Hackers Systematically Drained $191 Million From Nomad Token Bridge
BlackCat took credit for ransomware attack against energy company, North Korean IT workers plagiarize online resumes to gain crypto jobs, Oz cops bar activists from using encrypted apps, much more
The Nomad token bridge, which allows transfers of tokens between Avalanche, Ethereum, Evmos, Milkomeda C1, and Moonbeam, experienced a security exploit that has allowed hackers to systematically drain virtually all of the bridge’s funds over a long series of transactions.
Nearly the entire $190.7 million in crypto has been removed from the bridge, with only $651.54 remaining in the wallet, according to decentralized finance (DeFi) tracking platform DefiLlama. But Nomad suggested that some of the funds were withdrawn by “white hat friends” who took them out intending to safeguard them.
The company said that at least some of the people who took funds were acting benevolently to protect the crypto from getting into the wrong hands. The team added that it had retained the services of “leading firms for blockchain intelligence and forensics.”
Nevertheless, the Moonbeam smart contract platform from the Polkadot network, whose native GLMR token was among those targeted in the Nomad exploit, went into maintenance mode at 11:18 pm UTC “to investigate a security incident.” As a result, Moonbeam’s functionality, such as regular user transactions and smart contract interactions, will be disabled.
The project revealed on Friday that Coinbase Ventures, OpenSea, and five other major companies in the crypto industry participated in an April seed round fundraising, which landed Nomad a $225 million valuation. (Brian Newar / Cointelegraph)
samczsun (@samczsun) 1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 https://t.co/Y7Q3fZ7ezm
The Alphv ransomware group, also known as BlackCat, took credit on its leak site for an alleged ransomware attack that began last week against Creos, a Luxembourg entity of energy company Encevo Group, the latest in a string of incidents involving European energy companies.
The attack took down customer portals for both companies but did not affect electricity and gas supply. The group claims to have stolen 150 GB of data, including contracts, passports, bills, and emails. They threatened to leak the data on Monday, but as of the afternoon, no data had been released. (Jonathan Greig / Bleeping Computer)
Researchers at Mandiant say that North Koreans are plagiarizing online resumes and pretending to be from other countries to get remote work at cryptocurrency firms to aid illicit money-raising efforts for the government.
The evidence detected by Mandiant reinforces allegations made by the Cybersecurity and Infrastructure Security Agency (CISA). CISA warned that North Korean IT workers are trying to obtain freelance employment abroad while posing as non-North Korean nationals to raise money for government weapons development programs.
Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers. (Jeff Stone / Bloomberg)
In a development that legal experts have criticized as “unusual” and “extreme,” authorities in Australia have imposed bail conditions on around 39 Blockade Australia climate protesters that prohibit them from using any encrypted messaging apps, like Signal or WhatsApp.
In April, the NSW parliament passed laws with steep fines and jail time for activities that “shut down major economic activity,” including protesting illegally on public roads, rail lines, tunnels, bridges, and industrial estates. The encryption ban states that “the defendant is prohibited from possessing or having access to an encrypted communications device and/or possessing an encrypted application/media application.”
However, large swathes of the internet are encrypted, encompassing apps from online banking to streaming services, leading to continuous worry about whether the activists are unwittingly running afoul of the rules by using their phones or the internet. (Ariel Bogle / ABC News)
Blockchain security firm Halborn issued a warning over a new phishing campaign that uses emails to trick users of the popular crypto wallet MetaMask into giving out their passphrases.
The campaign uses phishing emails that look authentic with a MetaMask header and logo and with messages that tell users to comply with Know Your Customer (KYC) regulations and how to verify their wallets. The phishing emails contain spelling errors and a fake sender’s email address and use a fake domain called metamaks.auction to send the emails. (Martin Young / Cointelegraph)
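The fake sender domain is the most mechanical of the indicators above, and it can be checked automatically. The following is an added example, not Halborn's tooling: it pulls the domain from a message's From: header and flags it when it is not the legitimate domain but its main label sits within a couple of edits of it (the legitimate domain metamask.io and the sample headers are assumptions; only the lookalike domain comes from the report).

```python
import re

# Legitimate sender domain to compare against (assumed for this example).
LEGIT_DOMAIN = "metamask.io"

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, kept inline so the example runs stand-alone."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw_headers: str) -> str:
    """Return the domain of the address in the From: header, or '' if none is found."""
    m = re.search(r"^From:.*?<?[\w.+-]+@([\w.-]+)>?", raw_headers, re.M | re.I)
    return m.group(1).lower() if m else ""

def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN, max_edits: int = 2) -> bool:
    """True when the domain is not the real one (or a subdomain of it) but its
    registrable label is within max_edits of the real label, e.g. metamaks vs metamask."""
    if domain == legit or domain.endswith("." + legit):
        return False
    label = domain.split(".")[-2] if "." in domain else domain
    return levenshtein(label, legit.split(".")[-2]) <= max_edits

# Constructed headers: the domain is the one Halborn reported, everything else is made up.
PHISH = "From: MetaMask Support <support@metamaks.auction>\nSubject: KYC verification required\n"
REAL = "From: MetaMask <noreply@metamask.io>\nSubject: Release notes\n"

if __name__ == "__main__":
    for hdr in (PHISH, REAL):
        d = sender_domain(hdr)
        print(d, "LOOKALIKE" if is_lookalike(d) else "ok")
```

The check only catches edit-distance typosquats; a domain that merely contains the brand name as a subdomain would need a separate rule.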
A ransomware attack on printing and mailing services provider OneTouchPoint, which provides its services to several health insurance carriers and medical providers, is having several downstream effects on its customers, prompting it to release a data breach notice last week on behalf of 34 healthcare organizations.
In a notice dated July 27, the company said it discovered encrypted files on certain computer systems on April 28. More than a month later, the company determined that it “would be unable to determine what specific files the unauthorized actor viewed within the OTP network.” The company notified its customers on June 3, saying that the attack exposed names, subscriber ID numbers, diagnoses, medications, addresses, dates of birth, sexes, physician demographics information, family histories, social histories, allergies, vitals, immunizations, and more. (Jonathan Greig / The Record)
Youssef Mohamed, chief technology officer at pen-testing and dark web monitoring startup Buguard, said that hackers had access to dashboards to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy.
Wiseasy’s Android-based payment terminals are used in restaurants, hotels, retail outlets, and schools across the Asia-Pacific region, and the company can remotely manage, configure, and update customer terminals over the internet. Mohamed said two cloud dashboards were exposed, and neither was protected with basic security features, such as two-factor authentication, which allowed hackers to access nearly 140,000 Wiseasy payment terminals worldwide.
Buguard first contacted Wiseasy about the compromised dashboards in early July, but efforts to disclose the compromise were met with meetings with executives that were later canceled without warning. According to Mohamed, the company declined to say if or when the cloud dashboards would be secured. The company confirmed it remediated the issues and added two-factor authentication to the dashboards, but it’s unclear if it notified customers of the security lapse. (Zack Whittaker / TechCrunch)
Researchers at CloudSEK uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users' Twitter accounts that are associated with the app.
The leak of API keys is commonly the result of mistakes by app developers who embed their Twitter API authentication keys in the app during development but forget to remove them when the mobile app is released. One of the most common scenarios for abuse would be for a threat actor to use these exposed tokens to create a Twitter army of verified (trustworthy) accounts with large numbers of followers to promote fake news, malware campaigns, cryptocurrency scams, etc.
Impacted applications include those with between 50,000 and 5,000,000 downloads, including city transportation companions, radio tuners, book readers, event loggers, newspapers, e-banking apps, cycling GPS apps, and more. Most applications publicly exposing their API keys haven't even acknowledged receiving CloudSEK's notices a month after the cybersecurity firm alerted them, and most haven't addressed the issues. One notable exception was Ford Motors, which responded and deployed a fix on the 'Ford Events' app that was also leaking Twitter API keys. (Bill Toulas / Bleeping Computer)
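A release-time check for exactly this mistake, as an added example that is not CloudSEK's tooling: it scans an Android res/values/strings.xml body for resources whose name hints at a credential and whose value has the shape of a Twitter v1.1 key, then uses Shannon entropy to ignore placeholders. The credential shapes are assumed from common secret-scanner rules, and the sample strings.xml and every value in it are constructed.

```python
import math
import re
import xml.etree.ElementTree as ET

# Shape of each Twitter v1.1 credential type (assumed; based on common secret-scanner rules).
SHAPES = {
    "consumer_key": re.compile(r"^[A-Za-z0-9]{25}$"),
    "consumer_secret": re.compile(r"^[A-Za-z0-9]{50}$"),
    "access_token": re.compile(r"^[0-9]{15,25}-[A-Za-z0-9]{20,40}$"),
    "access_token_secret": re.compile(r"^[A-Za-z0-9]{45}$"),
}
# Only resources whose name hints at a credential are considered, to keep noise down.
HINT = re.compile(r"twitter|consumer|oauth|api[_-]?(key|secret)|access[_-]?token", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character: real keys are random, placeholders like 'xxxx' are not."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def classify(name: str, value: str):
    """Return the credential type for a (name, value) pair, or None if it looks harmless."""
    if not HINT.search(name):
        return None
    for kind, shape in SHAPES.items():
        if shape.match(value) and shannon_entropy(value) > 3.0:
            return kind
    return None

def scan_strings_xml(xml_text: str):
    """Scan an Android res/values/strings.xml body; returns [(resource name, kind), ...]."""
    hits = []
    for node in ET.fromstring(xml_text).iter("string"):
        kind = classify(node.get("name", ""), (node.text or "").strip())
        if kind:
            hits.append((node.get("name"), kind))
    return hits

# Constructed strings.xml for a fictional transit app; every value below is made up.
SAMPLE_STRINGS_XML = """<resources>
  <string name="app_name">CityTransit Companion</string>
  <string name="twitter_consumer_key">Ab3dE6fGh9IjKl2MnOp5QrSt8</string>
  <string name="twitter_consumer_secret">zY9xW8vU7tS6rQ5pO4nM3lK2jI1hG0fEdCbA9876543210ZYXW</string>
  <string name="twitter_access_token">1234567890123456-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd</string>
  <string name="twitter_consumer_key_todo">xxxxxxxxxxxxxxxxxxxxxxxxx</string>
  <string name="twitter_share_text">Check out my trip on CityTransit!</string>
  <string name="support_email">support@example.com</string>
</resources>"""

if __name__ == "__main__":
    for name, kind in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: shaped like a Twitter {kind}; revoke it and move the API call server-side")
```

A hit means the key should be revoked, not merely deleted from the next build, since every shipped copy of the app still carries it.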
Researchers at Group-IB uncovered a massive network of more than 11,000 domains used to promote numerous fake investment schemes to users in Europe.
The platforms show fabricated evidence of enrichment and falsified celebrity endorsements to create an image of legitimacy and lure in a larger number of victims. Victims are pitched an opportunity for high-return investments and convinced to deposit a minimum of 250 EUR ($255) to sign up for the fake services. More than 5,000 identified malicious domains are still active, with the UK, Belgium, Germany, the Netherlands, Portugal, Poland, Norway, Sweden, and the Czech Republic the primary target countries. (Bill Toulas / Bleeping Computer)
The Kremlin-friendly Life website said that Russian hackers have launched "a new type of attack" on American military company Lockheed Martin, which makes the M142 High Mobility Artillery Rocket System (HIMARS) that the U.S. has supplied to Ukraine.
The pro-Moscow news organization reported that the cyberattack by the Killnet and Killmilk hacker groups took place at 7 a.m. on Monday. The groups said the rocket systems, credited by the Ukrainians with shifting the balance in the war against Russia, had been responsible for thousands of deaths. (Jack Dutton / Newsweek)
Russian oligarch Dmitry Rybolovlev hired a team of private agents to spy on a romantic partner in New York, Las Vegas, and Los Angeles in late 2015, according to a trove of thousands of documents acquired by Forensic News.
The multi-billionaire used an offshore company to pay the private intelligence company, Arcanum, more than $1 million per month. In addition to massive physical surveillance, Arcanum agents apparently gained access to the romantic partner’s flight records. The firm also used body cameras on private property to confirm that the romantic partner was staying at a friend’s house in Los Angeles. (Scott Stedman and Jackie Singh / Forensic News)
Scott Stedman (@ScottMStedman): “Have you managed to locate the target?” Rybolovlev's attorney texted an executive at the private intelligence company Arcanum. “Working,” the executive replied, “will let you know as soon as I have something.” Straight out of a dystopian movie. https://t.co/eYlO0b1la3
Researchers at McAfee discovered on the Google Play Store a new malware strain called HiddenAds capable of starting on its own after users download one of the affected apps.
Unlike other malicious apps that need to be opened first, apps containing the HiddenAds malware begin running malicious services automatically after installation. They also continuously show advertisements on a victim’s Android smartphone and are difficult to remove once installed. Thirteen apps containing the HiddenAds malware alone have been downloaded millions of times. McAfee shared its findings with Google, and the apps have since been removed. (Anthony Spadafora / Tom’s Guide)
Israeli government-appointed investigators determined that the police broke the law in obtaining information from Israelis’ smartphones and did not inform the Justice Ministry, but they did not engage in illegal hacking.
The investigators said there was no indication that the police illegally hacked the phones of Israelis mentioned in the media using the Pegasus spyware of the Israeli company NSO Group. However, they said the police gained access to information they were not legally allowed to access, such as calendar entries and phone contact lists. (Chen Maanit / Haaretz)
Pittsburgh-based health system Allegheny Health Network (AHN) said it experienced a “data security incident” between May 31 and June 1 in which a threat actor obtained access to files relating to about 8,000 patients.
AHN said it had not discovered any evidence that the data potentially accessed has been used fraudulently. Potentially compromised data includes patient name, date of birth, medical records, address, patient phone number, driver’s license number, and email address. Social Security numbers and financial account information may have been compromised in some cases. (Duncan Riley / Silicon Angle)
An aide to former Russian president Dmitry Medvedev said Tuesday that the politician’s social media account on popular Russian social network VKontakte had been “hacked” after a post was published questioning the sovereignty of former Soviet countries.
The post called ex-Soviet Kazakhstan an “artificial state” and accused the Central Asian country of committing “genocide” on its Russian population. The post also said that the Caucasus nation of Georgia “didn’t exist” before becoming part of the Russian empire in the 19th century. (AFP)
Related: Moscow Times