
Experts blame North Korea-linked Lazarus APT for the Harmony hack


North Korea-linked Lazarus APT group is suspected to be behind the recent hack of the Harmony Horizon Bridge.

The attackers stole roughly $100 million in cryptocurrency from the blockchain company Harmony. The company reported the incident to the authorities, and the FBI is investigating the cyber heist with the help of several cybersecurity firms.

Harmony’s Horizon Bridge lets users transfer crypto assets from one blockchain to another. The company immediately halted the bridge to prevent further transactions and notified other exchanges.

The company also offers a $1 million bounty in exchange for the return of the funds.

The blockchain security firm CertiK published a detailed analysis of the incident. It confirmed that the threat actors gained control of owner accounts of Horizon’s MultiSigWallet contract and used them to drain the bridge’s funds.

“On June 23, 2022 at 11:06:46 AM +UTC, the bridge between Harmony chain and Ethereum experienced multiple exploits. Our expert analysis has identified twelve attack transactions and three attack addresses.” reads the analysis published by CertiK. “Across these transactions the attacker netted various tokens on the bridge including ETH, USDC, WBTC, USDT, DAI, BUSD, AAG, FXS, SUSHI, AAVE, WETH, and FRAX. The transactions vary in value but range from $49,178 to upwards of $41,200,000. The attacker accomplished this by somehow controlling the owner of the MultiSigWallet to call the confirmTransaction() directly to transfer large amounts of tokens from the bridge on Harmony, which led to a total loss around $97M worth of asset on the Harmony chain which the attacker has consolidated into one main address.”
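What “controlling the owner of the MultiSigWallet to call the confirmTransaction() directly” means in practice is easiest to see against a model of the contract. The Python below is an added illustration written for this article, not CertiK’s or Harmony’s code. It mimics the submit/confirm/execute flow of a Gnosis-style MultiSigWallet, in which confirmTransaction() executes a pending transfer as soon as the required number of owner confirmations is reached, so an attacker holding enough owner keys needs no further exploit. The owner count (5), the threshold values and the token amounts are assumptions chosen for the demonstration; the page does not state Horizon’s actual configuration.

```python
"""Toy model of a Gnosis-style MultiSigWallet showing why compromised owner
keys let an attacker call confirmTransaction() and drain a bridge.

Added example for illustration; the owner names, thresholds and amounts are
assumptions, not Harmony's real deployment.
"""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    destination: str
    value: int
    executed: bool = False
    confirmations: set = field(default_factory=set)


class MultiSigWallet:
    """Minimal in-memory equivalent of the on-chain contract's state machine."""

    def __init__(self, owners, required):
        if not owners or not 1 <= required <= len(owners):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.owners = set(owners)
        self.required = required
        self.transactions = []
        self.balance = 0

    def deposit(self, amount):
        self.balance += amount

    def _only_owner(self, sender):
        # The contract's onlyOwner check: only owner keys can submit or confirm.
        if sender not in self.owners:
            raise PermissionError(f"{sender} is not an owner")

    def submit_transaction(self, sender, destination, value):
        """submitTransaction(): record a transfer and auto-confirm it for the submitter."""
        self._only_owner(sender)
        self.transactions.append(Transaction(destination, value))
        tx_id = len(self.transactions) - 1
        self.confirm_transaction(sender, tx_id)
        return tx_id

    def confirm_transaction(self, sender, tx_id):
        """confirmTransaction(): add an owner's confirmation; execute once the threshold is met."""
        self._only_owner(sender)
        tx = self.transactions[tx_id]
        if sender in tx.confirmations:
            raise ValueError("owner already confirmed this transaction")
        tx.confirmations.add(sender)
        self._execute_if_confirmed(tx)

    def _execute_if_confirmed(self, tx):
        # executeTransaction(): nothing gates the transfer except the confirmation count.
        if tx.executed or len(tx.confirmations) < self.required:
            return
        if tx.value > self.balance:
            raise ValueError("insufficient bridge balance")
        self.balance -= tx.value
        tx.executed = True


def drain_with_compromised_keys(required, compromised, treasury=100):
    """Attacker holds `compromised` of 5 owner keys; returns (remaining balance, executed)."""
    owners = [f"owner{i}" for i in range(1, 6)]  # assumed 5 owners
    wallet = MultiSigWallet(owners, required)
    wallet.deposit(treasury)
    stolen_keys = owners[:compromised]
    # The first stolen key submits (and self-confirms); the rest confirm directly.
    tx_id = wallet.submit_transaction(stolen_keys[0], "attacker-address", treasury)
    for key in stolen_keys[1:]:
        wallet.confirm_transaction(key, tx_id)
    return wallet.balance, wallet.transactions[tx_id].executed


if __name__ == "__main__":
    print("2-of-5 wallet, 2 keys stolen:", drain_with_compromised_keys(2, 2))  # (0, True): drained
    print("4-of-5 wallet, 2 keys stolen:", drain_with_compromised_keys(4, 2))  # (100, False): pending
```

The model makes the defensive point concrete: once an attacker holds owner keys, the contract behaves exactly as designed, and the only variable that decides whether the bridge is drained is how many keys the threshold demands relative to how many were compromised. A higher threshold, and keys held on separate devices by separate people, raise the cost of the social-engineering path Elliptic describes below.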

On June 27, the threat actors began moving the stolen funds (roughly $39 million) through the Tornado Cash mixer service to launder the proceeds.


The blockchain security firm Elliptic was nonetheless able to trace the stolen funds even after they passed through the mixer.

According to Elliptic, the North Korea-linked Lazarus APT was behind the attack.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds. Lazarus is believed to have stolen over $2 billion in cryptoassets from exchanges and DeFi services.” reads the report published by Elliptic. “The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members. Such techniques have frequently been used by the Lazarus Group.”

According to the firm, the threat actors compromised the cryptographic keys of a multi-signature wallet, likely through a social engineering attack aimed at Harmony team members.

Elliptic researchers also pointed out that the relatively short periods during which the stolen funds stop being moved out of Tornado Cash are consistent with nighttime hours in the Asia-Pacific time zone.

“The regularity of the deposits into Tornado over extended periods of time suggests that an automated process is being used. We have observed very similar programmatic laundering of funds stolen from the Ronin Bridge, which has been attributed to Lazarus, as well as a number of other attacks linked to the group.” concludes the post.
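Elliptic’s two observations, deposits at regular intervals (an automated process) and pauses that line up with night in one time zone, are the kind of thing an analyst checks with a few lines of code. The Python below is an added example written for this article, not Elliptic’s tooling, and it runs over a constructed deposit timeline (one deposit every four minutes, pausing between 14:00 and 22:00 UTC). The cadence, the gap threshold, the night window and the UTC+9 offset are assumptions chosen to show the method, not figures from the investigation.

```python
"""Timing analysis of mixer deposits: a steady cadence suggests automation, and
the hours at which the automation pauses hint at the operator's time zone.

Added example; the deposit timeline below is constructed, not real chain data.
"""
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev

UTC = timezone.utc


def build_sample_deposits():
    """Constructed sample: a deposit every 4 minutes, pausing 14:00-22:00 UTC daily."""
    deposits = []
    t = datetime(2022, 6, 27, 0, 0, tzinfo=UTC)
    end = datetime(2022, 6, 29, 0, 0, tzinfo=UTC)
    while t < end:
        if not 14 <= t.hour < 22:
            deposits.append(t)
        t += timedelta(minutes=4)
    return deposits


def intervals_seconds(deposits):
    """Seconds between consecutive deposits."""
    return [(b - a).total_seconds() for a, b in zip(deposits, deposits[1:])]


def split_runs(deposits, gap_factor=5):
    """Separate the steady cadence from long pauses.

    Any interval longer than gap_factor times the median interval is treated as
    a pause. Returns (cadence_intervals, [(pause_start, pause_end), ...]).
    """
    ivals = intervals_seconds(deposits)
    cutoff = gap_factor * median(ivals)
    cadence = [i for i in ivals if i <= cutoff]
    gaps = [(a, b) for a, b, i in zip(deposits, deposits[1:], ivals) if i > cutoff]
    return cadence, gaps


def looks_automated(deposits, max_cv=0.1):
    """Low coefficient of variation in the cadence points to a scripted process."""
    cadence, _ = split_runs(deposits)
    return pstdev(cadence) / mean(cadence) <= max_cv


def gap_local_hours(gaps, utc_offset_hours):
    """Start and end hour of each pause as seen in a candidate time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [(a.astimezone(tz).hour, b.astimezone(tz).hour) for a, b in gaps]


def fraction_of_gap_in_night(gaps, utc_offset_hours, night_start=22, night_end=7):
    """Fraction of paused time that falls inside the night window in a candidate zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    total = night = 0.0
    for a, b in gaps:
        t = a
        while t < b:
            step = min(timedelta(minutes=15), b - t)
            hour = t.astimezone(tz).hour
            if hour >= night_start or hour < night_end:
                night += step.total_seconds()
            total += step.total_seconds()
            t += step
    return night / total if total else 0.0


if __name__ == "__main__":
    deposits = build_sample_deposits()
    cadence, gaps = split_runs(deposits)
    print("automated cadence:", looks_automated(deposits))
    for offset in (0, 9):
        print(f"UTC{offset:+d}: pauses at local hours {gap_local_hours(gaps, offset)}, "
              f"night fraction {fraction_of_gap_in_night(gaps, offset):.2f}")
```

The coefficient-of-variation check is deliberately crude, and one eight-hour pause is consistent with a band of neighbouring offsets rather than a single zone, so in practice an analyst scores several candidate offsets over many days of activity and also watches for deposit amounts that match the mixer’s fixed denominations.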

Harmony has since notified all cryptocurrency exchanges and involved law enforcement and blockchain forensic firms to help in the recovery of stolen assets. It’s also offering “one final opportunity” for the cyber thieves to send the funds back with anonymity and “retain $10 million and return the remaining amount” by July 4, 2022, 11 p.m. GMT.


Pierluigi Paganini

(SecurityAffairs – hacking, Harmony)
