by parties with access to the funds, according to CCN.
“The people trying to pull off a QuadrigaCX exit scam could actually be the family and other employees, by hiding the fact that the cold wallet keys are known,” bitcoin analyst Peter Todd said. “Not saying this is happening, but need to consider all possibilities fairly in the investigation.”

A bankruptcy hearing for the cryptocurrency exchange is scheduled for February 5 at Nova Scotia Supreme Court, with international accounting firm Ernst and Young Inc. to be appointed as an independent monitor.

However, if the exchange has indeed placed its cryptocurrency in a now-inaccessible physical device, it is likely that thousands of its users will never be able to recover their funds and investments.
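The failure described above is a single custodian holding the only copy of a wallet key. One standard mitigation is threshold custody: split the key with Shamir secret sharing so that any k of n officers can reconstruct it while fewer than k learn nothing. The following is an added example, not code from QuadrigaCX or any wallet product; the key bytes are constructed and the function names are the example's own.

```python
"""Threshold custody of a wallet key with Shamir secret sharing over GF(p).

Added example (not QuadrigaCX's code). A random polynomial of degree
threshold-1 has the key as its constant term; each custodian receives one
point on it, and any `threshold` points recover the constant term by
Lagrange interpolation at x = 0. Fewer points leave every key value
equally likely.
"""
import secrets

# Mersenne prime 2^521 - 1: larger than any 256-bit key, so a key read as
# an integer is always a valid field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret_bytes, threshold, shares):
    """Split secret_bytes into `shares` (x, y) points; any `threshold` rebuild it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(secret_bytes, "big")
    if secret >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the key; the remaining coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def _interpolate_at_zero(shares):
    """Lagrange interpolation at x = 0 from the given (x, y) points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_secret(shares, length):
    """Rebuild the key bytes from at least `threshold` distinct shares."""
    return _interpolate_at_zero(shares).to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed stand-in for a wallet key
    parts = split_secret(key, threshold=3, shares=5)
    assert recover_secret(parts[:3], 32) == key
    print("3-of-5 custody: any three custodians can rebuild the key")
```

With two of three shares the interpolation returns an unrelated field element, which is the property that protects the key if one custodian's share is lost or leaked.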
Researchers say they have identified the threat actor behind the massive “Collection #1” data dump which exposed hundreds of millions of credentials on a hacking forum in January.

Recorded Future researchers said this weekend that an individual using the moniker “C0rpz” has claimed as early as Jan. 7 to be the original creator and seller of the Collection #1 data. The original database of breached emails, totaling 773 million unique email addresses, was discovered on a popular underground hacking forum on Jan. 17.

Multiple threat actors came forth after the data dump claiming to be the main seller of the compromised credentials, including a threat actor called “Clorox” as well as a forum member, “Sanix,” who was reportedly re-selling the credentials. However, based on the timeline of these claims, researchers assess with “moderate confidence” that C0rpz is the true main distributor who assembled and sold the massive trove of data.

“Sanix was the individual identified by Brian Krebs… and our analysis confirmed that this is the same individual who attempted to sell the database originally created by C0rpz,” researchers said. “Sanix has since been banned from the forum, and C0rpz has posted links to MEGA sharing Collection #1 free of charge to the community.”

In addition to “C0rpz,” researchers pointed to another actor from a “well-known Russian hacking forum,” who was also observed sharing a large database of 100 billion user accounts, which possibly has some of the same data sets found in Collection #1. The actor posted both a (peer-to-peer) magnet link and a direct download link to a database containing 100 billion user accounts hosted on a personal website on Jan. 10.

“The following week, the actor made clear that the data dump referenced in Troy Hunt's article was included in their dump as well,” researchers said.
Massive Data Dump

Troy Hunt was first alerted to the cache, which totals 87 GB of data, in January after it was spotted being hosted on the MEGA cloud service. The data, which has since been removed, was organized into 12,000 separate files under a root folder called “Collection #1”, which is how it got its name.

But as it turns out, Collection #1 was only a fraction of a larger amount of leaked credentials. Last week, researchers at the Hasso Plattner Institute in Potsdam, Germany discovered another new trove of stolen data equaling 845 GB and 25 billion records in all (611 million credentials after de-duping). The latest data dump, dubbed “Collection #2-5”, contained roughly three times as many unique records as Collection #1.

In fact, the entire set of compromised credentials totaled 993.53 GB of data, including addresses, cell phone numbers, and passwords, and is made up of the following sets:

- “ANTIPUBLIC #1” (102.04 GB)
- “AP MYR & ZABUGOR #2” (19.49 GB)
- “Collection #1” (87.18 GB)
- “Collection #2” (528.50 GB)
- “Collection #3” (37.18 GB)
- “Collection #4” (178.58 GB)
- “Collection #5” (40.56 GB)

Moving forward, researchers warned that the impact of this massive trove of data will continue to be felt, and urged potential victims to reset their passwords.

“Recorded Future assesses with high confidence that the database Collection #1 and its variations will continue to be shared among dark web communities and incorporated in credential-stuffing attacks from various threat actors,” according to researchers.

For impacted victims, the massive seven-database dump on the Dark Web could be used for credential stuffing attacks or phishing attacks targeting exposed email addresses and phone numbers, researchers said.

“The emails and associated passwords were, unfortunately, made readily available to cybercriminals, who can now wreak havoc on the daily lives of the victims,” Terry Ray, senior vice president at Imperva, said in an email.
“Armed with the recent and past credentials, hackers could access consumers' data, troll social media platforms to spread propaganda, cash in on hard-earned airline miles, sell contact data for spammers and even access bank accounts.”
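The researchers' warning above is that leaked email/password pairs get replayed in credential-stuffing attacks. On the defending side, such replay has a recognisable shape in authentication logs: one source trying many distinct accounts with a high failure rate, unlike a legitimate user retrying one account. The following detector is an added example, not Recorded Future's or Imperva's code; the log format and the sample lines are constructed for the example.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example (not the researchers' code). Assumed constructed log format:
"<ISO timestamp> src=<ip> user=<account> result=OK|FAIL". A stuffing
source replays leaked pairs across many accounts, so within a short
window it touches many distinct users and mostly fails; any OK from a
flagged source marks an account whose leaked password still works.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: 203.0.113.7 sprays six accounts in six seconds and
# lands one hit; 198.51.100.4 is one user mistyping their own password.
SAMPLE_LOG = """\
2019-02-04T10:00:00Z src=203.0.113.7 user=alice@example.com result=FAIL
2019-02-04T10:00:01Z src=203.0.113.7 user=bob@example.com result=FAIL
2019-02-04T10:00:02Z src=203.0.113.7 user=carol@example.com result=FAIL
2019-02-04T10:00:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2019-02-04T10:00:04Z src=203.0.113.7 user=erin@example.com result=FAIL
2019-02-04T10:00:05Z src=203.0.113.7 user=frank@example.com result=OK
2019-02-04T10:01:00Z src=198.51.100.4 user=bob@example.com result=FAIL
2019-02-04T10:01:20Z src=198.51.100.4 user=bob@example.com result=FAIL
2019-02-04T10:01:45Z src=198.51.100.4 user=bob@example.com result=OK
"""


def parse(lines):
    """Yield (timestamp, src, user, success) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"


def find_stuffing(lines, window=timedelta(minutes=5), min_users=5,
                  min_fail_ratio=0.8):
    """Return {src: {"attempts", "users", "failures", "hits"}} for sources
    that, inside some `window`, try >= min_users distinct accounts with a
    failure ratio >= min_fail_ratio. "hits" lists accounts that succeeded
    from that source, i.e. the ones to reset first."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(lines):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[src] = {
                    "attempts": len(events),
                    "users": len({u for _, u, _ in events}),
                    "failures": sum(1 for _, _, ok in events if not ok),
                    "hits": sorted(u for _, u, ok in events if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```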
Just because an app is available on the Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers.

Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make their way onto the Google Play Store and had been downloaded more than 4 million times before Google removed them from its app store.

The mobile apps in question were disguised as photo editing and beauty apps purporting to use your mobile phone's camera to take better pictures or beautify the snaps you shoot, but were found to include code that performs malicious activities on users' smartphones.

Three of the rogue apps, Pro Camera Beauty, Cartoon Art Photo and Emoji Camera, have been downloaded more than a million times each, with Artistic Effect Filter installed over 500,000 times and another seven apps on the list over 100,000 times.

Once installed, some of these apps push full-screen advertisements for fraudulent or pornographic content on the victim's device every time the infected phone is unlocked, and some even redirect victims to phishing sites in an attempt to steal their personal information by tricking them into believing they have won a contest.

29 Fake Android Apps – Ones to Look Out For

Another group of camera apps that were specifically meant to beautify photos were actually found to include malicious code that uploads the user's photos to an external remote server controlled by the app maker. However, instead of displaying a final result with the edited photo, the app serves users a fake update prompt in nine different languages which leads, again, to a phishing site.

“The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media,” Trend Micro researchers wrote in a blog post.
In an attempt to hide their activities, some of these apps used various methods, including hiding the app icon from the drawer/launcher, which makes it more difficult for regular users to spot and uninstall the offending apps.

After being made aware of the malicious apps, Google removed them from its Play Store, but this is unlikely to prevent malicious apps from plaguing the Android app store in the future. Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day, and spotting them on the Google Play Store doesn't come as a surprise.

The best way to prevent yourself from falling victim to such fishy applications in the future is always to download apps from trusted brands only, even when downloading from the official app store. Moreover, look at the app reviews left by other users before downloading any app and avoid those that mention any suspicious behavior or unwanted pop-ups after installing. Last but not least, always keep a good antivirus app on your Android device that can detect and block such malicious activities before they can infect your device, and keep it up to date.
LAS VEGAS — A backdoor trojan dubbed “SpeakUp” has been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it's poised for a major offensive involving a vast number of infected hosts, potentially worldwide.

According to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far, in what could be the foundation for a very formidable botnet.

SpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services; and it doesn't stop at Linux: it also has the ability to infect MacOS devices.

Oded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. And, he said that since this software can be deployed on virtual servers, all cloud infrastructure is also prone to be affected. The trojan itself can affect all Linux distributions and MacOS.

Infection Routine

The initial infection vector starts with targeting a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques for uploading a PHP shell that serves and executes a Perl backdoor. The routine is heavily obfuscated: using a GET request, exploit code is sent to the targeted server. The resulting uploaded PHP shell then sends another HTTP request to the targeted server, with a standard injection function that pulls the ibus payload and stores it. The payload execution is then kicked off using an additional HTTP request.
That executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.

After registering the victim machine with the C2, Check Point analysts found that SpeakUp continuously asks for new tasks on a fixed-interval basis of every three seconds. The C2 can say “no task”, or it can tell it to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.

“The beauty is that the threat actor has a foothold on any infected server,” Vanunu said. “Which means he can adapt new future vulnerabilities, and deploy the new code, which will attempt exploit further using new techniques. If the threat actor decides to implement some more infection techniques the number of bots could easily scale up.”

The campaign would be immediately scaled as well, since a threat actor would be able to download a piece of malware to all infected hosts at once. “The infected hosts are checking the C2 server for new commands every three minutes,” said Vanunu. “The threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,” he added.

Highly Sophisticated Propagation

SpeakUp also comes equipped with a handy propagation script written in Python; its main functions are brute-forcing administrative panels using a pre-defined list of usernames and passwords, and scanning the network environment of the infected machine. For the latter function, it checks for the availability of specific ports on servers that share the same internal and external subnet mask. The idea is to scan and infect more vulnerable Linux servers within its internal and external subnets, using a full bag of exploits.
To spread, SpeakUp's propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; an Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).

[Figure: SpeakUp's daily infection rate]

“A successful exploitation of one of the vulnerabilities will result in deploying the original ibus script on the exploited server,” according to Check Point's analysis, which added that it also has the capability to infect Macs.

A Bigger Threat in the Making?

Right now, the observed file downloads that the backdoor is dropping are simple Monero-mining scripts. However, SpeakUp's authors have the ability to download any code they want to the servers. Check Point analysts said that the mining code could be a sort of beta test ahead of a much more concerning malware drop to come.

“At the moment SpeakUp serves XMRig miners to its listening infected servers,” according to the research. According to XMRHunter, the wallets hold a total of around 107 Monero coins right now, which is small potatoes in the grand scheme of things.

“SpeakUp's obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making,” according to the analysis. “It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive.
It has the ability to scan the surrounding network of an infected server and distribute the malware.”

SpeakUp has no detections in VirusTotal. The initial victims have been in Eastern Asia and Latin America, but researchers believe that the U.S. could be the next target, if not the rest of the world.

Given the impressive propagation tactics, a non-existent detection rate on VirusTotal, and the fact that the threat surface contains servers that run the top sites on the internet, SpeakUp could end up being a very big deal, researchers said: “This campaign, while still relatively new, can evolve into something bigger and potentially more harmful…[and] at the time of writing this article, it has no detections in VirusTotal.”

Attribution

While the exact identity of the threat actor behind this new attack is still unconfirmed, it's clear that it's someone or a group with plenty of malware-authoring chops.

“While currently we've spotted a cryptocurrency mining payload, the most notable aspect is the spreading abilities demonstrated in the code,” Vanunu told Threatpost. “Not only was this highly obfuscated, the variety of exploits used could potentially mean we have a highly skilled threat actor behind it.”

Check Point researchers were able to correlate SpeakUp's author with a possibly Russian-speaking malware developer under the name of Zettabit. “Although SpeakUp is implemented differently [than Zettabit's other code], it has a lot in common with Zettabit's craftsmanship,” according to the analysis.

In terms of what links Zettabit to this malware, “we've read all of his Hack Forums posts and Github projects, so this avatar definitely knows his way around botnets,” Vanunu told Threatpost. “He even released a free example of botnet code for anyone to use. And while researching, we've identified two unique strings that were mentioned and used by Zettabit himself a couple of times in the past.”

_This story was updated at 2:23 p.m. ET on February 4 to reflect additional details from the researchers._
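The one behaviour the article pins down precisely is the C2 polling loop: an infected host asks for tasks at a fixed interval (three seconds per the analysis). Fixed-interval, low-jitter connections to a single destination are how such beaconing is spotted in proxy or flow logs regardless of the payload, which matters given the zero VirusTotal detections the article reports. The following detector is an added example, not Check Point's code; the log format, host names and destination domain are constructed for the example.

```python
"""Flag fixed-interval C2 polling (beaconing) in outbound connection logs.

Added example (not Check Point's code). Constructed log line format:
"<epoch_seconds> <src_host> <dst_domain>". For every (src, dst) pair the
gaps between consecutive connections are measured; a pair with enough
connections whose gaps have a coefficient of variation (stdev / mean) near
zero is a timer, not a person.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample: web01 polls c2.example.net every ~3 s with a few tens
# of milliseconds of jitter; web02 fetches a CDN at irregular intervals.
SAMPLE_LOG = """\
1549290000.00 web01 c2.example.net
1549290003.01 web01 c2.example.net
1549290005.99 web01 c2.example.net
1549290009.00 web01 c2.example.net
1549290012.02 web01 c2.example.net
1549290014.98 web01 c2.example.net
1549290001.00 web02 cdn.example.org
1549290004.50 web02 cdn.example.org
1549290030.00 web02 cdn.example.org
1549290031.20 web02 cdn.example.org
1549290095.70 web02 cdn.example.org
1549290096.10 web02 cdn.example.org
"""


def find_beacons(lines, min_hits=5, max_jitter=0.1):
    """Return {(src, dst): (hits, median_gap_s, jitter)} for pairs with at
    least `min_hits` connections and inter-arrival jitter <= max_jitter."""
    times = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue               # skip malformed lines
        ts, src, dst = parts
        times[(src, dst)].append(float(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue               # duplicate timestamps, nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[key] = (len(stamps), round(median(gaps), 2), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (hits, gap, jitter) in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: {hits} connections every {gap}s (jitter {jitter})")
```

On real traffic, add an allow-list for known keep-alive destinations (monitoring agents, package mirrors) before alerting, since those also poll on timers.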
A 20-year-old college student who stole cryptocurrency worth more than $5 million by hijacking victims' phone numbers has pleaded guilty and accepted a sentence of 10 years in prison.

Ortiz was arrested last year on charges of siphoning millions of dollars in cryptocurrency from around 40 victims using a method commonly known as “SIM swapping,” which typically involves fraudulently porting the victim's phone number to a new SIM card belonging to the attacker.

In SIM swapping, attackers social engineer a victim's mobile phone provider by making a phony call posing as their target and claiming that their SIM card has been lost and that they would like to request a SIM swap. The attackers attempt to convince the target's telecommunications company that they are the actual owner of the phone number they want to swap by providing the required personal information on the target, like their SSN and address, eventually tricking the telecom into porting the target's phone number over to a SIM card belonging to the attackers.

Once successful, the attackers essentially gain access to their target's mobile phone number, with which they can obtain one-time passwords, verification codes, and two-factor authentication codes in order to reset passwords for and gain access to the target's social media, email, bank, and cryptocurrency accounts.

SIM swapping has grown increasingly popular among cybercriminals over the past year, and Joel Ortiz, a California man, is the first person to receive jail time for this crime, after pleading guilty to stealing more than $5 million in cryptocurrency from 40 victims, according to Motherboard.

Rather than facing trial and severe consequences imposed by a jury, Ortiz chose to accept a plea deal for 10 years last week, according to Deputy District Director Eric West of Santa Clara County, California. However, the official sentencing of Ortiz is set to take place on March 14th.
There are more pending cases in court wherein defendants stole millions of dollars worth of cryptocurrency using SIM swapping. One of the defendants, Dawson Bakies, accused of stealing the identities of and funds from more than 50 victims in the United States through SIM swapping, has been indicted by Manhattan's District Attorney (DA). The 20-year-old Ohio man has been arrested and charged with identity theft, grand larceny, computer tampering and scheme to defraud, among other charges.

Over the past year, federal authorities around the world have begun a crackdown on cryptocurrency-related crime. A year ago, feds arrested a group of nuclear engineers in Russia after they were caught using supercomputers to mine Bitcoin.
By Zehra Ali

Open the Internet and your screen will be flooded with hacking news and exploits carried out through the use of sophisticated techniques. It is not uncommon to land on news reports of millions of compromised Internet devices. These stories emerge not merely because of the hacker's expertise, although this plays a large part. Just as crucial is the lack […]

This is a post from HackRead.com. Read the original post: Top 10 Best Antivirus software for 2019
By Waqas

It hasn't even been 15 days since details of the world's biggest online private data dump were discovered by security researchers, and now its second “installment” has been posted online. As per the report from Heise.de, a German-language website, the first collection, which was published on January 17 and dubbed Collection #1, had approx. 770 […]

This is a post from HackRead.com. Read the original post: World's largest data dump surfaces on web with 2.2 billion accounts
Data Privacy Notice

- All product names, logos, and brands are property of their respective owners.
- The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- Content syndication and aggregation of public information is solely for the purpose of identifying information security trends; all syndicated content contains source links to the content creator's website. All content is owned by its respective content creators.
- If you are an owner of some content and want it to be removed, please email email@example.com