Invaders Drop News: Hedgey Finance Hit by $44.7 Million Crypto-Heist

More News:

  • Major Hacks & Leaks: Hedgey Finance ($44M crypto theft), PSG (ticketing system breach), El Salvador (citizen data leak), boAt (customer data leak), University of Winnipeg (employee & student data stolen).

  • Cyberwarfare: Ukrainian hackers destroyed a Russian data center used by major companies.

  • Privacy Concerns: OpenTable will expose user names and photos on reviews, Microsoft update may restrict changing default browser.

  • Policy & Governance: Pegasus spyware used against Polish politician, US bill targets ransomware payments, World Cybercrime Index ranks countries by cybercrime activity.

  • Cybercrime & Malware: Firebird/Hive RAT developer arrested, ex-Amazon engineer jailed for crypto theft, new card skimmer discovered, Pikabot malware analysis, XZ backdoor reports.

  • Vulnerabilities: Ahoi attack on cloud TEEs, Hugging Face AI platform flaws, Ivanti VPN vulnerability, V8 Sandbox added to Google's bug bounty program.

Get the latest cyber news with the Invaders Drop news podcast, brought to you by Invaders Cybersecurity! Listen to our easy-to-understand audio updates. Just search for "Invaders Drop news" on your podcast app. Subscribe now and stay in the loop!

Hedgey Finance, a DeFi platform, has experienced a significant crypto-heist, resulting in the theft of $44.7 million worth of crypto-assets. The attack was executed by a threat actor who took advantage of a vulnerability in Hedgey Finance's Token Claim smart contract, enabling them to carry out a flash loan attack. In an attempt to recover the stolen funds, Hedgey Finance reached out to the hacker for negotiations, but the hacker showed no interest in returning the funds. You can find additional coverage of this incident on CoinTelegraph.

Smart Contract Exploit and Impersonation Scams Rock DeFi Platform

Following the confirmation of the exploit, fake accounts impersonating the Hedgey protocol emerged and began posting potentially harmful links in the comment section. These accounts urged users to seek refunds or revoke their smart contract approvals, directing them to suspicious links unrelated to the Hedgey protocol.

Notably, the exploit took place just hours before the highly anticipated Bitcoin halving, which is an event that reduces block issuance rewards by half.

OwenCloud Operation: Ukrainian hackers, linked to Ukraine's Security Service (SBU) cyber department, destroyed a data center used by Russian industrial giants like Gazprom, Lukoil, and Telecom. Over 10,000 Russian entities, including defense, oil, gas, and telecommunications companies, stored data in the OwenCloud.ru service. The joint operation of the Ukrainian hacker group BLACKJACK and the SBU Cyber Department resulted in the destruction of over 300 TB of data held on 400 virtual and 42 physical servers.

PSG Incident: PSG, a French soccer/football club, reported being targeted by a cyberattack, likely a credential-stuffing attack. The breach compromised identity data including name, email, address, mobile number, date of birth, and account status, as well as IBAN numbers, with only the last three digits being legible.

El Salvador Leaks: A threat actor leaked databases containing personal information and photos of over 5 million El Salvador citizens, affecting roughly 80% of the population. The hacker released the data for free after failing to sell it since August last year. Additionally, 10 million emails from the National Civil Police and 250,000 emails from the Armed Forces of El Salvador were compromised. Two days later, the group "ransomhub" threatened to leak 497 gigabytes of data stolen from Sociedad de Ahorro y Crédito Constellación in El Salvador.

boAt Leak: A threat actor breached and leaked the personal information of over 7.5 million customers of Indian electronics vendor boAt. The company is investigating, but many customers have confirmed the data's authenticity. Leaked details include real names, addresses, emails, and phone numbers. The data was posted on the dark web, raising concerns about financial scams and phishing threats. Experts emphasize the risk of identity theft and urge affected customers to take enhanced security measures.

OpenTable to dox all its users: OpenTable, the website for booking tables at restaurants, is changing its rules. Starting May 22nd, your name and photo will be shown on any reviews you wrote in the past. You can't stop this from happening. OpenTable says you can change or delete your old reviews. But some people think they're just doing this to avoid problems with restaurants who don't like bad reviews.

Microsoft update: Windows 10 and 11 introduced a curious new driver called "UserChoice", which appears to prevent users from changing their default web browser. The driver seemingly achieves this by blocking modifications to the registry key associated with default browser settings. Whether this is an intentional feature or an unintended bug remains unclear.

Notepad++ needs help: The developers of Notepad++ are seeking assistance from users to combat a new website that is impersonating their brand. This fraudulent website is ranking high in search results, posing a threat to the reputation and integrity of Notepad++. They urge users to help identify and report the impersonating site to prevent potential harm to users.

Policy & Governance Perspectives

Pegasus Spyware: Poland's National Prosecutor's Office has confirmed that the previous ruling government used the notorious Pegasus spyware to target Krzysztof Brejza, a Polish Member of the European Parliament and key opposition figure. Brejza, who coordinated the opposition's strategy for the 2022 parliamentary elections, was reportedly subjected to repeated hacking attempts. CitizenLab researchers further allege that Brejza faced a barrage of "disinformation" after discovering the spying activities last year.

Ransomware Payments Notify: US lawmakers are taking aim at ransomware with a new bill that would require financial institutions to report any ransomware payments to the Treasury Department. Additionally, the proposed legislation, known as the Ransomware and Financial Stability Act, would prohibit financial institutions from fulfilling ransomware demands exceeding $100,000 without prior approval from law enforcement agencies. This bill, introduced by the US House Financial Services Committee, seeks to address the growing threat of ransomware attacks and their impact on financial stability.

