Security vulnerabilities in cryptocurrency wallets and new malware being developed in the industry put the security of your bitcoins at risk.
Coldcard, a Bitcoin-only hardware wallet, has a vulnerability that can allow the loss of funds through social engineering. According to Ben Ma, a security researcher at Shift Crypto, the vulnerability detected in the Coldcard hardware wallet stems from the wallet's support for testnet, the Bitcoin test network. A malicious actor can exploit it to trick victims into believing they are making a transaction on testnet when in reality it takes place on mainnet.
Ma presented a report detailing that this attack is not far-fetched, since something very similar was recently detected in Ledger wallets. The researcher explains that although Coldcard does not support altcoins such as Litecoin or Dash, it does, like Ledger, support the Bitcoin testnet, which can be used in the same way to trick a user into confirming a transaction and steal their funds.
“While Coldcard does not support ‘shitcoins,’ it does support testnet. A quick test confirmed that Coldcard was indeed vulnerable in exactly the same way as Ledger. A user confirming a testnet transaction on the device could actually be spending mainnet (i.e. the real thing) funds without their knowledge.”
Although Ma's analysis reveals that there is indeed a possibility that users of this wallet are victims of social engineering, it seems that the wallet's developers, the Coinkite company, are downplaying the seriousness of the matter.
Coldcard is not immune to social engineering attacks
In his report, Ma explains that Coldcard developers were warned about this vulnerability, and that they agreed to a 90-day non-disclosure period to create a solution that would allow the flaw to be fixed. The company appears to have designed a solution but it has not yet been implemented, so, after the agreed time had expired, Ma decided to inform users about the risk, so that they would be alert and could take precautionary measures to protect their funds until the new version that fixes the flaw is available.
“Coinkite created a fix on September 30th but as of this date has not yet released a firmware update to mitigate potential vulnerabilities… We are therefore now disclosing the issue and encouraging Coldcard users to take appropriate precautions until an update is available.”
While stealing users' bitcoins using this attack is not an easy feat, it is not impossible either, Ma explains. The vulnerability can only be exploited if the hardware wallet device is unlocked, and it requires user interaction as well as a great deal of audacity on the part of the attacker, who has to convince the user to make a testnet transaction to the given testnet address.
Finally, Ma notes that he developed a proof of concept based on research from Monokh on Ledger, to determine if Coldcard was vulnerable to these types of attacks, and upon discovering that it was, informed the Coinkite team responsibly and immediately.
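The mechanism behind the attack the report describes, shown as an added example (this is not code from Shift Crypto, Coinkite or the article): a Bitcoin address is only a script plus a network prefix, so the same key yields a mainnet address and a testnet address that commit to the identical scriptPubKey, and the serialized transaction the device signs carries no network identifier at all. The 20-byte witness program below is constructed and does not belong to any real key.

```python
import hashlib

# BIP173 bech32 primitives, written out here so the example runs offline.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _convertbits(data, frombits, tobits, pad=True):
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for b in data:
        acc = (acc << frombits) | b
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out

def segwit_v0_address(hrp, program):
    """Encode a witness v0 program under a network prefix ('bc' or 'tb')."""
    data = [0] + _convertbits(program, 8, 5)
    polymod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def script_pubkey(address):
    """The scriptPubKey an address stands for: the prefix is NOT part of it."""
    hrp, data = address.rsplit("1", 1)
    vals = [CHARSET.index(c) for c in data]
    assert _polymod(_hrp_expand(hrp) + vals) == 1, "bad checksum"
    assert vals[0] == 0, "only witness v0 handled here"
    prog = bytes(_convertbits(vals[1:-6], 5, 8, pad=False))
    return b"\x00" + bytes([len(prog)]) + prog  # OP_0 <20-byte program>

# Constructed stand-in for HASH160(pubkey); not derived from any real key.
PROGRAM = hashlib.sha256(b"constructed example key").digest()[:20]
MAINNET = segwit_v0_address("bc", PROGRAM)  # what a mainnet wallet would show
TESTNET = segwit_v0_address("tb", PROGRAM)  # what the device displays as "testnet"
```

Decoding both addresses yields the same 22-byte script, which is why a signature over a transaction shown with tb1 addresses is just as valid when the attacker broadcasts it on mainnet.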
Other risks for your bitcoins, Spain in the spotlight
In addition to the possible theft of cryptocurrencies that Ma described in his report on Coldcard, researchers from the cybersecurity company AVAST have reported the discovery of a new malware called Meh, whose many features put the security of your data, files, passwords and even cryptocurrencies at risk. Meh is capable of stealing passwords from a compromised computer, mining cryptocurrencies on it, or stealing them from wallets and purses.
According to the report AVAST published on its Decoded blog, Meh is malware written in Delphi that can carry out a wide variety of attacks using remote access tools. It mainly targets Spanish citizens, although several cases have also been reported in Latin American countries such as Argentina and Mexico. AVAST has classified Meh as a very versatile tool for cybercriminals.
“The Meh password stealer mainly targets Spanish users, with more than 88,000 infection attempts in this country since June 2020. The second most attacked country is Argentina with more than 2,000 affected users.”
A malware with "multithreading" capability
According to the cybersecurity company, Meh has a "multithreading" capability that allows it to run multiple threads of execution, each with a specific attack function. AVAST cites an extensive list of these worker threads, which include:
- Injection;
- Installation and persistence;
- Anti-AV and Anti-IObit Malware Fighter scan;
- Coin miner;
- Torrent Download;
- Clipboard theft and keylogging;
- Cryptocurrency wallets and purses;
- Advertising fraud.
With this feature, Meh is able to execute different actions to perform different attacks on a computer at the same time. Regarding cryptocurrencies, the attacker can use Meh to infect a computer and take advantage of its computational potential to mine cryptocurrencies for himself; it also collects sensitive information from the computer and sends it to a C&C server controlled by the attacker.
“Meh is also capable of stealing cryptocurrency wallets located on the infected PC.”
The malware checks for common cryptocurrency wallet locations on the infected computer and, if any are found, sends the information to the C&C server immediately, along with a message containing the username, computer name, and a debug message for the specific cryptocurrency.
Safety recommendations
Meh is designed to target Windows users, but AVAST notes that the Norton, Nod32 and Bitdefender antivirus programs were effective at detecting the malware, and recommends that users keep their computers updated.
It should not be forgotten that with the current boom in cryptocurrencies, digital assets are becoming the perfect target for hackers and cybercriminals on the Internet, who every day discover or develop new attack vectors, which put your security and that of your funds at risk.