More stories

    Report: $2.2 billion in cryptocurrency stolen from DeFi platforms in 2021

    Blockchain data platform Chainalysis has released a new report on cryptocurrency crime trends, finding that $14 billion in cryptocurrency was sent to illicit addresses in 2021, nearly double the figure seen in 2020. 

    Chainalysis data shows that about $2.2 billion was outright stolen from DeFi protocols in 2021. As of 2022, Chainalysis estimated that illicit addresses currently hold at least $10 billion worth of cryptocurrency, with most held by wallets implicated in cryptocurrency theft, darknet markets and scams.

    Digging deeper into the figures, Chainalysis researchers found that cybercriminals brought in 82% more in revenue from scamming last year, raking in $7.8 billion in cryptocurrency from victims. Within that $7.8 billion, Chainalysis discovered $2.8 billion that came from a scam they call “rug pulls.” In these scams, developers create seemingly legitimate cryptocurrency projects before stealing investor money and disappearing. The $2.8 billion doesn’t even take into account the user losses associated with the plummeting value of fake DeFi tokens and only counts the investor funding that was taken. Almost all of the $2.8 billion stolen in 2021 came from Thodex, a fraudulent centralized exchange that tanked when the CEO stopped users from withdrawing funds and disappeared. Chainalysis tracked several other DeFi projects that ended up being rug pulls.

    “We believe rug pulls are common in DeFi for two related reasons. One is the hype around the space. DeFi transaction volume grew 912% in 2021, and the incredible returns on decentralized tokens like Shiba Inu have many excited to speculate on DeFi tokens,” Chainalysis said. “At the same time, it’s very easy for those with the right technical skills to create new DeFi tokens and get them listed on exchanges, even without a code audit. Many investors could likely have avoided losing funds to rug pulls if they’d stuck to DeFi projects that have undergone a code audit – or if DEXes required code audits before listing tokens.”

    Another big chunk of illicit cryptocurrency activity came from outright theft, which grew 516% in 2021 compared to the previous year.

    Chainalysis found that about $2.2 billion of the $3.2 billion worth of cryptocurrency stolen in 2021 came from DeFi protocols. The startling numbers far exceed the figures seen in 2020, when about $162 million in cryptocurrency was taken from DeFi platforms. That represents a 1,330% year-over-year increase for 2021. Chainalysis said many of the headline-grabbing attacks on DeFi exchanges over the last year “can be traced back to errors in the smart contract code governing those protocols, which hackers exploit to steal funds.”

    “We’ve also seen significant growth in the usage of DeFi protocols for laundering illicit funds, a practice we saw scattered examples of in 2020 and that became more prevalent in 2021. DeFi protocols saw the most growth by far in usage for money laundering at 1,964%,” Chainalysis explained. “In the longer term, the industry may also need to take more drastic steps to prevent tokens associated with potentially fraudulent or unsafe projects from being listed on major exchanges.”

    The attack on DeFi protocol Grim Finance at the end of December capped a whirlwind year for DeFi hacks. A week before the attack on Grim Finance, more than $77 million was stolen from AscendEX. Days before that, blockchain gaming company Vulcan Forged said around $140 million had been stolen from its users. Crypto trading platform BitMart suffered a devastating attack that caused about $200 million in losses. In November, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform. Other attacks have involved platforms like Liquid, EasyFi, bZx, and many others.

    Chainalysis noted that cryptocurrency transactions involving illicit addresses represented just 0.15% of all cryptocurrency transaction volume in 2021, but the company added that the $14 billion figure is likely to increase as it finds more addresses tied to criminal activity. The 2020 figure grew from 0.34% to 0.62% of all cryptocurrency transactions after Chainalysis continued to dig.

    “Cryptocurrency usage is growing faster than ever before. Across all cryptocurrencies tracked by Chainalysis, total transaction volume grew to $15.8 trillion in 2021, up 567% from 2020’s totals. Given that roaring adoption, it’s no surprise that more cybercriminals are using cryptocurrency. But the fact that the increase was just 79% — nearly an order of magnitude lower than overall adoption — might be the biggest surprise of all,” the report said, explaining that “illicit activity’s share of cryptocurrency transaction volume has never been lower.”

    The report adds that law enforcement has been able to increase its foothold in the cryptocurrency world in recent months. Chainalysis, which works with a number of law enforcement and government agencies, noted that the IRS Criminal Investigations announced that it seized over $3.5 billion worth of cryptocurrency in 2021 — all from non-tax investigations.

    Log4j flaw hunt shows how complicated the software supply chain really is

    Open source software is everywhere now, but the Log4j flaw that affects Java enterprise applications is a reminder of what can go wrong in the complicated modern software supply chain.

    The challenge with the Log4j flaw (also known as Log4Shell) is not only that admins need to patch the flaw — which got a ‘critical’ rating of 10 out of 10 — but that IT staff can’t easily discover whether a product or system is affected by the vulnerability in the component. Google has calculated that approximately 17,000 Java packages in the Maven Central repository – the most significant Java package repository – contain the vulnerable log4j-core library as a direct or transitive dependency. Security firm JFrog has now found more by identifying additional packages containing the Log4j vulnerability that would not be detected through dependency scanning — that is, packages containing vulnerable Log4j code within the artefact itself.

    JFrog found that, overall, direct inclusion of Log4j code in artefacts is not as common as the use of Log4j through dependencies. However, it still adds up to hundreds of packages – around 400 – which directly include Log4j code, opening these packages to Log4j vulnerabilities. “In more than half of all cases (~65%), Log4j code is included as classes directly (i.e. direct inclusion / shading), in contrast to including complete Log4j .jar files (i.e. fat jar), which is typically how it is presented in the remainder of cases. These numbers indicate that tools looking for complete .jar files only will miss most of the cases where Log4j is included directly,” it said.

    The bug is a reminder of why Microsoft and Google are ploughing dollars into projects that bolster the security of open source software projects, which are the backbone of today’s internet infrastructure. Previous research shows that the vast majority of software flaws are found in software libraries or dependencies.

    The severity of the bug means admins would be well served by investigating all Java applications that may include Log4j code. Microsoft has released scanning tools to detect vulnerable Windows and Linux systems, applications and devices, and JFrog offers one more option. JFrog emphasizes that its scanning reaches the included code rather than just the fact that a version of the software library is present. “The reason that scanning the full dependencies list may miss instances of included Log4j code is because dependencies only specify external packages needed to build or run the current artefact. If the vulnerable code is inserted directly into the codebase, it is not a dependency. Therefore, for more precise detection of vulnerable Log4j code, we need to inspect the code itself,” the company notes in a blogpost. The research highlights how vulnerable today’s IT systems are to attacks on the software supply chain.

    The importance of the Java programming language can’t be overstated. It remains one of the world’s most widely used languages and is the go-to language for enterprise, and its ecosystem includes projects like Microsoft’s implementation of OpenJDK. Microsoft uses Java in Azure, SQL Server, Yammer, Minecraft, and LinkedIn.
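To make the distinction JFrog draws concrete, here is an added example (not JFrog’s or Microsoft’s tool) that inspects a Java artefact’s contents rather than its dependency list: it reports Log4j core classes unpacked directly into the archive (shading) separately from a complete log4j-core jar nested inside a fat jar, and notes whether JndiLookup.class is present. The sample jars are constructed in memory with placeholder class bodies; the class paths are assumed to follow Log4j 2’s package layout.

```python
import io
import zipfile

# Package path of Log4j 2's log4j-core (the artefact carrying the vulnerable
# code); JndiLookup is the class behind the JNDI lookup in CVE-2021-44228 and
# the one many mitigations delete from the jar.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"


def scan_jar_bytes(data, location="<root>", depth=0, max_depth=5):
    """Look at the archive contents, not its dependency metadata.

    Returns a list of (location, how, jndi_lookup_present) tuples where
    `how` is "shaded" when Log4j core classes are unpacked straight into the
    artefact and "nested-jar" when a complete log4j-core jar is bundled
    inside it (a fat jar).  Nested jars are opened recursively.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip/jar at all; nothing to inspect
    with zf:
        names = set(zf.namelist())
        core_classes = [n for n in names
                        if n.startswith(LOG4J_CORE_PREFIX) and n.endswith(".class")]
        if core_classes:
            how = "shaded" if depth == 0 else "nested-jar"
            findings.append((location, how, JNDI_LOOKUP_CLASS in names))
        if depth < max_depth:
            for n in sorted(names):
                if n.endswith(".jar"):
                    findings.extend(scan_jar_bytes(
                        zf.read(n), f"{location}!{n}", depth + 1, max_depth))
    return findings


def build_jar(entries):
    """Build an in-memory jar from {path: bytes}.  Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def sample_artefacts():
    """Three constructed artefacts; class bodies are empty placeholders."""
    log4j_core_jar = build_jar({
        "org/apache/logging/log4j/core/Logger.class": b"",
        JNDI_LOOKUP_CLASS: b"",
    })
    return {
        # Log4j core classes copied directly into the application archive.
        "shaded-app.jar": build_jar({
            "com/example/App.class": b"",
            "org/apache/logging/log4j/core/Logger.class": b"",
            JNDI_LOOKUP_CLASS: b"",
        }),
        # Whole log4j-core jar bundled under lib/ (fat jar).
        "fat-app.jar": build_jar({
            "com/example/App.class": b"",
            "lib/log4j-core.jar": log4j_core_jar,
        }),
        # Only the log4j-api package is present; no core code, so no finding.
        "clean-app.jar": build_jar({
            "com/example/App.class": b"",
            "org/apache/logging/log4j/LogManager.class": b"",
        }),
    }


def scan_all(artefacts):
    """Map artefact name -> findings, for a directory-style sweep."""
    return {name: scan_jar_bytes(data, name) for name, data in artefacts.items()}


if __name__ == "__main__":
    for name, found in scan_all(sample_artefacts()).items():
        for loc, how, jndi in found:
            print(f"{name}: log4j-core found ({how}) at {loc}; JndiLookup present: {jndi}")
```

Neither sample carries a dependency declaration, which is the point: a scanner that reads only pom.xml or build metadata sees nothing, while content inspection flags both the shaded and the fat-jar case.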

    This sneaky hacking group targets old Java applications to break into networks

    A highly organised and stealthy cyber-criminal operation is stealing millions of dollars from financial organisations in attacks that have been active for at least two years. The campaign has been detailed by researchers at Israeli cybersecurity company Sygnia, who have dubbed the organised financial theft operation behind the attacks ‘Elephant Beetle’.

    These attacks are predominantly focused on financial organisations in Latin America, although researchers warned that the campaign could shift towards targets in other parts of the world. Researchers note that one of the breaches they uncovered when analysing Elephant Beetle campaigns was against the Latin American arm of an undisclosed US-based company.

    Elephant Beetle campaigns take place over a long period, with those behind the attacks taking time to examine the financial systems of compromised victims in order to create fraudulent transactions hidden among regular activity, which adds up to millions of dollars being stolen.

    The entry point of the attacks is legacy Java applications running on Linux-based machines and web servers. The legacy nature of these systems means they’re likely to contain unpatched vulnerabilities that can be exploited. Among these vulnerabilities are Primefaces Application Expression Language Injection (CVE-2017-1000486), WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450), SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326), and SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963).

    In each case, the initial payload is a simple obfuscated web shell enabling remote code execution, or a series of exploits running different commands on the target machine. In total, the threat group uses an arsenal of over 80 unique tools and scripts to conduct the campaigns and identify additional security flaws while remaining undetected.

    To help stay under the radar, the attackers stick to smaller transactions that don’t look suspicious on an individual basis, but when all the transactions against victims are added together, millions of dollars are being stolen. If an attempt at a transaction is detected and blocked, the attackers will lay low while remaining on the network for a few months, only to resume activity once they feel the coast is clear.

    “Elephant Beetle is a significant threat due to its highly organised nature and the stealthy pattern with which it intelligently learns victims’ internal financial systems and operations,” said Arie Zilberstein, VP of incident response at Sygnia. “Even after initial detection, our experts have found that Elephant Beetle is able to lay low, but remain deeply embedded in a compromised organization’s infrastructures, enabling it to reactivate and continue stealing funds at any moment,” he added.

    Analysis of incidents involving Elephant Beetle – along with phrases and keywords used in code, including ‘Elephante’ – suggests that the cyber criminals behind the attacks are Spanish-speaking. Researchers also note that many of the command and control servers used by Elephant Beetle appear to be located in Mexico. In addition to this, Sygnia’s incident response team notes that the tools and techniques deployed by Elephant Beetle strongly resemble what cybersecurity company Mandiant tracks as FIN13, a cyber-criminal group focused on Mexico.

    It’s strongly believed Elephant Beetle is still actively compromising targets, but there are steps that organisations can take to avoid falling victim. Key to this is applying patches and security updates to prevent attackers from exploiting known vulnerabilities to gain a foothold in networks. If legacy applications can’t be patched, they should be isolated from the rest of the network where possible.

    “Particularly in the wake of widespread vulnerabilities like Log4j that are dominating the industry conversation, organizations need to be apprised of this latest threat group and ensure their systems are prepared to prevent an attack,” said Zilberstein.

    Google Chrome rival Brave reports another big jump in users

    Brave, the Chromium-based and privacy-focused browser, now has 50 million monthly active users. That total means user numbers have more than doubled from the 24 million it had at the end of 2020. To put Brave’s milestone in perspective, Google has billions of active users on Chrome, Android, iOS and Windows. Nonetheless, Brave has grown from a user base of 1.2 million in 2017 after launching in 2016; version 1.0 of the browser was released in November 2019.

    Its main pitch to people is that it doesn’t sell targeted ads but rather trades attention via cryptocurrency. Brave offers users the choice of viewing ads in exchange for its cryptocurrency, the Basic Attention Token (BAT). Brave argues that people want private browsers with tools that let them unshackle from the ad-sponsored internet that funds Amazon, Apple, Google, Facebook and Microsoft.

    Privacy has become a competitive differentiator amongst browser makers, most of whom use Google’s open-source Chromium project for their products, including Opera, Microsoft Edge and Vivaldi. Brave launched a new search engine, while privacy-focused search engine DuckDuckGo recently launched its own browser. Brave claims it had 2.3 billion queries on its search engine between June and December 2021.

    Brave doesn’t share revenue details but claims its BAT revenues have grown by a factor of four in the past 12 months and that it now has 8 million users who earn BAT via Brave Rewards. It also boasts of its commercial success, naming household brand customers including Ford, PayPal, Toyota, Mastercard, Intel, Crocs, BMW, Keurig, American Express, Budweiser, Walmart, Amazon, and The Home Depot, as well as major crypto clients Binance, Coinbase, Crypto.com, eToro, Gemini, and Solana.

    “Passing 50 million users is a tremendous milestone for our company. It is also a powerful confirmation of the global movement underway led by users seeking alternatives to the surveillance economy,” said Brendan Eich, CEO and co-founder of Brave. “We’ve spent a successful year expanding our product range and our ecosystem, engaging with partners who share our vision for a Web free from Big Tech’s shackles. We have seen an incredible response among our users, creators, and community. We aim to double this growth again in 2022 and engage with even more users who seek a privacy-conscious way to browse the Web that rewards them instead of punishes them with tracking, and helps them directly support creators.”

    Cybersecurity training isn't working. And hacking attacks are only getting worse

    The threat of cyberattacks is growing, and much more needs to be done to educate businesses and users about risks in order to prevent widespread damage and disruption as a result of cyber incidents. Events like ransomware attacks against utilities and infrastructure providers, production facilities and hospitals have demonstrated that cyberattacks can have very real consequences for people, restricting access to vital goods and services for days, weeks and even months.

    But despite the risk posed by cyberattacks, many businesses and their boardrooms still don’t fully understand the threats they’re facing from cybercriminals and how best to defend their networks against them. Part of the problem is that, for many businesses, cybersecurity isn’t ingrained into everyday operations and employees are only asked to think about it when doing annual cybersecurity training — leaving companies at risk from cyberattacks the rest of the year.

    “I think one of the most important things to realise is most of the education and training done, it’s not very effective,” Stuart E. Madnick, professor of information technology and engineering systems at MIT Sloan Executive Education, told ZDNet Security Update. “The 30-minute video you’re obligated to watch once a year doesn’t do the job.”

    According to Madnick — who has been at MIT since 1972 and has served as the head of MIT’s Information Technologies Group for more than 20 years — organisations need to build a culture of cybersecurity that actively involves everyone. If people have a greater understanding of how their organisation falling victim to a cyberattack could affect them, it could lead to everyone being more careful when it comes to cybersecurity. “If somehow you think you play a role in defending your company, it’s important, but that’s not something we’ve been used to in the past, so you have to help people understand that,” said Madnick.

    Many people associate cyberattacks or being hacked with having their personal information or bank details stolen. But the reality is that cyberattacks are becoming much more damaging and costly. Incidents, from ransomware attacks to data breaches or business email compromise (BEC) scams, can cost organisations millions. And as critical infrastructure and vital services become increasingly connected to the internet, there’s the additional risk of cyberattacks causing widespread disruption.

    “One thing we’re just beginning to see now are attacks on the cyber infrastructure of organisations, like hospitals and power grids,” said Madnick. “Imagine the electricity of London going out, not for an hour-and-a-half, not for a day, but for three weeks. That could be pretty serious,” he added, noting this isn’t just a fictional scenario, as Ukraine has previously seen power outages in the dead of winter because of cyberattacks, suspected to come from Russia. That’s far from the only time hostile hackers have entered networks of critical infrastructure, with attackers detected inside the networks of American utilities providers. There’s the risk that it’s only a matter of time before attackers take advantage of vulnerabilities in industrial networks to cause damage and disruption.

    If we don’t take this seriously we’re going to suffer serious consequences, he argues. “That’s why it’s so important to educate broadly on the implications of cybercrime,” said Madnick. “The worst is yet to come,” he adds, noting how more and more of life now depends on technology.

    For example, the rise of the Internet of Things (IoT) means basic appliances and sensors are connected to the internet — but, if they’re not properly secured, they’re just another avenue that attackers can use as a gateway to wider networks. Madnick cited how something as simple as a toothbrush can be IoT-connected. While the app might give a user feedback on how well they’re brushing their teeth, a toothbrush that’s not secured properly could potentially carry cybersecurity risks. And more and more devices are being added to networks that won’t have been designed with IoT devices in mind.

    “Almost every product, except a brick, will have a computer in it, so the number of devices that can be cyber-attacked is increasing exponentially,” said Madnick. “The attack surfaces are multiplying all over the place and the consequences of these attacks are hard to imagine yet,” he added.

    Google Chrome update includes 37 security fixes

    Google rolled out an update for Chrome this week on Windows, Mac and Linux that included 37 security fixes, one of which was rated critical. Google Chrome’s Prudhvikumar Bommana thanked dozens of security researchers for helping find the bugs, many of which were given a high severity rating.

    Chrome 97.0.4692.71 includes a fix for CVE-2022-0096 — a critical use-after-free (UAF) vulnerability — as well as for other UAFs: CVE-2022-0098, CVE-2022-0099, CVE-2022-0103, CVE-2022-0105 and CVE-2022-0106. There are also three heap buffer overflow issues rated high severity.

    Google did not say whether exploits exist for any of the vulnerabilities, but BreachQuest CTO Jake Williams said he was not aware of any of these vulnerabilities being actively exploited in the wild. Most home users will receive updates automatically, Williams noted, but enterprise users who lack administrative permissions on their machines will rely on systems administrators to push the update.

    In October, Google fixed two previously unknown, high-severity zero-day flaws in a Chrome update for Windows, Mac and Linux. Exploits for both were found in the wild, according to Google. Google patched at least 14 zero-days in 2021.

    Viakoo CEO Bud Broomhead said it is notable that stable channel releases are now focused on fixing security vulnerabilities more than on delivering new functionality. “Stable is now becoming ‘cyber safe to use’ as opposed to ‘won’t crash your machine,’ a meaningful difference with the onslaught of cyber vulnerabilities,” Broomhead said.

    Kazakhstan leaders shut down internet amid gas price protests

    Internet service in Kazakhstan was disrupted this week as thousands took to the streets in protest over a rise in energy prices. The internet was partially restored on Wednesday but there is still evidence of significant disruption. Both NetBlocks and Cloudflare reported significant internet shutdowns in the country on Tuesday evening after protests began in the western town of Zhanaozen.

    Alp Toker, director of NetBlocks, told ZDNet that they have been tracking the disruptions since their onset on Tuesday. NetBlocks found that initially mobile services and some fixed lines were affected, before there was a country-wide blackout around 5 pm on Wednesday affecting all connectivity in the country. “What’s striking here is the rapid deployment of internet restrictions at national scale, effectively resulting in an information vacuum both inside and outside the country. This has made it difficult to get a clear picture of what is happening on the ground in Kazakhstan as political instability spirals,” Toker said.

    “In [the] past we’ve document[ed] internet disruptions in Kazakhstan during elections and protests, but the severity here is markedly on a different scale,” Toker added. NetBlocks released multiple graphs showing that internet service through mobile providers like Kcell, Beeline, and Tele2 was still significantly disrupted on Wednesday as the government responded forcefully to the protests. Cloudflare found that the largest telecommunication company in the country, Kaz Telecom, was also affected. Many noted that an internet blackout of this scale would mean banks, businesses, and many other daily functions would struggle to continue. Cloudflare explained that Kazakhstan is a country where mobile “represents something like 75% of Internet traffic.”

    NetBlocks said this kind of internet disruption “affects connectivity at the network layer and cannot always be worked around with the use of circumvention software or VPNs.” The blackouts caused everyone outside of Kazakhstan to lose access to any websites and services hosted in Kazakhstan, including government and news websites. The internet watchdog added that Kazakhstan’s leaders have a history of using internet restrictions to control protests. NetBlocks tracked Kazakhstan internet blackouts during elections and during certain holidays.

    The Associated Press reported on Wednesday that protesters set both the presidential residence and the Almaty mayor’s office on fire as unrest evolved from protests about the price of liquefied petroleum gas to nationwide demonstrations against the ruling party, which has been in power since the country gained independence in 1991. The government resigned on Wednesday, but President Kassym-Jomart Tokayev said all officials would remain in their roles until replacements are found.

    Cloudflare noted that it is becoming increasingly common for dictators facing protests to shut down the entire country’s internet as a way to quell outrage and limit the ability of protesters in different towns to communicate. This was done most recently by the leaders of Sudan and Myanmar as they faced mass protests.

    NY AG notifies 17 companies of breaches, says 1.1 million accounts compromised in attacks

    New York Attorney General Letitia James has informed 17 companies of cyberattacks that compromised user information, following an investigation into credential stuffing. More than 1 million customer accounts were compromised in the attacks, which James said had previously gone undetected.

    James said her office was releasing a guide for businesses on how they can deal with credential stuffing attacks, noting that the practice has “quickly become one of the top attack vectors online.” The 17 businesses affected include well-known online retailers, restaurant chains, and food delivery services.

    The FBI said last year that credential stuffing attacks — which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services — have been used to compromise 50,000 online bank accounts since 2017. Akamai released a report last year that found over 193 billion credential stuffing attacks occurred globally in 2020.

    “Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” said James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts, and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”

    The Office of the Attorney General (OAG) monitored online communities dedicated to credential stuffing and found thousands of posts containing customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts on websites or apps.

    After contacting the companies, all 17 investigated the OAG’s findings and took steps to protect users. The OAG said “nearly” all of the companies “implemented, or made plans to implement additional safeguards.” These safeguards include bot detection services, multi-factor authentication and password-less authentication. The OAG also urged companies to monitor customer traffic for signs of credential stuffing attacks, such as spikes in the volume of failed login attempts.
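As an added example (not from the OAG guide or this article), the following detection runs over constructed login-log lines and looks for the pattern the passage describes: one source producing a burst of failed logins against many distinct accounts, plus a per-minute failure count that exposes the spike. The log format, thresholds and window size are assumptions to be tuned to a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one authentication
# event per line, e.g. "2022-01-05T10:01:02Z ip=203.0.113.7 user=carol result=fail".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: one source cycles through many different accounts in
# seconds, mostly failing; the other sources look like ordinary users.
SAMPLE_LOG = """\
2022-01-05T10:00:01Z ip=198.51.100.3 user=alice result=fail
2022-01-05T10:00:09Z ip=198.51.100.3 user=alice result=ok
2022-01-05T10:00:15Z ip=198.51.100.8 user=bob result=ok
2022-01-05T10:01:02Z ip=203.0.113.7 user=carol result=fail
2022-01-05T10:01:04Z ip=203.0.113.7 user=dave result=fail
2022-01-05T10:01:06Z ip=203.0.113.7 user=erin result=fail
2022-01-05T10:01:08Z ip=203.0.113.7 user=frank result=ok
2022-01-05T10:01:10Z ip=203.0.113.7 user=grace result=fail
2022-01-05T10:01:12Z ip=203.0.113.7 user=heidi result=fail
2022-01-05T10:01:14Z ip=203.0.113.7 user=ivan result=fail
2022-01-05T10:01:16Z ip=203.0.113.7 user=judy result=fail
2022-01-05T10:02:30Z ip=198.51.100.9 user=mike result=fail
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"}


def failures_per_minute(lines):
    """Count failed logins per minute bucket ("HH:MM"), to expose a spike."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        if not e["ok"]:
            counts[e["ts"].strftime("%H:%M")] += 1
    return dict(counts)


def detect_stuffing(lines, window=timedelta(seconds=60),
                    min_failures=5, min_users=4):
    """Flag sources whose sliding window holds many failures across many
    distinct accounts.  Thresholds are assumptions to tune per site.

    A single account failing repeatedly is not flagged here: that is a
    password-guessing signal, not the one-try-per-stolen-credential pattern
    of credential stuffing.  The "successes" count is the follow-up list:
    those accounts were opened with a credential that worked.
    """
    by_ip = defaultdict(list)
    for e in sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            failures = sum(1 for e in span if not e["ok"])
            users = {e["user"] for e in span}
            if (failures >= min_failures and len(users) >= min_users
                    and failures > alerts.get(ip, {}).get("failures", 0)):
                alerts[ip] = {"failures": failures, "distinct_users": len(users),
                              "successes": sum(1 for e in span if e["ok"])}
    return alerts


if __name__ == "__main__":
    print(failures_per_minute(SAMPLE_LOG))
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {info}")
```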

    James also said businesses need to institute re-authentication for customer payment information as a way to prevent attackers from gaining access to sensitive information. “It is critically important that re-authentication be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication,” the OAG said. “Businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include investigation and notice.”

    Two weeks ago, the UK National Crime Agency and National Cyber Crime Unit discovered a cache of 225 million stolen emails and passwords, eventually handing it over to HaveIBeenPwned, which tracks credentials stolen and/or leaked through past data breaches.