Cybercrime and threat intel

World Cybercrime Index: Researchers at Oxford University have created the first-ever World Cybercrime Index, ranking countries based on their level of cybercrime activity. Unsurprisingly, Russia takes the top spot. However, the index throws up some surprises, with Romania landing at number 6, even ahead of North Korea, a notorious player in the cybercrime world known for its massive crypto heists and attacks on the SWIFT banking system.

Firebird/Hive RAT dev arrested: A 24-year-old Californian man, Edmond Chakhmakhchyan, has been arrested and charged with creating and distributing malware. The accused allegedly developed the "Firebird" remote access trojan (RAT) in 2020, later rebranding it as "Hive RAT" and selling it on hacking forums under the alias "Corruption." An alleged accomplice was also apprehended by Australian authorities. Chakhmakhchyan has pleaded not guilty and awaits trial in June.

Ex-Amazon gets 3 years in prison: A former Amazon security engineer, Shakeeb Ahmed, has been sentenced to three years in prison for orchestrating cryptocurrency thefts. Ahmed exploited vulnerabilities in blockchain contracts to steal $9 million from Cream Finance and an additional $3.6 million from Nirvana Finance. He attempted to mask his actions as vulnerability research, offering to return the stolen funds in exchange for substantial "bug bounties." Nirvana Finance ultimately ceased operations after failing to reach an agreement with Ahmed regarding the return of its assets.

Malware technical reports

Pikabot: Zscaler researchers are delving into the latest advancements in Pikabot's string obfuscation techniques. The analysis aims to shed light on how this malware family is adapting its methods to evade detection and analysis.

XZ Incident: Two weeks after the XZ backdoor incident came to light, cybersecurity firms are releasing comprehensive reports detailing their findings. SentinelOne was among the first to provide insights, and now Binarly and Kaspersky have followed suit with their own in-depth analyses. These reports offer valuable information about the backdoor's functionality, potential impact, and methods of mitigation.

New card skimmer: Researchers at Sucuri have discovered a new card skimmer that uses a novel cover: it imitates the Facebook Pixel analytics tool, rather than the usual disguise of a copied jQuery library or Google script. The finding sheds light on how cybercriminals are adapting their TTPs to pilfer private financial data.

Vulnerability Disclosure Digest

Zero-day Market Store: Vulnerability acquisition platform Crowdfense is now offering exorbitant payouts for zero-click exploits targeting popular products and platforms. They are willing to pay up to $9 million for SMS/MMS zero-click full chains on iOS, and between $5-$7 million for other iOS zero-click exploits. For Android zero-click full chains, they offer up to $5 million. Crowdfense also has prices of up to $3-$5 million for zero-click exploits in secure messaging apps like WhatsApp and Signal. The company had gone dormant but recently restructured operations and re-launched in late March with these new, significantly higher prices, reflecting the increasing difficulty of finding exploits as vendors improve product security.

[Figure: plot generated by Invaders.ie]

Ahoi attack: Discovered by academics, the Ahoi attack breaks the confidentiality of trusted execution environments (TEEs) used by cloud providers. It affects AMD SEV-SNP and Intel TDX, TEEs designed to host confidential virtual machines (CVMs). The attack exploits the notification system between the hypervisor and the guest OS. A successful attack allows threat actors to access data in the memory of other cloud tenants' VMs on the same hardware. This compromises the isolation and privacy guarantees offered by TEEs, potentially exposing sensitive data of cloud customers to malicious co-located virtual machines.

Hugging Face fixes: Wiz discovered two critical vulnerabilities in Hugging Face's AI platform that could allow threat actors to upload malicious models and gain cross-tenant access to customers' data. The issues involved their Inference API and CI/CD pipeline for hosting AI apps. Hugging Face worked with Wiz to implement fixes, including improved isolation, access controls, and deploying Wiz's cloud security solution. The findings highlight the need for robust security measures when operating multi-tenant AI services handling untrusted code and data.

Ivanti ConnectSecure exposed: Ivanti ConnectSecure VPN servers are currently facing a serious security vulnerability tracked as CVE-2024-21894. According to the Shadowserver Foundation, more than 16,500 ConnectSecure VPN appliances are exposed online and vulnerable to this remote code execution flaw. The vast majority of the vulnerable systems are located in the United States. Ivanti has released patches to address CVE-2024-21894 as well as several other vulnerabilities (CVE-2024-22052, CVE-2024-22053, and CVE-2024-22023) affecting their ConnectSecure and PolicySecure gateways. Organizations using these VPN products should urgently apply the latest security updates from Ivanti to mitigate the risk of potential exploitation.

V8 Sandbox in the Google VRP: The V8 Sandbox has been included in Google's Vulnerability Reward Program (VRP). Researchers can earn up to $5,000 for bypassing the sandbox, which isolates JavaScript code in Chrome. Google developed the V8 Sandbox after finding that many vulnerabilities targeted the V8 JavaScript engine, aiming to prevent exploits from impacting other process memory.

University of Winnipeg Incident: The University of Winnipeg in Canada suffered a major cyber attack in late March 2024. Hackers stole personal data of current and former employees and students, including names, social insurance numbers, addresses, compensation details, bank account information for some staff, and academic records of students enrolled since 2018. The university is providing two-year credit monitoring services and has notified law enforcement. While the full scope is still being investigated, this represents a significant breach impacting the entire university community. Officials have not disclosed whether it was a ransomware attack, but the incident disrupted network access and forced class cancellations.