Blogs

Is Blockchain Immune from Cyberattacks?

By Deborah Dobson posted 06-20-2018 08:34

  

Is Blockchain Immune from Cyberattacks?

With every new technology, there are security risks. Blockchain is no exception. The recently published McAfee Blockchain Threat Report by McAfee’s Advanced Threat Research team analysts explains the current threats against the users and implementers of blockchain technologies. Blockchain technologies and its users are being heavily targeted by profit-driven cybercriminals. Attackers have adopted many methods to target consumers and businesses. In January the largest-ever theft of cryptocurrencies occurred against the exchange Coincheck, resulting in the loss of $532 million in NEM coin.

The most common methods of attack include:

Phishing

Phishing attacks are the most familiar blockchain attacks due to their prevalence and success rate. In July 2017, Iota suffered an attack that essentially enabled attackers to steal from any wallet. Victims lost $4 million in a phishing scam that lasted several months. Cybercriminals typically don’t care who their phishing victims are as long as cryptocurrency ends up in the attacker’s hands.

Malware

2016 saw an explosion in the number of malware families being used by cybercriminals. Malware was the primary tool used by bad actors to acquire cryptocurrency. While not new, ransomware was favored due to the benefits of transferring and hiding funds through cryptocurrencies. Cybercriminals also had easy-access tools such as HiddenTear which was meant to be an “educational” tool on ransomware, but quickly was used by bad actors to build hundreds of variants. These variants generally required Bitcoin payments for ransom.

 In 2017, malicious actors began experimenting with alternative cryptocurrencies such as Monero and Dash. The ransomware GandCrab discarded Bitcoin for Dash. GandCrab and other malware launched frequent attacks against Microsoft Internet Explorer and Adobe Flash Player through malvertising.

Cryptojacking

Cryptojacking is the method of hijacking a browser to mine cryptocurrency. Like ransomware, cryptojacking experimented with altcoins. In 2017, the Archive Poster plug-in for the Chrome browser was found to be mining Monero coins without consent. Victims first learned of the issue when some noticed high CPU usage on their computers. By then 100,000 had downloaded the miner.

Many organizations implement miners to monetize their visitors’ device resources, but not all disclose mining to their site visitor. In addition, the website owner might not have been the one adding the cryptojacking code as was the case of YouTube. A flaw in the popular video-sharing site allowed malicious advertisers to inject cryptojacking code into advertisements to mine Bitcoin or Ethereum. YouTube quickly removed the malicious advertisers and blocked the mining advertisements.

Implementation Vulnerabilities

Implementation vulnerabilities are flaws introduced when new technologies and tools are built on top of blockchain. It is important to note that the closer one gets to the core of the blockchain technology, the more difficult it is to succeed with the attack. One example is the cryptocurrency Verge which was found to have numerous vulnerabilities. Attackers exploited the vulnerabilities to generate coins without spending any mining power.

In blockchain implementations such as Ethereum, user code is part of the ledger through smart contracts. A smart contract is written by a user and submitted as part of the ledger. The contract can execute logic based on the rules of the contract. Like any code, it may come with bugs and vulnerabilities. The Parity wallet library, used in conjunction with Ethereum smart contracts was found to have a critical vulnerability in November 2017. This resulted in the freezing of $150 million worth of Ethereum coins.

Conclusion

Blockchain technology is attracting a lot of interest for solving business needs beyond decentralized payments. It is important for industries that are researching and implementing blockchain technologies to expect that cybercriminals will deploy known and yet-unknown techniques to compromise them. Learning from recent cyberattacks will help organizations make better decisions to secure future technologies.


#Blockchain
0 comments
9 views

Permalink