U.S. Sanctions Virtual Currency Mixer Tornado Cash for Alleged Use in Laundering

The U.S. Treasury Department on Monday placed sanctions against crypto mixing service Tornado Cash, citing its use by the North Korea-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and cash out the ill-gotten money.

Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, is estimated to have been used to launder more than $7.6 billion worth of virtual assets since its creation in 2019, the department said.

Thefts, hacks, and fraud account for $1.54 billion of the total assets sent through the mixer, according to blockchain analytics firm Elliptic.

Crypto mixing is akin to shuffling digital currencies through a black box, blending a certain quantity of cryptocurrency in private pools before transferring it to its designated receivers for a fee. The aim is to make transactions anonymous and difficult to trace.

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” Brian E. Nelson, under secretary of the Treasury for terrorism and financial intelligence, said.

images from Hacker News

The Truth About False Positives in Security

TL;DR: As weird as it might sound, seeing a few false positives reported by a security scanner is probably a good sign and certainly better than seeing none. Let’s explain why.

Introduction

False positives have made a somewhat unexpected appearance in our lives in recent years. I am, of course, referring to the COVID-19 pandemic, which required massive testing campaigns in order to control the spread of the virus. For the record, a false positive is a result that appears positive (for COVID-19 in our case), where it is actually negative (the person is not infected). More commonly, we speak of false alarms.

In computer security, we are also often confronted with false positives. Ask the security team behind any SIEM what their biggest operational challenge is, and chances are that false positives will be mentioned. A recent report estimates that as much as 20% of all the alerts received by security professionals are false positives, making them a major source of alert fatigue.

Yet the story behind false positives is not as simple as it might appear at first. In this article, we will advocate that when evaluating an analysis tool, seeing a moderate rate of false positives is a rather good sign of efficiency.

What are we talking about exactly?

With static analysis in application security, our primary concern is to catch all the true vulnerabilities by analysing source code.

10 Credential Stealing Python Libraries Found on PyPI Repository

In what’s yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and API tokens.

The packages “install info-stealers that enable attackers to steal developer’s private data and personal credentials,” Israeli cybersecurity firm Check Point said in a Monday report.

A short summary of the offending packages is below:

  • Ascii2text, which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser
  • Pyg-utils, Pymocks, and PyProto2, which are designed to steal users’ AWS credentials
  • Test-async and Zlibsrc, which download and execute malicious code during installation
  • Free-net-vpn, Free-net-vpn2, and WINRPCexploit, which steal user credentials and environment variables, and
  • Browserdiv, which is capable of collecting credentials and other information saved in the web browser’s Local Storage folder

The disclosure is the latest in a rapidly ballooning list of recent cases where threat actors have published rogue software on widely used software repositories such as PyPI and Node Package Manager (NPM) with the goal of disrupting the software supply chain.

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors.

Russian cybersecurity firm Kaspersky attributed the attacks “with a high degree of confidence” to a China-linked threat actor tracked by Proofpoint as TA428, citing overlaps in tactics, techniques, and procedures (TTPs).

TA428, also known by the names Bronze Dudley, Temp.Hex, and Vicious Panda, has a history of striking entities in Ukraine, Russia, Belarus, and Mongolia. It’s believed to share connections with another hacking group called Mustang Panda (aka Bronze President).

Targets of the latest cyber espionage campaign included industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries and Afghanistan.

Attack chains entail penetrating the enterprise IT networks using carefully crafted phishing emails, including some that referenced non-public information pertaining to the organizations, to trick recipients into opening rogue Microsoft Word documents.

New Orchard Botnet Uses Bitcoin Founder’s Account Info to Generate Malicious Domains

A new botnet named Orchard has been observed using Bitcoin creator Satoshi Nakamoto’s account transaction information to generate domain names to conceal its command-and-control (C2) infrastructure.

“Because of the uncertainty of Bitcoin transactions, this technique is more unpredictable than using the common time-generated [domain generation algorithms], and thus more difficult to defend against,” researchers from Qihoo 360’s Netlab security team said in a Friday write-up.

Orchard is said to have undergone three revisions since February 2021, with the botnet primarily used to deploy additional payloads onto a victim’s machine and execute commands received from the C2 server.

It’s also designed to upload device and user information as well as infect USB storage devices to propagate the malware. Netlab’s analysis shows that over 3,000 hosts have been enslaved by the malware to date, most of them located in China.

Orchard has also received significant updates over the past year, one of which entailed a brief switch to Golang for its implementation, before returning to C++ in its third iteration.
