Cryptocurrency theft and more: first officer's blog - week 44

Cryptocurrency theft, unpatched software and more. Here are the latest stories from the world of cyber risk.

Mike Parkin | March 27, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED]

Moving at maximum warp, it didn’t take long for the [REDACTED] to reach the source of the distress call. Per standard procedure, we also contacted Starfleet Command and let them know what we were doing. There had been instances in the past where pirates, raiders, or other hostiles had used false distress signals as bait. Given the nature of the original call, we expected this to be something of that sort. 

Dropping out of warp, our sensors picked up the somewhat jumbled mass of a [REDACTED] ship, superficially similar to the ship we had encountered several months earlier transporting the consultants with their non-functional equipment. The ship was surrounded by a debris field that, to be fair, was hard to distinguish from the ship itself.  

We were already at Yellow Alert as the ship left warp and helm activated the shields at standard power as we decelerated to a stop just outside the debris field. Per protocol, we scanned them before opening hailing frequencies, which showed that the ship’s power was at least on, though their weapons and shields were not active. We also noted that there were a lot of weapons mounted, though they seemed to be an awkward mix of components from at least five different races. 

That was actually expected from a [REDACTED] ship. They were known to scavenge, steal, or sometimes buy components from anyone or anything they encountered. Somehow, they managed to pull these disparate components into a working starship. 

With a nod from the captain, comms opened hailing frequencies to the apparently stricken ship. “[REDACTED] vessel, this is the Federation Starship USS [REDACTED] responding to your distress call. What is the nature of your emergency?” 

First voice: “You came to help us.” 

Second voice: “Yes, you came.” 

Comms: “Yes. We are here to assist. Please state the nature of your emergency.” 

First voice: “Our ship is broken. We need yours.” 

Second voice: “Yes, yours. You should give us yours.” 

The communications officer frowned and looked at the captain, who made a gesture to helm, who dialed the shields to high power, before nodding back to comms, who continued: “Sorry, [REDACTED] vessel, that won’t be possible. Is there some other way we can render assistance?” 

First voice: “We are strong. We want your ship now.” 

A moment later, something in the debris field detonated, and a shockwave of energy washed over the ship. A moment after that the lights went out, leaving helm to mutter a rather sardonic “Well, that’s not good.” 

C’mon, people. Patch already! 

What happened 

Researchers have reported that ESXi servers are still being targeted by threat actors exploiting CVE-2021-21974 to compromise vulnerable hosts. Apparently, over 3200 hosts were affected by a recent ransomware campaign that hit multiple countries, with France being the most affected. VMware released a patch in February 2021, showing that there are still many organizations that have not kept up with their patches. 

Why it matters 

Patch, people! Seriously. ESXi is not an obscure application that only a handful of people use and may not even be supported. No. It is a mainstream virtualization platform that’s used by everyone from small shops to massive enterprises and is well supported by a world-respected vendor. There is no excuse for not patching these systems two years after the patches were released. Full stop. 

That said, this is a perfect example of the “long tail” effect. That’s where the vast majority of systems are patched within days of a patch coming out, with more being patched over time, until there is this ever-decreasing “tail” of unpatched systems that eventually fall away due to being taken off the air or finally getting patched. 

One of the core tenets of risk management is staying on top of your patches, which is why most asset management tools and vulnerability scanners highlight out-of-date systems and applications, and tools like Vulcan Cyber can bring it all together. So, just patch. It’s a Good Thing™. 
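The “long tail” effect and the advice to stay on top of your patches, as an added example that is not from the original post or from Vulcan Cyber: a small Python script that flags ESXi hosts still running a build older than the first fixed build, and reports how long each host lagged behind the patch release so the shrinking tail of unpatched systems is visible in numbers. The inventory, the `MIN_FIXED_BUILD` value, and the exact `PATCH_RELEASE` day are constructed placeholders; take the real fixed build number and release date from the vendor advisory for CVE-2021-21974.

```python
"""Patch-compliance check and patch-lag ("long tail") report for an ESXi fleet.

Added example, not code from the original post or from Vulcan Cyber.
MIN_FIXED_BUILD and PATCH_RELEASE are placeholders (assumptions), and the
inventory below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MIN_FIXED_BUILD = 17_000_000      # placeholder: first build containing the fix (assumption)
PATCH_RELEASE = date(2021, 2, 1)  # post says "February 2021"; the day is a placeholder


@dataclass(frozen=True)
class Host:
    name: str
    build: int                  # ESXi build number reported by the host
    patched_on: Optional[date]  # day the host reached a fixed build, None if never


# Constructed sample inventory: most hosts patched quickly, a tail never did.
INVENTORY = [
    Host("esx-01", 17_200_000, date(2021, 2, 3)),
    Host("esx-02", 17_200_000, date(2021, 2, 5)),
    Host("esx-03", 17_200_000, date(2021, 2, 6)),
    Host("esx-04", 17_200_000, date(2021, 2, 20)),
    Host("esx-05", 17_200_000, date(2021, 4, 10)),
    Host("esx-06", 17_200_000, date(2021, 11, 1)),
    Host("esx-07", 17_200_000, date(2022, 9, 15)),
    Host("esx-08", 16_500_000, None),  # still unpatched two years later
    Host("esx-09", 16_100_000, None),
    Host("esx-10", 16_900_000, None),
]

BUCKETS = (7, 30, 90, 365)  # days after release, for the lag histogram


def unpatched_hosts(inventory, min_build=MIN_FIXED_BUILD):
    """Names of hosts whose reported build is older than the first fixed build."""
    return sorted(h.name for h in inventory if h.build < min_build)


def patch_lag_days(host, release=PATCH_RELEASE):
    """Days between the patch release and the host being fixed; None if never fixed."""
    if host.patched_on is None:
        return None
    return (host.patched_on - release).days


def lag_histogram(inventory, release=PATCH_RELEASE, buckets=BUCKETS):
    """Count hosts by how long after the release they were patched."""
    labels = [f"<={d}d" for d in buckets] + [f">{buckets[-1]}d", "never"]
    counts = dict.fromkeys(labels, 0)
    for h in inventory:
        lag = patch_lag_days(h, release)
        if lag is None:
            counts["never"] += 1
            continue
        for d in buckets:
            if lag <= d:
                counts[f"<={d}d"] += 1
                break
        else:
            counts[f">{buckets[-1]}d"] += 1
    return counts


def tail_fraction(inventory, days, release=PATCH_RELEASE):
    """Fraction of hosts still unpatched `days` after release: the long tail."""
    cutoff = release + timedelta(days=days)
    still = sum(1 for h in inventory if h.patched_on is None or h.patched_on > cutoff)
    return still / len(inventory)


if __name__ == "__main__":
    print("Hosts below fixed build:", unpatched_hosts(INVENTORY))
    print("Patch lag histogram:", lag_histogram(INVENTORY))
    for days in (7, 30, 90, 365, 730):
        print(f"Still unpatched after {days:>3} days: {tail_fraction(INVENTORY, days):.0%}")
```

Feed it a real inventory (for example, host name and build number exported from vCenter) and the `tail_fraction` line for 730 days is exactly the population the story is about: hosts still exposed two years after the fix shipped.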

What they said 

For better or worse, vulnerabilities always get attention.

I’m pretty sure this violates a couple of treaties 

What happened 

Australian flagship carrier, Qantas, has warned pilots operating in the Western Pacific and South China Sea about incidents of interference with VHF communications and GPS navigation, with a strong indication that the source of the interference is Chinese warships operating in the region. The airline has stated that at no time were the aircraft or passengers at risk. 

Why it matters 

While this isn’t what we would typically consider a cyber security incident, it does line up with other incidents we have seen in our space. The People’s Liberation Army Navy (PLAN), China’s navy, has shown a willingness to engage in activities that are widely considered hostile, if not acts of war. And we’ve seen the same thing with state and state-sponsored threat actors. They push and probe and execute both criminal and espionage attacks for profit, disruption, and information, but it never rises to the level of “international incident.” 

The real difference between a cyber attack and messing with a commercial airliner is that a cyber attack might hurt someone in the real world, taking out a hospital or part of the power grid, for example, while interfering with an airplane can have much graver consequences. Fortunately, taking out GPS or VHF communications, or even messing with the radar altimeter, isn’t going to bring a plane down. But it does show a willingness on the PLAN’s part to push the limits of their power. 

What they said 

This story has really gained altitude

Oh look, another cryptocurrency theft 

What happened 

Unknown attackers have exploited a flaw in a bitcoin ATM system and stolen in excess of $1.5M worth of cryptocurrency. The attack led the vendor, General Bytes, to shut down its cloud management services for the ATM terminals, and has forced the terminals’ operators to take over local management of their systems. This is the second reported breach of General Bytes systems in seven months, leading to renewed concerns over cryptocurrency theft. 

Why it matters 

Cryptocurrencies have gained in popularity over the last several years, with even large financial institutions joining the party. But crypto remains a volatile, unregulated, immature, and apparently insecure place to keep your money. Given the number of recent attacks against cryptocurrency exchanges and related cryptocurrency theft, it’s a surprise anyone’s still willing to trust it. Yes, it does add some anonymity to your transactions. But that’s only an advantage in certain use cases. Outside of those specific use cases, it would seem the risks outweigh the benefits. 

Full disclosure: I consider myself a cryptocurrency-skeptic. The advantages mostly seem to benefit criminal elements, there is little or no regulation, the markets are volatile, and there are non-trivial costs associated with crypto mining. Incidents like this just add to the skepticism. 

What they said 

The only thing hotter than cryptocurrency? Cryptocurrency theft. 

