APT-C-26 is an APT group that has been active since 2009. According to the research by an overseas security vendor, the group’s earliest attack may be associated with the “Operation Flame” which was a large-scale DDOS attack on Korean government’s website in 2007. Lazarus may also be the group behind the hacking incident of Sony Pictures in 2014, the data breach of the Bank of Bangladesh in 2016 and other infamous attacks such as the “Wannacry” ransomware that swept across the globe in 2017. Since 2017, the group has been expanding its targets of attack and increasingly aimed at economic interests. In earlier attacks, the group mainly targeted the banking system of traditional financial institutions. Now, it has begun to attack global cryptocurrency organizations and related individuals.

阅读全文 »

古河@360 Vulcan Team

综述

asset是EOS官方头文件中提供的用来代表货币资产（如官方货币EOS或自己发布的其它货币单位）的一个结构体。在使用asset进行乘法运算（operator *=）时，由于官方代码的bug，导致其中的溢出检测无效化。造成的结果是，如果开发者在智能合约中使用了asset乘法运算，则存在发生溢出的风险。

阅读全文 »

Yuki Chen of Qihoo 360 Vulcan Team

Description

The asset structure is defined in EOS’s system header file, it can be used to define the amount of some tokens (such as the official EOS token or some custom tokens defined by user). Recently we discovered a bug in asset’s multiplication operator（operator *=） which makes the integer overflow check in the function to have no effect. If a developer uses asset multiplication in his EOS smart contract, he may need to face the risk of integer overflow.

阅读全文 »

漏洞报告者

Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security

漏洞描述

我们发现了EOS区块链系统在解析智能合约WASM文件时的一个越界写缓冲区溢出漏洞，并验证了该漏洞的完整攻击链。 使用该漏洞，攻击者可以上传恶意的智能合约至节点服务器，在节点服务器解析恶意合约后，攻击者就能够在节点服务器上执行任意代码并完全控制服务器。 在控制节点服务器后，攻击者可以将恶意合约打包进新的区块，进而攻击和控制其他新的节点，最终攻击和控制整个EOS网络。

阅读全文 »

Vulnerability Credit

Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security

Vulnerability Description

We found and successfully exploit a buffer out-of-bounds write vulnerability in EOS when parsing a WASM file. To use this vulnerability, attacker could upload a malicious smart contract to the nodes server, after the contract get parsed by nodes server, the malicious payload could execute on the server and taken control of it. After taken control of the nodes server, attacker could then pack the malicious contract into new block and further control all nodes of the EOS network.

阅读全文 »

by 360核心安全

最近，360检测了一种新型攻击，黑客可以利用漏洞伪造算力，进而从矿池中窃取数字货币。

经过分析，我们发现此类攻击利用了一个equihash算法(equihashverify: https://github.com/joshuayabut/equihashverify) 实现上的逻辑漏洞。该漏洞可导致恶意矿工向z-nomp矿池提交虚假share，从而伪造自己的算力。从矿池中窃取诚实矿工的挖矿成果。由于目前许多新生数字货币均使用equihash算法进行工作量证明，且多数equihash矿池依赖于该equihashverify进行矿工算力校验，所以该漏洞严重已经影响多个数字货币矿池。

阅读全文 »

Report provided by 360 Core Security

Author: Zhiniang Peng

Recently, we detected a new type of attack which targets some equihash mining pools.
After analysis, we found out the attacked equihash mining pools are using a vulnerable equihash verifier (equihashverify : https://github.com/joshuayabut/equihashverify) to verify miners’ shares. There is a aere is alogic bugslogic vulnerability in this verifier, so attacker can easily fake mining shares which can bypass the equihash solution verifier without using so much computing power. This vulnerability has a wide impact because the verifier (equihashverify) is previously used by the zcash official open source mining pool (node-stratum-pool), and many new cryptocurrencies which use equihash as PoW algorithm are forked from this pool.

阅读全文 »