SlowMist's Yu Xian (Cos)

SlowMist's Yu Xian (Cos): Wallet whitelisting combined with a hardware wallet for dual verification can resist "transaction history pollution attacks"

ChainCatcher news: SlowMist's Yu Xian disclosed that address-poisoning phishing using addresses whose leading and trailing characters match a victim's counterparty is still widespread and is seriously undermining the security infrastructure of the blockchain industry. Yu Xian pointed out that this kind of poisoning, which targets a wallet's transaction history, relies on several techniques: fake token contract code that emits forged event logs to deceive block explorers and wallets, and zero-amount transfer event logs whose from/to fields can be filled with arbitrary addresses. Both can mislead users into believing the transactions resulted from their own actions. Other common techniques include sending small amounts of funds from source addresses whose leading and trailing characters match, combining this with clipboard hijacking, and impersonating well-known decentralized exchanges to emit forged event logs. Yu Xian recommends that users make good use of wallet whitelisting, carefully verify the complete address, and pair the wallet with a well-known hardware wallet for dual verification. As previously reported, two addresses suffered "transaction history pollution attacks" within 14 hours, with total losses exceeding $140,000.
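The two defensive points above, exact whitelist matching and treating history entries as untrusted, can be checked mechanically. The following is an added example written for this page, not code from SlowMist or ChainCatcher: it flags Transfer-style events that show the poisoning hallmarks described (zero-amount transfers, events emitted by an unknown token contract, sender or recipient addresses that mimic the head and tail of a trusted address) and it only accepts a recipient that matches a whitelist entry on all 40 hex characters. All addresses and events are constructed sample data.

```python
import re
from dataclasses import dataclass

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate a 20-byte EVM address and lower-case it so comparisons are exact."""
    if not HEX_ADDRESS.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


@dataclass(frozen=True)
class TransferEvent:
    token: str      # contract that emitted the Transfer log
    sender: str     # 'from' field of the log
    recipient: str  # 'to' field of the log
    amount: int     # token units; zero-amount transfers are a poisoning hallmark


def looks_alike(addr: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when addr shares the visible head and tail of a trusted address but is not it."""
    a, t = normalize(addr)[2:], normalize(trusted)[2:]
    return a != t and a[:prefix] == t[:prefix] and a[-suffix:] == t[-suffix:]


def flag_event(event: TransferEvent, wallet: str, whitelist, known_tokens) -> list[str]:
    """Return the poisoning indicators found on one history entry (empty list = clean)."""
    reasons = []
    wallet = normalize(wallet)
    trusted = {normalize(w) for w in whitelist} | {wallet}
    known = {normalize(t) for t in known_tokens}
    if normalize(event.token) not in known:
        reasons.append("emitted by unknown token contract")
    if event.amount == 0:
        reasons.append("zero-amount transfer")
    for t in sorted(trusted):
        if looks_alike(event.sender, t):
            reasons.append(f"sender mimics {t}")
        if looks_alike(event.recipient, t):
            reasons.append(f"recipient mimics {t}")
    return reasons


def select_counterparty(candidate: str, whitelist) -> str:
    """Accept an address only on an exact, full-length whitelist match; never head/tail."""
    c = normalize(candidate)
    if c not in {normalize(w) for w in whitelist}:
        raise ValueError("address is not whitelisted; verify all 40 hex characters before sending")
    return c


# Constructed sample data (hypothetical addresses, not real ones).
WALLET = "0x" + "1" * 40
PARTNER = "0xabcd" + "0" * 32 + "1234"      # trusted counterparty
LOOKALIKE = "0xabcd" + "f" * 32 + "1234"    # same head and tail, different middle
KNOWN_TOKEN = "0x" + "a" * 40
FAKE_TOKEN = "0x" + "b" * 40
WHITELIST = [PARTNER]

SAMPLE_HISTORY = [
    TransferEvent(KNOWN_TOKEN, WALLET, PARTNER, 1000),     # genuine payment
    TransferEvent(KNOWN_TOKEN, WALLET, LOOKALIKE, 0),      # zero-amount poisoning entry
    TransferEvent(FAKE_TOKEN, WALLET, LOOKALIKE, 1000),    # fake token contract, forged log
    TransferEvent(KNOWN_TOKEN, LOOKALIKE, WALLET, 1),      # dust sent from the lookalike
]


def run_demo() -> list[list[str]]:
    """Flag every entry of the constructed history."""
    return [flag_event(e, WALLET, WHITELIST, [KNOWN_TOKEN]) for e in SAMPLE_HISTORY]


if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_HISTORY, run_demo()):
        print(event.recipient, reasons or "clean")
```

Only the exact-match path in `select_counterparty` should ever feed an outgoing transaction; the indicator list is for review, and a hardware wallet's on-device address display remains the second check the article calls for.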

SlowMist's Yu Xian (Cos): Users need to pay attention to the permissions browser extensions request and keep an isolation mindset

ChainCatcher news: SlowMist's Yu Xian posted on platform X: "An extension can be malicious, for example by stealing cookies from the target page, private data in localStorage (such as account permission information or private key information), DOM tampering, request hijacking, clipboard content retrieval, etc. The relevant permission configurations are made in manifest.json. If users are not careful about the permissions an extension requests, it can be troublesome. However, for an extension to be malicious and directly target other extensions, such as well-known wallet extensions, is still not easy... because of sandbox isolation... For example, it is unlikely to directly steal private key/mnemonic-related information stored in the wallet extension. If you are concerned about the permission risks of a certain extension, it is actually easy to assess this risk. After installing the extension, you can choose not to use it at first, check the extension ID, search for the local path on your computer, and find the manifest.json file in the root directory of the extension. You can then directly hand the file content to an AI for a permission risk interpretation. If you have an isolation mindset, you might consider enabling a separate Chrome Profile for unfamiliar extensions, at least making malicious actions controllable; most extensions do not need to be enabled all the time."
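The manifest.json review Yu Xian describes can also be done without an AI. The following is an added example written for this page, not code from SlowMist or any extension project: it reads a manifest (Manifest V2 or V3), maps the permissions he names (cookies, clipboard, request interception, DOM injection) to a severity, and flags broad host patterns such as `<all_urls>`. The severity table and the two sample manifests are constructed for the example; the permission names themselves are standard Chrome extension permissions.

```python
import json
from pathlib import Path

# Severity notes constructed for this example; adjust to your own risk appetite.
RISKY_PERMISSIONS = {
    "cookies": ("high", "can read session cookies on any site it has host access to"),
    "clipboardRead": ("high", "can read clipboard contents, e.g. a copied wallet address"),
    "webRequest": ("high", "can observe HTTP requests, including API calls and responses"),
    "webRequestBlocking": ("high", "can block or modify HTTP requests (request hijacking)"),
    "declarativeNetRequest": ("medium", "can rewrite or redirect requests by rule"),
    "scripting": ("high", "can inject scripts into pages (DOM tampering)"),
    "tabs": ("medium", "can see the URL and title of every open tab"),
    "debugger": ("high", "attaches the DevTools protocol to pages"),
    "nativeMessaging": ("high", "can talk to native programs outside the browser sandbox"),
    "storage": ("low", "extension-local storage only"),
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def review_manifest(manifest: dict) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for the permissions a manifest requests."""
    findings = []
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms - hosts):
        if p in RISKY_PERMISSIONS:
            sev, note = RISKY_PERMISSIONS[p]
            findings.append((sev, f"permission {p}: {note}"))
        else:
            findings.append(("low", f"permission {p}: not in the review table, check manually"))
    for h in sorted(hosts):
        sev = "high" if h in BROAD_HOSTS else "medium"
        findings.append((sev, f"host access {h}"))
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            if m in BROAD_HOSTS:
                findings.append(("high", f"content script runs on {m} (DOM access to every page)"))
    return findings


def overall_risk(findings: list[tuple[str, str]]) -> str:
    """Highest severity among the findings, or 'low' when there are none."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="low")


def review_manifest_file(path: str) -> list[tuple[str, str]]:
    """Review the manifest.json found at the extension's root directory."""
    return review_manifest(json.loads(Path(path).read_text(encoding="utf-8")))


# Constructed sample manifests (hypothetical extensions).
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Helper",
    "permissions": ["cookies", "clipboardRead", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Docs Theme",
    "permissions": ["storage"],
    "host_permissions": ["https://docs.example.test/*"],
})


if __name__ == "__main__":
    for sev, text in review_manifest(json.loads(SUSPICIOUS_MANIFEST)):
        print(f"[{sev}] {text}")
```

A manifest rated high is the case for the separate Chrome Profile Yu Xian suggests: the extension can still do everything its permissions allow, but only inside a profile that holds no wallet or exchange sessions.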

SlowMist's Yu Xian (Cos): The attacker behind the CEX theft is confirmed to be the North Korean hacker group Lazarus Group; its attack methods have been disclosed

ChainCatcher news: SlowMist founder Yu Xian posted on social media, "Through forensic analysis and correlation tracking, we confirm that the attackers behind the CEX theft incident are the North Korean hacker group Lazarus Group. This is a nation-state APT attack targeting cryptocurrency trading platforms. We have decided to share the relevant IOCs (Indicators of Compromise), which include some IPs of cloud service providers, proxies, etc. It is important to note that this disclosure does not specify which platform or platforms were involved, nor does it mention Bybit; if there are similarities, it is indeed not impossible." The attackers used pyyaml for RCE (remote code execution), delivering malicious code to take control of target computers and servers; this method bypassed most antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The attackers' main goal is to gain control over wallets by infiltrating the infrastructure of cryptocurrency trading platforms and then illegally transferring large amounts of cryptocurrency assets out of those wallets. SlowMist published a summary article revealing the Lazarus Group's attack methods, analyzing its use of social engineering, vulnerability exploitation, privilege escalation, internal network penetration and fund transfer tactics. Based on real cases, it also summarized defensive recommendations against APT attacks, hoping to provide a reference for the industry and help more institutions strengthen their security capabilities and reduce the impact of potential threats.
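The pyyaml RCE vector mentioned above exists because PyYAML's full loader honours language-specific tags that construct arbitrary Python objects; the fix on the defending side is to parse untrusted YAML only with `yaml.safe_load` (or `yaml.load` with `Loader=yaml.SafeLoader`) and, ideally, to reject documents carrying non-core tags before they reach any loader at all. The following is an added example written for this page, not code from SlowMist or the article it summarizes: a standard-library gate that lists any tag outside the YAML core schema, followed by a loader that only calls `yaml.safe_load` for documents that passed the gate. The two YAML documents are constructed samples; the `!!python/name:` tag in the second is PyYAML's real tag prefix, used here only so the gate has something to reject.

```python
import re

# Tags of the YAML core schema that a safe loader understands; everything else is rejected.
SAFE_TAGS = {
    "!!str", "!!int", "!!float", "!!bool", "!!null", "!!map", "!!seq",
    "!!set", "!!omap", "!!binary", "!!timestamp",
}

# A tag token starts with '!' at the beginning of a line or after whitespace / flow punctuation.
# Quoted strings containing ' !' will also match; the gate fails closed, which is the point.
TAG_TOKEN = re.compile(r"(?:^|(?<=[\s\[{,:]))(![^\s\[\]{},]*)")


def find_unsafe_tags(text: str) -> list[str]:
    """Return every tag in the document that is not part of the core schema."""
    return sorted({m.group(1) for m in TAG_TOKEN.finditer(text) if m.group(1) not in SAFE_TAGS})


def load_untrusted_yaml(text: str):
    """Parse YAML from an untrusted source: gate on tags first, then use the safe loader only."""
    bad = find_unsafe_tags(text)
    if bad:
        raise ValueError(f"rejected YAML carrying non-core tags: {bad}")
    import yaml  # PyYAML; reached only for documents that passed the gate
    # Never yaml.load(text) with the default or UnsafeLoader on untrusted input.
    return yaml.safe_load(text)


# Constructed sample documents.
GOOD_DOC = """\
service: wallet-signer
replicas: !!int "3"
debug: !!bool "false"
hosts:
  - api.example.internal
"""

BAD_DOC = """\
service: wallet-signer
hook: !!python/name:builtins.len
"""


if __name__ == "__main__":
    print("good:", find_unsafe_tags(GOOD_DOC) or "no non-core tags")
    print("bad: ", find_unsafe_tags(BAD_DOC))
```

The gate is a cheap first line that also gives you a log line to alert on (a `!!python/` tag arriving in a config or update file is a strong detection signal); the `yaml.safe_load` call is the actual control, and the two should be used together rather than either alone.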