CryptoCore: A group of hackers believed to be operating out of Eastern Europe has stolen approximately $200 million USD from online exchanges. The threat group, known as CryptoCore, has been active since 2018 and is suspected of being tied to as many as 20 other attacks. The attacks attributed to the group with high confidence include five crypto-currency exchanges located in the United States, Japan, and the Middle East. Surprisingly, according to reports, the group's tactics have not changed in the year and a half that it has been active. The group conducts reconnaissance against the target exchange's infrastructure and employees, then targets employees with phishing attacks. Interestingly, the phishing attacks are not carried out against corporate email accounts initially: personal accounts are targeted first because their security is weaker than that of most corporate accounts. This initial phase of phishing against personal accounts allows the group to gather further information. When phishing attacks are then launched against employees' corporate accounts, the emails are spoofed to appear to come from executives who are known to have interacted with the targeted employee. These phishing emails are used to plant malware on the victim's machine to collect passwords for management accounts. CryptoCore then uses these passwords to access accounts and wallets, disable two-factor authentication systems, and transfer funds out of "hot wallets." Hot wallets are wallets in which crypto-currency is stored online and can be accessed from anywhere, making them an extremely tempting target for thieves.
Utilizing spoofed executive emails to target employees with elevated levels of access is not a new tactic. For several years, hackers have used it to steal funds from corporate accounts through fraudulent wire transfers, as well as to target employee tax data. In most cases these spoofed emails are used in conjunction with social engineering techniques to convince employees to send information or funds. Using spoofed emails for malware delivery is a less common approach, but one that can be defended against with strong network defense. Endpoint Detection and Response (EDR) solutions can assist in the discovery of spyware tools like those employed in the attacks carried out by CryptoCore. More information can be found at https://www.zdnet.com/article/cryptocore-hacker-group-has-stolen-more-than-200m-from-cryptocurrency-exchanges/