Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Weekly News Digest #39

Weekly News Digest #39

Share via:

Cybersecurity spar between Biden and Putin at Geneva summit

Ransomware attacks were one of the main points of discussion that took place between Biden and Putin at Geneva. It was the first in-person summit for these presidents. At his speech after the end of the three-hour meeting with Baiden, Putin denied Russia’s support for ransomware groups and, generally, refused to answer any questions somehow connected to cyberattacks. Although Biden did not specify any details of his meeting with Putin, he noted that the topic related to ransomware attacks was actively discussed during the meeting.

Biden provided Putin with the list containing the 16 specific entities defined as the objects of critical infrastructure that should be off-limits to attack. These entities represent such sectors as chemical, communications, defense industrial base, emergency, energy, financial services, etc. The G7 countries issued the statement calling Russia to fight against malicious groups responsible for committing ransomware attacks located on its territory. This summit confirms that the matter of cybersecurity is now included in the agenda of global leaders.

Ukrainian police partner with US and South Korea to fight Clop ransomware members

Ukrainian police raided 21 buildings near Kyiv that were presumably connected to the Clop ransomware group. As a result of this raid, 6 people were arrested. The malicious group is responsible for committing a series of cybercrimes against well-known brands such as Shell, Kroger, and even Stanford University. The total damage caused to victims due to the cyberattacks carried out by this group amounted to $500 mln. The Cyberpolice Department of the Ukrainian National Police cooperated with South Korean officers, Interpol, and unnamed US agencies to implement this anti-ransomware operation.

During the raid, police seized dozens of computers and other equipment in addition to $185K in cash and the server infrastructure was taken down. South Korea was particularly interested in fighting this ransomware group since 4 South Korean companies experienced heavy attacks carried out by this group in 2019. The Clop group was targeting its victims by actively exploiting the Accellion vulnerability. The group targeted mostly large organizations.

Over a billion CVS Health records exposed online

The key reason behind the exposure of data was the misconfiguration of cloud services that impacted security. The online database belonging to CVS Health was not protected by any password as well as did not have any authentication barriers to prevent unauthorized entry. The records found by WebsitePlanet together with researcher Jeremiah Fowler were connected to the US pharmaceutical and healthcare giant that is the owner of such brands as Aetna and CVS Pharmacy. The 204 GB database contained such information as visitor IDs, device access information, session IDs, and other data.

The information contained in the database may be used to carry out targeted phishing campaigns. Also, the giant’s competitors may be also interested in viewing the exposed data to gain competitive advantages. According to CVS Health, the unnamed vendor was managing the database.

$30,000 bounty paid by Facebook for exploit exposing private Instagram content

The researcher awarded by Facebook reported the company on the vulnerability in the privacy features of Instagram. The vulnerable points in Instagram could have allowed malicious actors to view private media such as archived posts, stories, and reels on the platform without even following the targeted page. By obtaining the Media ID of the target user, attackers could send a POST request to Instagram’s GraphQL endpoint. As a result, display URLs and image URLs as well as like and save counts were exposed.

Attackers could extract sensitive data without being accepted as a follower, thereby, one of the main features of Instagram designed to ensure privacy of users did not perform its key function. Also, the endpoints could be used by malicious actors to extract the addresses of users’ Facebook pages that were linked to Instagram accounts. Bug bounty hunter Mayur Fartade reported his findings regarding the Instagram vulnerabilities within the framework of Facebook Bug bounty program on April 16. The vulnerable endpoints were patched by Facebook on 29 April.

Another 0-Day vulnerability is exploit‌ed ‌in‌-the‌-Wild. Chrome Browser update is required.

Chrome Browser update for Windows, Mac, and Linux was rolled out by Google to address 4 security vulnerabilities including the 0-day one that are exploited in-the-wild. The vulnerability tracked as CVE-2021-30554 has a high severity level. Successful exploitation of this vulnerability may allow hackers to corrupt valid data or even execute unauthorized code or commands. The issue was reported to Google by an unnamed individual on 15 June. According to the company’s program manager Srinivas Sista, the company was aware of the exploitation of this vulnerability in-the-wild.

Since the beginning of this year, it is the 8th zero-day vulnerability fixed by Google. Google recommends its users to update to the latest version (91.0.4472.114). It is important to notice, that the development was made just 10 days after Google had patched the other zero-day flaw exploited in-the-wild tracked as CVE-2021-30551.