Security Weekly 10

Security Weekly 10: Unknown Attackers Hacked CoinDash, Tens of Millions of Software Installations and IoT Devices Contain a Critical Vulnerability, Numerous Modifications of Nukebot

  • Hacking a single-page WordPress site and stealing $7.7 million is no longer the plot of an illiterate hacker movie but something that has actually happened.
  • Technology! Have you noticed the ICO craze? It is like an IPO, where a company first issues its shares and sells them through a stock exchange, only with tokens instead of shares, sold directly rather than through an exchange, and usually for cryptocurrency.
  • What is it all for? Crypto-investors whose Bitcoin and other coins have become more expensive and are burning a hole in their pocket find it very easy to invest in a high-tech startup: just transfer the funds to the right address, with no hassle from exchanges and brokers. Fast, easy, safe.

Unknown hackers also appreciated the convenience of ICOs and decided to take part. They found the talented folks at CoinDash, who were running their ICO from a WordPress site, hacked it, replaced the Ethereum address for investments, and sat back to count the millions. The first victims were 2000 investors who lost 37 thousand ether (at that time about $209 per ether).

CoinDash.io
  • Even after CoinDash announced this dirty hack, investors kept sending ether to the wrong address, more than $10 million in total. The company decided to hand out its tokens to the victims of the hackers anyway, so that the investors would not suffer, only the company itself.
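The CoinDash incident boiled down to a single payment address being swapped on a public page. A defender's check for exactly that, added here as an example and not code from the original post or from CoinDash: extract every Ethereum-style address from a fetched copy of the page and compare it against the address that was actually published. The page snippets and addresses below are constructed for the example.

```python
import re

# Constructed sample: the ICO landing page as published, and the same page
# after an attacker swapped the payment address (both addresses hypothetical).
EXPECTED_ADDRESS = "0x1111111111111111111111111111111111111111"
PAGE_OK = '<p>Send ETH to <code>0x1111111111111111111111111111111111111111</code></p>'
PAGE_DEFACED = '<p>Send ETH to <code>0x2222222222222222222222222222222222222222</code></p>'

# An Ethereum address is "0x" followed by 40 hex digits.
ETH_ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def extract_addresses(html):
    """Return every Ethereum-style address found in the page, lower-cased."""
    return {m.lower() for m in ETH_ADDRESS_RE.findall(html)}


def check_page(html, expected):
    """Compare the addresses on a fetched page with the one we published.

    Returns a list of alert strings; an empty list means the page is clean.
    Two things are flagged: the published address disappearing, and any
    address appearing that we did not publish.
    """
    found = extract_addresses(html)
    expected = expected.lower()
    alerts = []
    if expected not in found:
        alerts.append("expected address %s is missing from the page" % expected)
    for addr in sorted(found - {expected}):
        alerts.append("unexpected address on page: %s" % addr)
    return alerts


if __name__ == "__main__":
    print("clean page:", check_page(PAGE_OK, EXPECTED_ADDRESS))
    print("defaced page:", check_page(PAGE_DEFACED, EXPECTED_ADDRESS))
```

In practice the HTML would be fetched on a timer from a vantage point outside the web server itself, so that a compromised site cannot hide the change from its own monitoring.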

Tens of millions of software installations and IoT devices contain a critical vulnerability.

RCE vulnerability

News from the world of the Internet of Things is very monotonous, but the trend is rather apocalyptic: the deeper into the forest, the more holes. And all because when a security researcher has nothing to do, he picks up the first IoT device at hand, finds a vulnerability in it within half an hour, estimates the number of units sold, and there is the script for the next router horror story in all the trade publications!

  • Senrio did something along these lines when they set out to study a fancy security camera from Axis Communications. They quickly learned how to trigger a buffer overflow through port 80 and intercept the video stream without any authentication, reboot the camera, and pause recording. The vulnerability was christened Devil’s Ivy.
  • After that, they found out that the same software runs on another 248 models in the Axis Communications line, and the bug is, of course, present there too. They scanned the Internet using Shodan and found 14,700 vulnerable cameras online (clearly, most such cameras sit behind firewalls).
  • Then another link in this chain was uncovered: the problem lies in a third-party component, the gSOAP library, which is used in a great many places, including products from Microsoft, IBM, Xerox, and Adobe. This does not mean that every product using gSOAP is vulnerable, but the problem is certainly very large; hence the “tens of millions” announced in the news. Such very approximate figures are not frightening in themselves, but if a self-propagating Trojan worm that exploits this hole suddenly appeared, they would not seem so small.

Numerous modifications of Nukebot

Nukebot

At the end of March this year, the author of the Nukebot banking Trojan posted its source code on the darknet. Unfortunately, such actions are not uncommon, the motives are usually unclear, and the consequences are extremely unpleasant. People hunting for easy money who are unable to write such a thing themselves, or to buy a malware subscription on the darknet, take advantage of this charity and flood the Internet with slightly modified Trojans.

  • And now, a month and a half later, our analysts have already found a pile of samples. True, most of them are essentially inoperable: the code does not even specify a command-and-control server. Either these are test samples, or some of the wannabe hackers have not mastered the botnet’s command infrastructure (and encrypting the code). Nevertheless, about 5% of the samples are fully functional and are probably earning their owners money.

Incidentally, researchers at IBM conducted a small investigation and put forward a theory of why the author published the Nukebot source code. It turns out that he tried to sell the Trojan without having it vetted by the administrators of a darknet site. After that business was shut down, he registered elsewhere under a different name and was, in the end, banned everywhere. With no one left to buy, he decided simply to give the code away. All this unprofessionalism does not really square with Nukebot’s good technical level, but there is no point in guessing.