Bitcoin exchange NiceHash hacked, $68 million stolen

Bitcoin mining platform and exchange NiceHash has been hacked, leaving investors short of close to $68 million in BTC. As the price of Bitcoin continues to rocket, surging past the $14,500 mark at the time of writing, cyberattackers have once again begun hunting for a fresh target to cash in on in this lucrative industry.
Banks and financial institutions have long cautioned that the volatility of Bitcoin and other cryptocurrency makes it a risky investment, but for successful attackers, the industry potentially provides a quick method to get rich — much to the frustration of investors.
Unfortunately, it seems that one such criminal has gone down this path, compromising NiceHash servers and clearing the company out.
In a press release posted on Reddit on Wednesday, NiceHash said that all operations will stop for the next 24 hours after their “payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen.”
NiceHash said it was working to “verify” the precise amount of BTC stolen, but according to a wallet address which allegedly belongs to the attacker, and whose balance anyone can trace on the blockchain, 4,736.42 BTC was taken, which at current pricing equates to $67,867,781.
“Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days,” NiceHash says. “In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency.”
“We are fully committed to restoring the NiceHash service with the highest security measures at the earliest opportunity,” the trading platform added.
The company has also asked users to change their online passwords as a precaution. NiceHash says the “full scope” of the incident is unknown.
“We are truly sorry for any inconvenience that this may have caused and are committing every resource towards solving this issue as soon as possible,” the company added.
Inconvenience is an understatement — especially as so much was left in a single wallet — but the moment those coins shift, we may know more about the fate of the stolen investor funds.
Speaking to ZDNet, Tyler Moffitt, Senior Threat Research Analyst at Webroot commented: “This hack is a lesson for the community to ensure that when mining for a pool, payouts always trigger at the smallest amount. Even though there are fees associated with using the minimum payout, having the amount sitting in the mining pool’s wallet is risky. It doesn’t take much for mining pool operators to keep these types of wallets secure. If you don’t, this is what can happen. It will be a huge uphill battle for NiceHash to overcome this breach as it’s very damaging to its brand.”
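The trade-off Moffitt describes, payout fees against the balance a miner leaves sitting in the pool's hot wallet, can be made concrete with a short simulation. This is an added example, not code from the article or from NiceHash; the earnings stream, the fee and the day of compromise are constructed inputs, and amounts are kept in integer satoshi so rounding does not cloud the comparison.

```python
# Added example, not part of the original article: simulate the trade-off Tyler
# Moffitt describes. Earnings accrue at the pool until they reach the payout
# threshold; a lower threshold costs more in payout fees but bounds how much sits
# in the pool's wallet if the pool is compromised. All amounts are integer
# satoshi to avoid float rounding; the figures are constructed, not NiceHash's.
from dataclasses import dataclass


@dataclass
class PayoutStats:
    payouts: int        # payouts triggered during the run
    fees_paid: int      # total payout fees (satoshi)
    peak_exposure: int  # largest balance ever held at the pool (satoshi)
    lost: int           # balance still at the pool when it is compromised (satoshi)


def simulate(daily_earnings, threshold, fee_per_payout, compromised_on_day=None):
    """Run a miner's balance through the pool day by day.

    A payout fires at the end of any day on which the balance reaches
    `threshold`. If `compromised_on_day` is set, whatever remains at the pool
    at the end of that day is counted as lost and the simulation stops.
    """
    balance = payouts = fees = peak = 0
    for day, earned in enumerate(daily_earnings, start=1):
        balance += earned
        peak = max(peak, balance)
        if balance >= threshold:
            payouts += 1
            fees += fee_per_payout
            balance = 0  # paid out to the miner's own wallet; fee tracked separately
        if day == compromised_on_day:
            return PayoutStats(payouts, fees, peak, balance)
    return PayoutStats(payouts, fees, peak, balance)


def compare_thresholds(daily_earnings, thresholds, fee_per_payout, compromised_on_day):
    """Map each payout threshold to its PayoutStats for the same earnings stream."""
    return {t: simulate(daily_earnings, t, fee_per_payout, compromised_on_day)
            for t in thresholds}


if __name__ == "__main__":
    SAT = 100_000_000                       # satoshi per BTC
    earnings = [SAT // 100] * 30            # constructed: 0.01 BTC/day for 30 days
    results = compare_thresholds(earnings, [SAT // 10, SAT // 2], 50_000, compromised_on_day=30)
    for t, stats in results.items():
        print(f"threshold {t / SAT:.2f} BTC: {stats}")
```

With the constructed stream, a 0.1 BTC threshold pays out three times, costs 150,000 satoshi in fees and leaves nothing at the pool on the day of compromise; a 0.5 BTC threshold pays no fees but loses the full 0.3 BTC accrued. The fee is the price of keeping the exposure bounded by the threshold rather than by the pool's security.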
In related news this week, Steam has stopped accepting Bitcoin as payments on the game distribution platform. The company said the volatility of the coin, together with a rise in transaction fees which can now reach up to $20 per transaction, has made the payment option “untenable” for now.
ZDNet has contacted NiceHash and will update if we hear back.

Researchers: Andromeda Bust Collared Cybercrime Mastermind

Workstation of a suspect arrested in connection with Andromeda botnet operations. (Source: Belarus Police)
Police say they have disrupted the long-running Andromeda botnet, aka Gamarue, which has been tied to a massive number of malware attacks, including ransomware campaigns.
On Wednesday, an international police operation resulted in the seizure of servers and domains used to spread and control Andromeda malware as well as the arrest of an unnamed individual in Belarus who’s been accused of being tied to the botnet. Some security researchers believe the individual is the veteran cybercriminal called “Ar3s,” aka “the Belarusian.”
The EU’s law enforcement intelligence agency, Europol, on Monday said that 1,500 command-and-control and malware-distribution domains tied to Andromeda had been sinkholed, meaning they were rerouted to police-controlled servers. Microsoft, which assisted in the takedown along with security firm ESET, said that in the first 48 hours of the sinkholing, approximately 2 million unique IP addresses – each taken to represent an Andromeda-infected PC – from 223 countries were detected.
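The "unique IP addresses in the first 48 hours" figure comes from de-duplicating the sources that contacted the sinkholed domains within a time window and attributing each to a country. The block below is an added example of that counting step, not code from Europol, Microsoft or ESET; the log format, the addresses and the prefix-to-country table are constructed for the example (a real sinkhole would use a GeoIP database, and the names `parse_line`, `unique_sources` and `sources_by_country` are this example's own).

```python
# Added example, not from the original article: count unique sinkhole sources in
# a 48-hour window and bucket them by country. Log lines, addresses and the
# prefix-to-country table are constructed stand-ins, not real telemetry.
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sinkhole log, one hit per line: "<ISO timestamp> <source IP> <queried domain>".
SAMPLE_LOG = """\
2017-12-05T00:00:10Z 198.51.100.7 c2-one.example
2017-12-05T00:05:12Z 198.51.100.7 c2-one.example
2017-12-05T00:09:00Z 203.0.113.44 c2-two.example
2017-12-05T13:00:00Z 192.0.2.9 c2-one.example
2017-12-06T22:30:00Z 203.0.113.45 c2-two.example
2017-12-07T01:00:00Z 192.0.2.200 c2-one.example
2017-12-07T03:00:00Z garbage-line
"""

# Constructed prefix-to-country table standing in for a GeoIP lookup.
PREFIX_COUNTRY = {
    ipaddress.ip_network("198.51.100.0/24"): "IN",
    ipaddress.ip_network("203.0.113.0/24"): "ID",
    ipaddress.ip_network("192.0.2.0/24"): "VN",
}


def parse_line(line):
    """Return (timestamp, ip, domain) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts, ip, parts[2]


def country_of(ip):
    """Longest-prefix style lookup over the constructed table; '??' if unknown."""
    for net, cc in PREFIX_COUNTRY.items():
        if ip in net:
            return cc
    return "??"


def unique_sources(log_text, start, window=timedelta(hours=48)):
    """Set of distinct source IPs that hit the sinkhole in [start, start + window)."""
    end = start + window
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip malformed lines rather than abort the count
        ts, ip, _domain = rec
        if start <= ts < end:
            seen.add(ip)
    return seen


def sources_by_country(ips):
    """Count unique sources per country code."""
    return Counter(country_of(ip) for ip in ips)


if __name__ == "__main__":
    start = datetime(2017, 12, 5, tzinfo=timezone.utc)
    ips = unique_sources(SAMPLE_LOG, start)
    print(len(ips), "unique sources;", dict(sources_by_country(ips)))
```

Two caveats a practitioner would attach to such a count: a single IP behind carrier-grade NAT can hide many infected hosts, and one host on a DHCP lease can show up as several IPs over 48 hours, so "unique IP" is a proxy for "infected PC" in both directions. Repeated beacons from the same address (the first two lines above) must be collapsed, or the count inflates with the malware's check-in frequency.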
We analyzed more than 44K malware samples to uncover Gamarue/Andromeda’s sprawling infrastructure. We provided detailed info on 1,214 C&C servers, 464 distinct botnets, & >80 related malware families to law enforcement agencies that mobilized the takedown.— Windows Defender Security Intelligence (@WDSecurity) December 5, 2017
The Andromeda investigation was led by the FBI, working with the Lüneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Center, the EU’s Joint Cybercrime Action Task Force and Eurojust, the EU agency devoted to judicial cooperation in criminal matters.
“This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale,” says Steven Wilson, head of Europol’s European Cybercrime Center, or EC3. “The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”
Andromeda’s global prevalence from May to November. (Source: Microsoft)
Suspect Arrested in Belarus
As part of the Andromeda disruption, police in the Eastern European country of Belarus announced that they arrested a Belarus citizen accused of being part of “an international cybercrime group” that created and distributed malicious software. The date of the suspect’s arrest has not been announced.
Police said they worked with the FBI on the investigation and that undercover FBI agents purchased software from the defendant that established his connection to the Andromeda botnet. They said that connection was bolstered by a digital forensic investigation of storage devices seized from the suspect at the time of his arrest.
USB storage devices seized by police in Belarus when they arrested an individual in connection with the Andromeda botnet. (Source: Police in Belarus)
Police in Belarus allege that the suspect received $500 per copy of the Andromeda crimeware toolkit that was sold, as well as $10 for every follow-up malware update provided to buyers.
Based on the information that has been released by authorities, two researchers at cybercrime intelligence provider Recorded Future believe the suspect is “Ar3s,” a veteran cybercriminal. “Ar3s is the mastermind behind the Andromeda Trojan and a longstanding administrator of the Damage Lab hacking forum,” Recorded Future’s Andrei Barysevich and Alexandr Solad write in a report released Tuesday.
“Ar3s … is one of the most respected and longest-standing members of the hacking community and has operated in the Russian-speaking underground since at least 2004,” the researchers say. Other handles used by the suspect have been “Apec” – in Russian – as well as “Ch1t3r.” And on cybercrime forums, Ar3s is regularly referred to as “the Belarusian,” they say.
“The actor is best known as a developer of the powerful Andromeda bot created in 2011, as well as the Win32/Gamarue HTTP bot,” they add. “The actor is also known as the author of the Windows SMTP Bruter v.1.2.3, an SMTP bruteforcing tool, as well as ‘Swf-Inj Service’ which hijacks web traffic by embedding iFrame malware into SWF – small web format – files.”

Malware Distribution Operation
Andromeda was principally designed to distribute other types of malware, and the Andromeda bot was often advertised on cybercrime forums as the Gamarue crimeware toolkit, security researchers at the Microsoft Digital Crimes Unit and Windows Defender Research team say in a blog post.
Microsoft estimates that cybercriminals used Andromeda to distribute 80 malware families and that in the last six months, such malware was detected or blocked on more than 1 million PCs per month.
Top 10 countries with systems that encountered Andromeda/Gamarue from May to November. (Source: Microsoft)
The malware families distributed by Andromeda included Carberp and Ursnif banking Trojans; Fareit and Kasident distributed denial-of-service attack malware; the Fynloski backdoor; as well as Cerber, Petya and Troldesh ransomware, Microsoft says.
Since 2015, ESET – together with Microsoft – has been providing intelligence on Andromeda, which ESET refers to as Wauchos, to authorities. “Wauchos is mostly used to steal credentials, and to download and install additional malware onto a system,” ESET researcher Jean-Ian Boutin says in a blog post. “Thus, if a system is compromised with Wauchos, it’s likely that there will be several other malware families lurking on the same system.”
Modular Capabilities
Gamarue is highly modular, and users can buy add-ons with additional desired capabilities, Microsoft says, including the following functionality:
Rootkit (included): Injects rootkit code into all processes running on a victim computer to give Gamarue persistence;
Socks4/5 (included): Turns a victim’s PC into a proxy server for serving malware or malicious instructions to other internet-connected PCs;
Keylogger ($150): Logs keystrokes and mouse activity to steal usernames and passwords, financial information and more;
Formgrabber ($250): Captures any data submitted by a user via Chrome, Firefox or Internet Explorer web browsers;
Teamviewer ($250): Remotely controls the victim machine, spies on the desktop and transfers files, among other capabilities;
Spreader (price unlisted): Spreads Andromeda malware via removable drives while giving the malware the ability to download updates from domains produced by domain generation algorithms (DGAs).
Andromeda was also designed to disable built-in Windows security features. “Gamarue attempts to tamper with the operating systems of infected computers by disabling firewall, Windows Update and user account control functions,” Microsoft says. “These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10.”
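The three features Microsoft lists (firewall, Windows Update and User Account Control) each have a well-known on/off switch in the registry, so a responder triaging a suspected pre-Windows-10 Gamarue infection can check them directly. The following is an added example, not Microsoft's code and not from the article; it reads the standard registry locations for those switches, and the "default when the value is absent" assumptions are marked inline. The page does not say which mechanism Gamarue itself uses to disable these features, so this is a check of the resulting state, not of the malware's method.

```python
# Added example, not part of the original article: triage check for the three
# Windows protections the article says Gamarue disables. Registry paths are the
# standard locations for these switches; the "absent means default" values are
# this example's assumptions. read_registry_values() needs Windows; assess()
# is pure and works on any platform.
import sys

# name -> (HKLM-relative key, value name, value meaning "disabled", assumed default if absent)
CHECKS = {
    "uac": (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
            "EnableLUA", 0, 1),
    "windows_update": (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU",
                       "NoAutoUpdate", 1, 0),
    "firewall_domain": (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile",
                        "EnableFirewall", 0, 1),
    "firewall_standard": (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
                          "EnableFirewall", 0, 1),
    "firewall_public": (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile",
                        "EnableFirewall", 0, 1),
}


def read_registry_values():
    """Read each configured value from HKLM; None records a missing key or value."""
    import winreg  # standard library, Windows only
    found = {}
    for name, (key, value, _disabled, _default) in CHECKS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                found[name], _kind = winreg.QueryValueEx(k, value)
        except FileNotFoundError:
            found[name] = None
    return found


def assess(values):
    """Return the names of protections that are switched off.

    `values` maps a check name to the raw registry value, or None when the key
    or value does not exist; a missing entry is treated as the assumed default.
    """
    disabled = []
    for name, (_key, _value, disabled_value, default) in CHECKS.items():
        v = values.get(name)
        if v is None:
            v = default
        if v == disabled_value:
            disabled.append(name)
    return disabled


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("registry read requires Windows; assess() can still be used on exported values")
    off = assess(read_registry_values())
    print("disabled protections:", off or "none")
```

A non-empty result is a lead, not a verdict: these same values are set legitimately by Group Policy, and an `EnableLUA` change only takes effect after a reboot. The point of the check is the one the article makes, that on an infected pre-Windows-10 host the switches stay off until the infection is removed, so re-enabling them and watching whether they flip back is itself a useful signal.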
Microsoft Windows firewall and update functionality after being disabled by Andromeda, aka Gamarue. (Source: Microsoft)
Lessons Learned From Avalanche
Police say their disruption of Andromeda succeeded thanks, in part, to lessons learned from taking down the Avalanche botnet 12 months ago, which was tied to Andromeda. At the time, police arrested five individuals, physically seized more than three dozen servers tied to Avalanche and took technical steps to prevent repeat attacks.
Europol estimated that infrastructure used to run Avalanche, which was in operation since 2009, every week lobbed more than 1 million emails carrying malicious links or attachments at potential victims.
Late last year, authorities sinkholed all Avalanche infections, which they planned to do for one year. But on Monday, Europol announced that the sinkholing has been extended for another year because “globally 55 percent of the computer systems originally infected [by] Avalanche are still infected today.”