IMCAFS

August security incidents, part one

Posted by punzalan at 2020-02-27
Wenweishiqi / Murasaki / lazy little fat house

0x01 Bitcoin exchange Bitfinex hacked, losses in the hundreds of millions of RMB

Bitfinex, a bitcoin exchange, recently announced that it would take the site offline for several days to deal with a security breach.

On Bitfinex, users can register and trade a range of cryptocurrencies. Going by its Alexa ranking the site is not yet widely known, but its popularity has been rising.

Some time before the announcement, the site had been receiving complaints from users who said funds had been stolen from their accounts. On August 2, Bitfinex engineers found a vulnerability through which attackers could steal user funds. Bitfinex then announced the shutdown and posted a notice on the site stating that user funds would be frozen in the meantime.

A statement posted by someone identifying as Bitfinex staff later confirmed that about 119,756 BTC had been stolen, worth roughly $67 million (440 million yuan) at the time, and that a 36.067% loss would be applied across every user's account balance. That would make it the second-largest theft in bitcoin's history.

So far Bitfinex has found only bitcoin to be missing; no other cryptocurrency has been reported stolen.

0x02 Blizzard hit by DDoS again, League of Legends also down

On August 3, Blizzard's European and North American servers, as well as the North American servers of League of Legends, were knocked offline by an attack. A hacker group calling itself PoodleCorp then claimed responsibility on Twitter, saying it had launched DDoS attacks against some Blizzard and League of Legends servers.

Blizzard subsequently confirmed that its servers had been attacked.

PoodleCorp later announced that it would move its attacks elsewhere. The group claims to have successfully taken down the servers of many well-known companies, including League of Legends, Battle.net, Pokémon Go and Pornhub.

In the first half of this year alone, Blizzard suffered at least three large-scale DDoS attacks, the largest of which came from the well-known hacker group Lizard Squad.

0x03 New attack technique can steal user data from HTTPS sites

Security researchers recently showed how an advertisement served on http://nytimes.com could be used to attack other sites served over HTTPS.

First, some background. HTTPS (HTTP over SSL/TLS) is HTTP carried over an encrypted channel. The only real difference from plain HTTP is the added SSL/TLS layer, so it can be thought of as the secure version of HTTP. It is now widely used for security-sensitive traffic, and security has always been its selling point.

Now, however, the technique named HEIST lets an attacker steal a target user's encrypted personal data without being able to observe the user's network traffic at all. The attack is delivered by hiding a seemingly harmless JavaScript file in a web advertisement or a web page, with no man-in-the-middle position required. What the script does is measure the size of cross-origin HTTPS responses from inside the browser, by timing them; that measurement is exactly what the earlier CRIME and BREACH compression attacks needed a network vantage point for. Compared with those attacks, HEIST therefore removes more of the preconditions: all that is needed is to lure the target user to a malicious page.

Tom Van Goethem, one of the researchers who developed the technique, said in an interview: "The existence of HEIST makes many other attack techniques easier to carry out. Previously, to mount certain kinds of attacks (such as CRIME and BREACH), an attacker also had to resort to something like a man-in-the-middle position. Now they only need to lure the target user to a malicious website to pull the attack off."

As for defending against it, Van Goethem said: "The only way I currently know of to mitigate this attack is to disable third-party cookies. Then the responses an HTTPS site sends back are no longer tied to the target user." Most web browsers enable third-party cookies by default, and some online services even require them to function at all.

In other words, there is currently no good defence against HEIST, and the basic defences most sites deploy are of little help. If HEIST is ever used at scale there is no ready fix, so a wave of related incidents is a real possibility.

For a technical analysis of the attack, see http://bobao.360.cn/news/detail/3408.html

0x04 High-risk Qualcomm vulnerabilities disclosed, up to 900 million Android devices affected

Security researchers have found a set of serious Android vulnerabilities in the drivers for Qualcomm chipsets, affecting more than 900 million Android devices. Worse, most of the affected devices may never receive a fix.

Researchers from Check Point disclosed the four new vulnerabilities at the DEF CON 24 security conference in Las Vegas, under the collective name "QuadRooter". They affect Android devices built on Qualcomm chipsets running Android 6.0 and earlier, and an attacker who exploits them gains full control of the device.

The four vulnerabilities are:

1. CVE-2016-2503: in the Qualcomm GPU (KGSL) driver; fixed.

2. CVE-2016-2504: in the Qualcomm GPU (KGSL) driver; fixed.

3. CVE-2016-2059: in Qualcomm's IPC router kernel module; fixed.

4. CVE-2016-5340: in Qualcomm's ashmem (Android shared memory) module; fixed.

An attacker only needs a simple malicious app. Once it is installed on the target device it can obtain root directly, which means complete control of the device without any further user interaction.

Many devices are affected; the better-known ones include:

- Samsung Galaxy S7, Samsung Galaxy S7 Edge

- Sony Xperia Z Ultra

- OnePlus One, OnePlus 2, OnePlus 3

- Google Nexus 5X, Nexus 6, Nexus 6P

- Blackphone 1, Blackphone 2

- HTC One, HTC One M9, HTC 10

- LG G4, LG G5, LG V10

- New Moto X (Motorola)

- BlackBerry Priv

That is certainly not the full list; there are far too many to enumerate.

Android's security situation has long been worrying: a single vulnerability can often affect a huge number of devices through a simple attack, and a large share of those devices will likely never be patched. Fortunately this set was found by security researchers (white hats) and has been fixed; the consequences of large-scale malicious exploitation would otherwise be hard to imagine.

Qualcomm's chips have been producing a steady stream of vulnerabilities lately. Even the mainstream mobile CPU and GPU vendors have plenty to strengthen on the security side, and that goes doubly for a number of domestic manufacturers.

* Check Point's QuadRooter report: https://www.checkpoint.com/resources/quadrooter-vulnerability-enterprise/

* Google Project Zero write-up on an earlier, comparable GPU-driver bug (NVIDIA nvmap): http://googleprojectzero.blogspot.jp/2015/01/expanding-nvmap-to-escape-chrome.html

* Patch: https://android.googlesource.com/kernel/msm/+/973f4134d9deb396415846f902848f0a32cb4cfa

0x05 NSA hacked, its hacking tools leaked

On August 15, an unknown hacker (or group) posted a statement online claiming to have broken into the "Equation Group", a group widely believed to be closely tied to the NSA, and dumped a haul of its material: malware, private exploits and assorted hacking tools. Hard to believe as it sounds, security experts who examined the leaked data say the tools are genuine.

The hackers demanded bitcoin worth $568 million for the leaked tools and data

More precisely, the hackers, who call themselves the "Shadow Brokers", are asking for 1 million bitcoin (roughly $568 million) in an auction to release "the best" of the tools and more data.

Kaspersky, the security firm that first described the Equation Group, has long regarded it as an NSA unit, describing it as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques" over the past two decades.

The Equation Group, a US government-sponsored hacking group, is also believed to be linked to the infamous Regin and Stuxnet attacks, though that has never been confirmed.

Two days earlier (August 13), the Shadow Brokers had posted files on GitHub and Tumblr that they claimed came from the Equation Group (the posts have since been removed), and showed part of the contents of a document they referred to as the "firewall leak in China and the United States".

The files contain installation scripts, command-and-control server configurations, and what appear to be exploits used in APT attacks against US firewall and router vendors (Cisco, Juniper, Fortinet).

According to the leaked documents, the Chinese company Topsec was also among the Equation Group's targets.

Some of the tool names that appeared in the documents Edward Snowden leaked, such as BANANAGLEE and EPICBANANA, also turn up in these files.

"We followed the Equation Group's traffic," the Shadow Brokers wrote. "We found their source range, then hacked them, and we found many of their cyber-weapons. Look at the pictures. We are releasing some of their files for free; isn't that the best proof?"

Although the files' authenticity has not been verified, many security experts are inclined to believe them:

"I haven't tested the exploits yet, but they certainly look like real ones," Matt Suiche, founder of the UAE security firm Comae Technologies, told the Daily Dot.

Others, however, think the leak may simply be an elaborate prank, with the bitcoin auction just a way to distract the media.

"If it's a prank, whoever did it put a lot of effort into it," the security researcher the Grugq told reporters, since the leaked files all look plausible.

So far it has been confirmed that the released Fortinet and Cisco exploit code works.

One video shows the published SNMP exploit being used to take privileged-mode control of a Cisco ASA device without any password.

(video: http://v.youku.com/v_show/id_XMTY4NzgxNTM0MA==.html)

File download: https://mega.nz/#!zeau1aql!owj63n-d6lcucq4ay0cv_hx8kn7mesa1ilh5ujku (letter case lost in extraction; the upload was subsequently taken down)

Archive password: theequationgroup
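The post does not name the ASA bug or its patch, so the only thing worth adding here is the generic pre-patch mitigation for any exploit delivered over SNMP: limit who can reach the agent at all. The fragment below is an added, hypothetical Cisco ASA configuration written for this article (not from the leak, the video or Cisco), showing the weak setting beside the hardened one. Interface names, addresses, community strings, group and user names and the passphrase placeholders are all assumptions.

```text
! Weak: SNMPv2c with a guessable community, and an NMS host on the untrusted
! side. Anyone who can reach UDP/161 on "outside" and knows the community
! can talk to the SNMP agent, which is the surface an SNMP-side exploit drives.
snmp-server community public
snmp-server host outside 203.0.113.10 community public version 2c

! Hardened: v2c removed; SNMPv3 with authentication and encryption; polling
! accepted only from a single management host on the inside interface.
! (The ASA only answers SNMP from hosts listed with "snmp-server host".)
no snmp-server community public
no snmp-server host outside 203.0.113.10
snmp-server group MGMT-RO v3 priv
snmp-server user monitor MGMT-RO v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
snmp-server host inside 10.0.0.5 poll version 3 monitor

! Check what is actually exposed before and after the change:
show running-config snmp-server
show snmp-server statistics
```

Restricting the allowed hosts is what matters before a vendor patch is available: it applies whatever SNMP version is in use, and a management-only interface that is not reachable from user or Internet-facing segments removes the precondition the video's exploit relies on.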

————————————————————————————————————

Aside

The roundup of major incidents will resume once I have recovered physically.

On friends' advice this article has been simplified considerably, with the code and the more involved analysis removed (most readers could not follow it, and it made the piece long-winded).

Suggestions are welcome in the comments.

Also, major incidents keep coming all year round.

This article may not be reprinted in any form without permission; anyone who does so bears the consequences.

Bow.

By Wei seventeen