Topic: WARNING!! Official Monero Site Hacked to Distribute Crypto Stealing Malware!! (Read 175 times)
November 20, 2019, 07:32:52 AM
This is why verifying developer's signatures is crucial - there's a very good chance it will protect you from an attack like this one, unless of course attackers were able to steal developer's signing keys. I also generally avoid installing the newest versions right on the release day, and prefer to wait some time for other users to confirm that everything is ok - the new version isn't malicious or didn't introduce some severe bugs.
November 20, 2019, 06:54:37 AM
This is important!! DO NOT DOWNLOAD ANYTHING FROM GETMONERO.COM! (now it might be save, but still better to wait a bit).
IF you have downloaded and run anything from the their official website yesterday, it's maybe already too late .
Additional info from Monero community:
Source : https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html
IF you have downloaded and run anything from the their official website yesterday, it's maybe already too late .
Quote
What an irony — someone hacked the official website of the Monero cryptocurrency project and quietly replaced legitimate Linux and Windows binaries available for download with malicious versions designed to steal funds from users' wallets.
The latest supply-chain cyberattack was revealed on Monday after a Monero user spotted that the cryptographic hash for binaries he downloaded from the official site didn't match the hashes listed on it.
Following an immediate investigation, the Monero team today also confirmed that its website, GetMonero.com, was indeed compromised, potentially affecting users who downloaded the CLI wallet between Monday 18th 2:30 am UTC and 4:30 pm UTC.
Read more in the souce link: https://thehackernews.com/2019/11/hacking-monero-cryptocurrency.html The latest supply-chain cyberattack was revealed on Monday after a Monero user spotted that the cryptographic hash for binaries he downloaded from the official site didn't match the hashes listed on it.
Following an immediate investigation, the Monero team today also confirmed that its website, GetMonero.com, was indeed compromised, potentially affecting users who downloaded the CLI wallet between Monday 18th 2:30 am UTC and 4:30 pm UTC.
Additional info from Monero community:
Quote
Warning: The binaries of the CLI wallet were compromised for a short time
Posted by: ErCiccione
November 19, 2019
Yesterday a GitHub issue about mismatching hashes coming from this website was opened. A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served. The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source. See the reddit post by core team member binaryfate.
It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.
We have two guides available to help users check the authenticity of their binaries: Verify binaries on Windows (beginner) and Verify binaries on Linux, Mac, or Windows command line (advanced). Signed hashes can be found here: https://getmonero.org/downloads/hashes.txt.
The situation is being investigated and updates will be provided soon.
The Monero community
Posted by: ErCiccione
November 19, 2019
Yesterday a GitHub issue about mismatching hashes coming from this website was opened. A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served. The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source. See the reddit post by core team member binaryfate.
It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.
We have two guides available to help users check the authenticity of their binaries: Verify binaries on Windows (beginner) and Verify binaries on Linux, Mac, or Windows command line (advanced). Signed hashes can be found here: https://getmonero.org/downloads/hashes.txt.
The situation is being investigated and updates will be provided soon.
The Monero community
Source : https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html
Jump to: