The command-line interface (CLI) tools available at getmonero.org may have been compromised over the last 24 hours. In the announcement, the team notes that the hash of the binaries available for download did not match the expected hashes.
The software available for download on Monero’s (XMR) official website was compromised to steal cryptocurrency, according to a Nov. 19 Reddit post published by the coin’s core development team.
The software was malicious
On GitHub, a professional investigator going by the name of Serhack said that the software distributed after the server was compromised is indeed malicious, stating:
“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained the wallet. I downloaded the build yesterday around 6pm Pacific time.”
An important security practice
Hashes are non-reversible mathematical functions which, in this case, are used to produce a fixed-length alphanumeric string from a file; any change to the file, however small, yields a different string.
It is a popular practice in the open-source community to save the hash generated from software available for download and keep it on a separate server. Thanks to this measure, users are able to generate a hash from the file they downloaded and check it against the expected one.
If the hash generated from the downloaded file is different, then it is likely that the version distributed by the server has been replaced – possibly with a malicious variant. The Reddit announcement reads:
“It appears the box has been indeed compromised and different CLI binaries served for 35 minutes. Downloads are now served from a safe fallback source. […] If you downloaded binaries in the last 24h, and did not check the integrity of the files, do it immediately. If the hashes do not match, do NOT run what you downloaded.”
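The check the announcement asks users to perform, as an added example that is not code from the Monero project or from the article: the publisher side builds a hash list in the usual `<sha256>  <filename>` format, and the user side recomputes the digest of the downloaded file and compares it with the published entry. The file name and bytes are constructed samples; signature verification of the hash list itself, which a real deployment should add on top of this, is left out.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash large binaries in 1 MiB chunks instead of loading them whole


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file on disk, streamed so multi-hundred-MB binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def publish_hashes(release_files: dict) -> str:
    """Publisher side: build a hashes file in the common `<sha256>  <filename>`
    format. This is what gets stored (and ideally signed) away from the download host."""
    lines = [
        f"{hashlib.sha256(data).hexdigest()}  {name}"
        for name, data in sorted(release_files.items())
    ]
    return "\n".join(lines) + "\n"


def parse_hashes(text: str) -> dict:
    """Parse a hashes file into {filename: hex_digest}; reject malformed lines
    rather than silently skipping them."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hashes line: {raw!r}")
        digest, name = parts
        expected[name.strip()] = digest.lower()
    return expected


def verify_download(path: str, expected: dict) -> bool:
    """User side: True only if the file's digest matches its published entry.
    A file with no published hash is treated as unverified (False), not as OK."""
    name = os.path.basename(path)
    if name not in expected:
        return False
    # compare_digest avoids early-exit string comparison; harmless here but a good habit
    return hmac.compare_digest(sha256_file(path), expected[name])


def run_demo() -> dict:
    """Simulate a release, a clean download and a swapped binary; return the outcomes."""
    # Constructed sample release (hypothetical file name, not a real Monero build).
    release = {"monero-cli-example.tar.bz2": b"\x7fELF constructed release bytes\n"}
    hashes_txt = publish_hashes(release)  # kept on the separate server
    expected = parse_hashes(hashes_txt)   # fetched by the user at verify time

    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "monero-cli-example.tar.bz2")
        with open(clean, "wb") as f:
            f.write(release["monero-cli-example.tar.bz2"])
        clean_ok = verify_download(clean, expected)

        # Same file name, but the bytes served were replaced (one byte inserted).
        with open(clean, "wb") as f:
            f.write(b"\x7fELF constructed release bytes!\n")
        swapped_ok = verify_download(clean, expected)

        # A file the publisher never listed must not pass either.
        unlisted = os.path.join(d, "unlisted.tar.bz2")
        with open(unlisted, "wb") as f:
            f.write(b"anything")
        unlisted_ok = verify_download(unlisted, expected)

    return {"clean": clean_ok, "swapped": swapped_ok, "unlisted": unlisted_ok}


if __name__ == "__main__":
    print(run_demo())  # clean verifies; swapped and unlisted do not
```

The point of the unlisted-file case is that a missing entry must fail closed: an attacker who controls the download host can add a new file name just as easily as swap an existing one, so only files with a published digest count as verified.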
In general, blockchain development communities are vigilant in tracking possible vulnerabilities and maintaining network integrity.
In mid-September, the developers of Ethereum decentralized exchange protocol AirSwap announced a different important development for their project’s security. More precisely, they revealed the discovery of a critical vulnerability in the system’s new smart contract.
In order to incentivize network integrity, some organizations have established bounty programs that reward so-called white-hat hackers for exposing vulnerabilities.
XMR Cryptojacking Malware Smominru Updated, Now Targeting User Data
Malware Smominru mines Monero (XMR) on at least half a million infected computers and now also steals sensitive personal data.
An updated malware
Cybersecurity company Carbon Black claimed that its Threat Analysis Unit “uncovered a secondary component in a well-known cryptomining campaign” in a report published on Aug. 7. According to the firm, the malware has now been updated to “also steal system access information for possible sale on the dark web.” Per the report, the update is part of a broader trend in malware development:
“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”
The change in the malware was first discovered during an investigation into anomalous behavior seen across a handful of endpoints. When investigating, the researchers found “sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers.”
Far-reaching implications
According to the researchers, this trend will have far-reaching implications for the cybersecurity space. More precisely, according to the report, it will “catalyze a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”
As Cointelegraph reported yesterday, computer analysts at cybersecurity firm Zscaler ThreatLabZ have found a new type of trojan that targets cryptocurrency users.
Cointelegraph first reported the discovery of Smominru in February of 2018, though the malware had allegedly been infecting computers since May 2017.