ShapeShift.io Breached by Former Employee

This week, we cover the latest on two stories: ShapeShift.io Breached by Former Employee, and New Malware ‘GozNym’ Discovered by IBM Security Researchers.

Breach

ShapeShift.io Breached by Former Employee

ShapeShift.io, a Bitcoin exchange website, was hit by a security breach on April 7, which forced the website to suspend its operations indefinitely. The breach compromised the website’s server infrastructure, which threatened the integrity of all transactions on the platform. ShapeShift decided to suspend all operations in order to replace the server infrastructure and to make sure nothing is amiss. ShapeShift has been working to fix vulnerabilities, patch possible attack vectors, and resolve customer refunds in a timely manner. As of April 19, ShapeShift’s website is still down for maintenance.

ShapeShift also launched an investigation, with help from Ledger Labs, into who the actors behind this event were and how they managed to infiltrate ShapeShift’s systems. On April 13, ShapeShift CEO Erik Voorhees posted on Reddit: “Since the investigation into the ShapeShift hack last week started, we had suspicion that someone previously on the team was involved, and that this person assisted an outside hacker. We are confident now that is indeed the case.” Voorhees has not released who this former employee is, but is currently in the midst of a civil suit related to this case.

References: Digital Currency Exchange ShapeShift Claims Hack Was Inside Job | ShapeShift Bitcoin Trader Hack Was Inside Job, Says CEO | ShapeShift Update: Security Breach Could be an Inside Job

Mitigation Strategies:

Malware

New Malware ‘GozNym’ Discovered by IBM Security Researchers

The IBM X-Force research team has uncovered a new hybrid Trojan, dubbed ‘GozNym’, that is a combination of the known Nymaim dropper and the Gozi financial malware. The malware has been used to attack 24 different banks, credit unions, e-commerce platforms and retail banks in the United States and Canada since the start of April, and purportedly has stolen over $4 million from its victims. This malware is especially dangerous because it targets the actual customers, lying dormant on their computers until the user logs into their bank account, at which point the Trojan steals their sensitive information. The new hybrid malware leverages the stealth and persistence of the Nymaim dropper, while parts taken from the Gozi ISFB malware enable the Trojan to commit fraud via infected Internet browsers.

According to IBM, the ‘GozNym’ sample they investigated can currently be detected by most major antivirus vendors based on its signature. Despite this, the growing number of modifications and variants being observed, together with the fact that security bypass and antivirus evasion mechanisms are constantly changing, make it clear that bad actors are continually searching for new zero-day exploits to leverage.

References: New malware GozNym is stealing millions from U.S. bank account holders | New GozNym banking malware steals millions in just days | Hybrid Trojan “GozNym” Targets North American Banks

Mitigation Strategies:

  • IDS signatures would detect the intrusion, network anomalies, and possible data leakage.
  • Network traffic analysis to detect data exfiltration.
  • Web Application Firewalls (WAFs) could detect malicious activity attempting to penetrate web apps.

Top 20 IP Addresses

69.195.129.72
208.100.26.231
188.118.2.26
46.109.168.179
118.170.130.207
81.183.56.217
114.44.192.128
5.9.96.162
37.237.138.30
189.80.70.97
89.36.212.162
200.103.54.26
77.93.108.32
188.227.235.22
185.25.151.159
177.133.190.8
31.184.195.114
177.193.242.148
222.186.31.188
46.119.112.23

*IP addresses provided by Recorded Future.
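As an added example (not part of this newsletter, and not tooling from IBM or Recorded Future) of the network traffic analysis and indicator matching recommended in the GozNym mitigation list above, the following Python script checks outbound flow records against the 20 IP addresses listed above and flags internal hosts whose total outbound volume exceeds a threshold, as a simple data exfiltration check. The flow log format, the internal host addresses, the sample records and the byte threshold are all assumptions constructed for the example; the only values taken from the page are the 20 indicator IPs.

```python
"""Match outbound flow records against the newsletter's 20 indicator IPs and
flag hosts with unusually large outbound volume (a simple exfiltration check)."""
from collections import defaultdict
import ipaddress
import re

# The 20 IP addresses listed in the newsletter (provided by Recorded Future).
INDICATOR_IPS = frozenset({
    "69.195.129.72", "208.100.26.231", "188.118.2.26", "46.109.168.179",
    "118.170.130.207", "81.183.56.217", "114.44.192.128", "5.9.96.162",
    "37.237.138.30", "189.80.70.97", "89.36.212.162", "200.103.54.26",
    "77.93.108.32", "188.227.235.22", "185.25.151.159", "177.133.190.8",
    "31.184.195.114", "177.193.242.148", "222.186.31.188", "46.119.112.23",
})

# Constructed sample log (not real traffic). Assumed format, one flow per line:
#   <timestamp> <source IP> <destination IP> <bytes sent>
# Non-indicator destinations use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2016-04-19T10:00:01Z 10.0.0.5 198.51.100.10 512
2016-04-19T10:00:07Z 10.0.0.5 46.119.112.23 8192
2016-04-19T10:00:12Z 10.0.0.9 203.0.113.5 1024
2016-04-19T10:00:20Z 10.0.0.9 222.186.31.188 300
this line is malformed and must be skipped
2016-04-19T10:01:02Z 10.0.0.9 203.0.113.5 4000000
2016-04-19T10:01:09Z 10.0.0.7 198.51.100.10 256
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Parse one flow record; return None for malformed lines or invalid IPs."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, src, dst, nbytes = match.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)}


def parse_log(text):
    """Parse every line, dropping records that cannot be parsed."""
    records = (parse_line(line) for line in text.splitlines())
    return [rec for rec in records if rec is not None]


def find_indicator_hits(text, indicators=INDICATOR_IPS):
    """Return (source, destination, timestamp) for every flow to an indicator IP."""
    return [(rec["src"], rec["dst"], rec["ts"])
            for rec in parse_log(text) if rec["dst"] in indicators]


def outbound_bytes_by_host(text):
    """Sum bytes sent per internal source host."""
    totals = defaultdict(int)
    for rec in parse_log(text):
        totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def flag_exfiltration(text, threshold_bytes):
    """Hosts whose total outbound volume exceeds the (assumed) threshold."""
    return sorted(host for host, total in outbound_bytes_by_host(text).items()
                  if total > threshold_bytes)


if __name__ == "__main__":
    for src, dst, ts in find_indicator_hits(SAMPLE_LOG):
        print(f"{ts} indicator hit: {src} -> {dst}")
    totals = outbound_bytes_by_host(SAMPLE_LOG)
    for host in flag_exfiltration(SAMPLE_LOG, threshold_bytes=1_000_000):
        print(f"possible exfiltration: {host} sent {totals[host]} bytes")
```

Run against the constructed log, the script reports two indicator hits (10.0.0.5 to 46.119.112.23 and 10.0.0.9 to 222.186.31.188) and flags 10.0.0.9 for the volume check; malformed lines and invalid addresses are skipped rather than aborting the run. In practice the indicator set would be refreshed from the threat intelligence feed and the threshold tuned to each host's baseline.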