Topic: Hackers Exploiting 'Bitmessage' Zero-Day to Steal Bitcoin Wallet Keys

Palloy2 (Administrator)
Another new hack found, this time in the PyBitmessage v0.6.2 (Linux/Mac/Windows) message encryption client.
Since this only affects v0.6.2, it means it was introduced with an upgraded version, and NOT TESTED PROPERLY by the authors or the OS library inclusion maintainers.
Duh, so what's new.

https://thehackernews.com/2018/02/bitmessage-bitcoin-hackers.html
Hackers Exploiting 'Bitmessage' Zero-Day to Steal Bitcoin Wallet Keys
February 14, 2018
Swati Khandelwal

Bitmessage developers have warned of a critical 'remotely executable' zero-day vulnerability in the PyBitmessage application that was being exploited in the wild.

Bitmessage is a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users. Since it is a decentralized and trustless communications protocol, one need not inherently trust any entities like root certificate authorities.

For those who are unaware, PyBitmessage is the official client for the Bitmessage messaging service.

According to Bitmessage developers, a critical zero-day remote code execution vulnerability, described as a message encoding flaw, affects PyBitmessage version 0.6.2 for Linux, Mac, and Windows and has been exploited against some of their users.

    "The exploit is triggered by a malicious message if you are the recipient (including joined chans). The attacker ran an automated script but also opened, or tried to open, a remote reverse shell," Bitmessage core developer Peter Šurda explained in a Reddit thread.

    "The automated script looked in ~/.electrum/wallets [Electrum wallets], but when using the reverse shell, he had access to other files as well. If the attacker transferred your Bitcoins, please contact me (here on Reddit)."

Moreover, hackers also targeted Šurda. Since his Bitmessage addresses were most likely considered to be compromised, he suggested users not contact him at those addresses.

    "My old Bitmessage addresses are to be considered compromised and not to be used," Šurda tweeted.

Šurda believes that the attackers exploiting this vulnerability to gain remote access are primarily looking for private keys of Electrum bitcoin wallets stored on the compromised device, with which they could have stolen bitcoins.

Bitmessage developers have since fixed the vulnerability with the release of new PyBitmessage version 0.6.3.2.

So, if you are running an affected version of PyBitmessage, you are strongly advised to upgrade your software to version 0.6.3.2.

Since the vulnerability affects PyBitmessage version 0.6.2 and not PyBitmessage 0.6.1, you can alternatively consider, as suggested by Šurda, downgrading your application to mitigate potential zero-day attacks.

Although the developers did not reveal more details about the critical vulnerability, Šurda advised users to change all their passwords and create new Bitmessage keys, if they have any suspicion of their computers being compromised.

Binary files for Windows and OSX are expected to become available on Wednesday.

The investigation into these attacks is still ongoing, and we will update this article with more information as it becomes available.
« Last Edit: February 15, 2018, 02:03:13 PM by Palloy2 »
"The State is a body of armed men."
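The article gives three version facts (0.6.2 affected, 0.6.1 not affected, 0.6.3.2 fixed) and tells readers to upgrade or downgrade accordingly. The script below, an added example and not code from the article or from the PyBitmessage project, turns that into an inventory check that parses a version string, decides whether it falls in the affected range, and prints the corresponding advice. Two things are assumptions rather than facts from the page: that the client records its version in a `version.py` file as `softwareVersion = '...'` (the sample file body here is constructed), and that intermediate builds between 0.6.2 and 0.6.3.2 should be treated as affected, which is the conservative reading.

```python
"""Check whether a PyBitmessage install falls in the version range the
article describes as affected by the message-encoding RCE.

Added example, not code from the article or from the PyBitmessage project.
Version facts come from the article: 0.6.2 is affected, 0.6.1 is not, and
0.6.3.2 carries the fix. Treating everything from 0.6.2 up to (but excluding)
0.6.3.2 as affected is an assumption: a conservative reading that also flags
intermediate 0.6.3.x builds, which the article does not mention.
"""
import re

FIRST_AFFECTED = (0, 6, 2)
FIXED = (0, 6, 3, 2)

# Constructed sample of a version file. The file layout and the variable
# name `softwareVersion` are assumptions about the project, not something
# the article states.
SAMPLE_VERSION_PY = "softwareVersion = '0.6.2'\n"


def parse_version(text):
    """Turn '0.6.3.2' or 'v0.6.2' into a tuple of ints for ordered comparison."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)\s*$", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_source(source_text):
    """Extract the version string from a version.py-style file body."""
    m = re.search(r"softwareVersion\s*=\s*['\"]([^'\"]+)['\"]", source_text)
    if not m:
        raise ValueError("no softwareVersion assignment found")
    return m.group(1)


def is_affected(version):
    """True if FIRST_AFFECTED <= version < FIXED.

    Tuple comparison gives the ordering we want: (0, 6, 2) < (0, 6, 2, 1)
    and (0, 6, 3) < (0, 6, 3, 2), so 0.6.3 is still flagged while 0.6.3.2
    and later are not.
    """
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED


def advice(version):
    """Map a version to the action the article recommends."""
    if is_affected(version):
        return ("affected: upgrade to 0.6.3.2 "
                "(or downgrade to 0.6.1 as an interim measure)")
    if parse_version(version) < FIRST_AFFECTED:
        return "not affected (earlier than 0.6.2)"
    return "not affected (fixed release or later)"


if __name__ == "__main__":
    installed = version_from_source(SAMPLE_VERSION_PY)
    for v in ("0.6.1", "0.6.2", "0.6.3", "0.6.3.2", installed):
        print(v, "->", advice(v))
```

Run against a real install by reading the client's version file (or whatever the distribution's package metadata reports) instead of `SAMPLE_VERSION_PY`; the comparison logic is independent of where the string comes from.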

Golden Oxen
Re: Intel Did Not Tell US Cyber Officials about Chip Flaws until Made Public
« Reply #1 on: February 22, 2018, 04:02:06 PM »

Intel Did Not Tell US Cyber Officials about Chip Flaws until Made Public

Intel Corp. did not inform U.S. cyber security officials of the so-called Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet Inc. notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday.

Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities.

Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.

US-CERT, which issues warnings about cyber security problems to the public and private sector, did not respond to a request for comment.

The timing of the chip-flaw disclosures was detailed in letters sent by Intel, Alphabet and Apple Inc on Thursday in response to questions from Representative Greg Walden, an Oregon Republican who chairs the House Energy and Commerce Committee. The letters were seen by Reuters.

Alphabet said that security researchers at its Google Project Zero informed chipmakers Intel, Advanced Micro Devices Inc and SoftBank Group Corp-owned ARM Holdings of the problems in June.

It gave the chipmakers 90 days to fix the issues before publicly disclosing them, standard practice in the cyber security industry intended to give the targets of bugs time to fix them before hackers can take advantage of the flaws.

Alphabet said it left the decision of whether to inform government officials of the security flaws up to the chipmakers, which is its standard practice.

Intel said it did not inform government officials because there was "no indication that any of these vulnerabilities had been exploited by malicious actors," according to its letter.

Intel also said it did not perform an analysis of whether the flaws might harm critical infrastructure because it did not think it could affect industrial control systems. But Intel said that it did inform other technology companies that use its chips of the issue, according to its letter.

Intel, Alphabet and Apple could not immediately be reached for comment.

AMD, ARM, Microsoft Corp and Amazon.com Inc also responded to questions from lawmakers.

Microsoft said that it did inform several antivirus software makers about the flaws "several weeks" ahead of their public disclosure to give them time to avoid compatibility issues. AMD said that Alphabet extended the disclosure deadline from the standard 90 days twice, first to Jan. 3, then to Jan. 9.

© 2018 Thomson/Reuters. All rights reserved.

https://www.newsmax.com/finance/streettalk/intel-chip-flaws-public/2018/02/22/id/844942/

 
