In the last AMA there was a brief exchange with @benbybit about whether this was an advanced APT infiltration attack, but no clear conclusion was reached on whether it was an internal infiltration. If the investigation findings match SlowMist’s latest report, how would the North Korean hacker organization Lazarus Group’s sophisticated APT penetration attack on the exchange have been carried out? The following is a simple popular-science explanation of the logic:
Social engineering attack:
1) The hackers first disguise themselves as project teams, investors, third-party partners, etc. and make contact with the company’s developers (this social engineering method is very common);
2) They induce an employee to run a malicious program under the pretext of debugging code or recommending development and testing tools, market analysis programs, etc. (the employee may be deceived, or may have been turned);
3) Once the malicious program is running, the attackers gain remote code execution and use the employee’s access as a foothold for privilege escalation and lateral movement;
Intranet penetration process:
1) From the single compromised intranet node, scan the internal systems, steal SSH keys from key servers, and abuse whitelist trust relationships to move laterally, gaining more control and spreading the malicious program more widely;
2) Through continued intranet penetration, the attackers finally reach the server associated with the target wallet, and alter the back-end smart contract program and the multi-signature UI front end to carry out the theft;
Lazarus APT Advanced Persistent Penetration Attack Principles, Popular Version:
Think of the exchange’s cryptocurrency cold wallet as a special vault located on the top floor of a high-end office building.
Under normal circumstances, this vault has strict security measures: there is a display screen that shows the details of each transfer. Every operation requires several senior executives to be present at the same time and to jointly confirm what is on the screen (for example, “Transferring XXX ETH to address XX”). The transfer is completed only after all of them confirm that it is correct.
However, through a carefully planned infiltration, the hacker first used social engineering to obtain an “access card” to the building (that is, compromised the initial computer). Having blended into the building, he then managed to copy the “office key” of a core developer (obtaining important privileges). With this “key”, the hacker could quietly slip into more “offices” (move laterally within the system and gain control of more servers).
Finally, he found the core system that controls the vault. The hacker not only replaced the display program (tampered with the multi-signature UI) but also modified the transfer program inside the vault (changed the smart contract), so that what the executives saw on the display was falsified information, while the real funds went to addresses controlled by the hacker.
Note: the above describes only the usual APT penetration methods of the Lazarus hackers. There is no final, conclusive analysis report on the @Bybit_Official incident, so treat this as reference only and not as a statement of what actually happened!
Still, in the end I will offer one suggestion to @benbybit. Safe, which is better suited to DAO organizations, only cares that a call executes normally; it does not verify the legitimacy of the call. There are many better in-house internal control and management solutions on the market, such as Fireblocks and RigSec, which offer better support for asset security, permission control, and operation auditing.
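The “display screen” problem above (signers approving what a tampered UI shows rather than what the transaction actually does) can be countered by re-deriving the transfer from the raw multisig transaction fields and comparing them with the UI summary before signing. The following is an added example, not code from the post or from Safe; the addresses, amounts and Safe operation encoding (0 = CALL, 1 = DELEGATECALL) are assumptions, and the ERC-20 `transfer` selector is the standard one.

```python
# Added example: a signer-side check that decodes the raw multisig transaction fields
# and compares them with the summary the web UI displays. All sample values are constructed.

SELECTOR_ERC20_TRANSFER = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
OP_CALL = 0                           # assumed Safe operation enum: 0 = CALL, 1 = DELEGATECALL

def _word(buf: bytes, i: int) -> int:
    """Read the i-th 32-byte ABI word as an unsigned integer."""
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")

def decode_inner_call(to: str, value: int, data: bytes) -> dict:
    """Describe what the call really does, derived only from the raw fields."""
    if not data:                                   # plain native-coin transfer
        return {"kind": "native_transfer", "to": to.lower(), "amount": value}
    selector, args = data[:4].hex(), data[4:]
    if selector == SELECTOR_ERC20_TRANSFER and len(args) == 64:
        recipient = "0x" + args[12:32].hex()       # address is right-aligned in word 0
        return {"kind": "erc20_transfer", "token": to.lower(),
                "to": recipient, "amount": _word(args, 1)}
    return {"kind": "unknown_call", "to": to.lower(), "selector": selector}

def verify_against_display(raw: dict, shown: dict) -> list:
    """Return discrepancies between the raw transaction and the UI summary; empty means consistent."""
    findings = []
    actual = decode_inner_call(raw["to"], raw["value"], raw["data"])
    if raw.get("operation", OP_CALL) != OP_CALL:
        findings.append("operation is DELEGATECALL, not a plain CALL")
    if actual["kind"] == "unknown_call":
        findings.append("calldata is not a recognised transfer (selector %s)" % actual["selector"])
    if actual.get("to") != shown["to"].lower():
        findings.append("recipient mismatch: raw %s vs shown %s" % (actual.get("to"), shown["to"].lower()))
    if actual.get("amount") != shown["amount"]:
        findings.append("amount mismatch: raw %s vs shown %s" % (actual.get("amount"), shown["amount"]))
    return findings

# Constructed sample: the UI claims 1000 base units of token TOKEN are sent to RECIPIENT.
TOKEN, RECIPIENT, ATTACKER = "0x" + "22" * 20, "0x" + "11" * 20, "0x" + "33" * 20

def _transfer_calldata(to: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256) for the constructed samples."""
    return bytes.fromhex(SELECTOR_ERC20_TRANSFER) + bytes(12) + bytes.fromhex(to[2:]) + amount.to_bytes(32, "big")

SHOWN = {"to": RECIPIENT, "amount": 1000}
HONEST_RAW = {"to": TOKEN, "value": 0, "data": _transfer_calldata(RECIPIENT, 1000), "operation": OP_CALL}
TAMPERED_RAW = {"to": TOKEN, "value": 0, "data": _transfer_calldata(ATTACKER, 1000), "operation": 1}

if __name__ == "__main__":
    print("honest:", verify_against_display(HONEST_RAW, SHOWN))      # []
    print("tampered:", verify_against_display(TAMPERED_RAW, SHOWN))  # two findings
```

Amounts are compared in raw base units, so the UI summary must be converted to the token’s smallest unit before the check.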