Biggest ever cryptocurrency theft / StealthWorker botnet / ProxyShell

Great thefts stir the imagination like no others. The famous D B Cooper’s case, the United California Bank robbery, or the Great Train Robbery from 1963. Do “electronic” thefts stir the same amount of emotions? It’s hard to say, but when over 600 million dollars disappears from one of the financial platforms, it will bring a lot of hype. But let’s keep our feet on the ground and ask really important questions. Namely, how does it happened, was there a way to prevent the theft, is there any chance to get the money back, and what about the victims – BinanceChain, Ethereum, and Polygon miners?

Hackers stole over $600 million in ‘biggest’ ever cryptocurrency theft

In one of the largest cryptocurrency hacks to date, cyberattackers reportedly stole $611 million in digital tokens from the decentralized finance (DeFi) platform Poly Network which specializes in cryptocurrency transfers on the Binance, Ethereum and Polygon blockchains.

Poly Network, a decentralized finance (DeFi) platform based in China, publicly acknowledged that an attacker “exploited a vulnerability” –  the function “_executeCrossChainTx”. This specific function dictates the “between contract calls” and is tied to the interoperability needed to communicate between independent blockchains. Effect? It allowed crooks to assign themselves the ownership of money processed through the platform.

Assets had been transferred to hacker’s following addresses: ETH:

0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 and BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71.

Poly Network has called on miners of the affected blockchains — BinanceChain, Ethereum, and Polygon — to blacklist tokens coming from these addresses.

Poly Network confirmed the attack on Twitter, addressing the hackers directly: “We want to establish communication with you and urge you to return the hacked assets.”…

… but only a small amount of the money is already returned. You can view the entire conversation and refund update in this Google doc linked from @LX2025.

Sources 1 | 2

StealthWorker botnet targets Synology NAS devices to drop ransomware

Synology has warned customers that the StealthWorker botnet is targeting their NAS devices in ongoing brute-force attacks that lead to ransomware infections.

Once compromised the device, threat actors employed it in a botnet used in attacks aimed at Linux systems, including Synology NAS.

The company is coordinating with multiple CERT organizations worldwide to take down the botnet’s infrastructure by shutting down all detected command-and-control (C2) servers.

Synology is also working on notifying potentially affected customers. It also urges all system admins and customers to change weak administrative credentials on their systems, enable auto block and account protection, and set up multi-factor authentication where possible. Here is the checklist:

  • Use a complex and strong password, and Apply password strength rules to all users.
  • Create a new account in the administrator group and disable the system default “admin” account.
  • Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
  • Run Security Advisor to make sure there is no weak password in the system.

System administrators that have noticed suspicious activity on their devices should report it to Synology technical support.

StealthWorker botnet was first spotted by Akamai researchers in June 2020, the bot is a Golang-based malicious code that targets Windows and Linux servers running popular web services and platforms including (i.e. cPanel / WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Brixt, SSH, and FTP). Operators behind the malware use the infected hosts to launch brute force attacks against other systems.syt

Sources 1 | 2

ProxyShell vulnerability: a new way of installing backdoors for later MS Exchange access

ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated, remote code execution.

When exploiting Microsoft Exchange, the attackers are using an initial URL like:


The exploit is currently dropping a webshell that is 265KB in size to the ‘c:\inetpub\wwwroot\aspnet_client\’ folder. The 265KB is the minimum files size that can be created using the ProxyShell exploit due to its abuse of the Mailbox Export function of Exchange Powershell to create PST files. The webshells consist of a simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.

Threat actors use the first webshell to upload an additional webshell to a remotely accessible folder and two executables to the C:\Windows\System32 folders, listed below:


If the two executables can’t be found, another webshell will be created in the following folder as random-named ASPX files.

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\

The attackers use the second webshell to launch the ‘createhidetask.exe,’ which creates a scheduled task named ‘PowerManager’ that launches the ‘ApplicationUpdate.exe’ executable at 1 AM every day.

Threat actors scan for vulnerable ProxyShell devices from IP addresses in the USA, Iran, and the Netherlands. The known addresses are:

Specialists advise admins to perform Azure Sentinel queries to check if their devices have been scanned. For those who have not recently updated their Microsoft Exchange server, it is strongly recommended to do so immediately.


Attackers use Morse code, and other encryption methods to help cover their tracks

Hackers use a range of techniques to cover their tracks on a target computer, from benign-looking communication protocols to self-erasing software programs. It’s not very often, though, they turn to Morse Code. Yet that’s exactly what played a part in a year-long phishing campaign that Microsoft researchers outlined last week.

The ongoing phishing campaign lures targets into handing over their Office 365 credentials. The primary goal is to harvest usernames, passwords, and—in its more recent iteration—other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts.

Continuously evolving evasion tactics

In the case of this new phishing campaign, attackers are using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.

The xls.HTML or xslx.HTML attachments are divided into multiple segments encoded using different methods to appear harmless and bypass email security controls.

Attackers also changed their encryption schemes every month to try to hide their activity, using different methods for each segment and switching between plaintext HTML code, escaping, Base64, ASCII chars, and the Morse code.


Do you have thirst for knowledge? There is ten more cybersecurity stories below

1. Android Trojan hijacks social media in 140 countries hits 10,000 victims (ZDNet)
2. Phishing Sites Targeting Scammers and Thieves (Krebs on Security)
3. Home routers are being hijacked using vulnerability disclosed just 2 days ago (Malwarebytes Lab)
4. Microsoft patches actively exploited zero-day (CVE-2021-36948), more Print Spooler flaws (Help Net Security)
5. Adobe fixes critical preauth vulnerabilities in Magento (Bleeping Computer)
6. Chaos Malware Walks Line Between Ransomware and Wiper (Threat Post)
7. SAP Patches Nine Critical & High-Severity Bugs (Threat Post)
8. Accenture confirms LockBit 2.0 ransomware attack (Threat Post)
9. New AdLoad malware variant slips through Apple’s XProtect defenses (Bleeping Computer)
10. Kaseya’s universal REvil decryption key leaked on a hacking forum (Bleeping Computer