It has been two weeks since Bybit was hacked for $1.4 billion by TraderTraitor, a North Korean group. Five days later, it was confirmed that the hackers had compromised a Safe wallet developer, allowing them to modify the source code of the wallet's user interface. Now Safe has published its preliminary investigation, confirming that the Safe smart contracts were never compromised, but the user interface was.
Safe hired Mandiant, the security company acquired three years ago by Google Cloud for $5.4 billion. The wallet organization also described a number of measures it is taking to strengthen security, with Mandiant's help.
As previously reported, the hackers injected code into the user interface that only targeted Bybit. Although other users would have accessed their wallets with the same compromised code, it did not target them.
Safe reiterated the need for people with the power to sign transactions to fully understand what they are signing, as custody technology company GK8 emphasized in a recent webinar. In the transaction at the root of the hack, an obscure parameter was changed from zero to one, with disastrous consequences.
Step 1: Hack the developer's machine
The report is somewhat vague on the initial hacking of the developer's machine, in part because the malware was deleted. However, Mandiant believes it involved a specific stock-related Docker project (an executable software container) that the developer may have downloaded as a result of social engineering. (Could the developer not confirm this?)
Mandiant cites another recent hack by the same group in which they lured a developer into providing technical assistance. To do so, they shared a Docker container that the engineer downloaded, and the software gave the hacker persistent access to the workstation.
Step 2: Access the AWS code repository
The hackers compromised the developer's machine on February 4 and first accessed the Amazon Web Services (AWS) code repository on February 5. However, they wanted enough access to the repository to manipulate it without being noticed. AWS generally recommends multiple authentication methods, so the hackers tried to add their own multi-factor authentication (MFA) device, but failed.
They spent the next 12 days monitoring the AWS environment and planning their next steps. For access to a web server, in particular for committing code to a repository, AWS provides temporary session tokens that expire after 12 hours by default. The hackers hijacked these tokens to insert their own code, using a virtual private network to do so.
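The two behaviours described in Step 2 (a failed attempt to enrol an attacker-controlled MFA device, and a temporary session credential being used from an address the legitimate developer never used) both leave traces in AWS CloudTrail. The following detection sketch is an added example, not code from Safe or Mandiant; it uses the CloudTrail record fields eventName, errorCode, sourceIPAddress and userIdentity.accessKeyId, and the events it runs over are constructed for the example, not real logs.

```python
"""Detection logic for two signals from the report: failed MFA-device
enrolment calls, and a temporary STS credential (access key id starting
with "ASIA") seen from more than one source IP within its lifetime."""
from collections import defaultdict

# IAM API calls that register a new MFA device. Failures of these from a
# session that normally only touches the code repository are suspicious.
MFA_ENROLL_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}

# Constructed sample records (documentation IP ranges, fake key ids).
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-05T09:12:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0001"}},
    {"eventTime": "2025-02-05T09:40:00Z", "eventName": "CreateVirtualMFADevice",
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0001"}},
    {"eventTime": "2025-02-05T09:41:00Z", "eventName": "EnableMFADevice",
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0001"}},
    {"eventTime": "2025-02-17T14:02:00Z", "eventName": "GitPush",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0001"}},
    {"eventTime": "2025-02-17T14:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
]


def failed_mfa_enrollments(events):
    """Return (accessKeyId, eventName, sourceIP, errorCode) for every MFA
    enrolment call that CloudTrail recorded with an error."""
    hits = []
    for e in events:
        if e.get("eventName") in MFA_ENROLL_EVENTS and e.get("errorCode"):
            hits.append((e["userIdentity"]["accessKeyId"], e["eventName"],
                         e["sourceIPAddress"], e["errorCode"]))
    return hits


def multi_ip_sessions(events, temp_prefix="ASIA"):
    """Return {accessKeyId: sorted IPs} for temporary credentials used from
    more than one source address. A developer's session token should not
    appear from a second network (for example, an attacker's VPN exit)."""
    ips = defaultdict(set)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith(temp_prefix):
            ips[key].add(e["sourceIPAddress"])
    return {k: sorted(v) for k, v in ips.items() if len(v) > 1}


def alerts(events):
    """Combine both detections into one list of alert lines."""
    out = []
    for key, name, ip, err in failed_mfa_enrollments(events):
        out.append(f"MFA_ENROLL_FAILED key={key} call={name} ip={ip} error={err}")
    for key, ips in multi_ip_sessions(events).items():
        out.append(f"SESSION_MULTI_IP key={key} ips={','.join(ips)}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

The second check is deliberately coarse: a developer on a laptop can legitimately change networks within the 12-hour token lifetime, so in production you would correlate the new address against known VPN exits or the developer's usual ASN rather than alert on any change.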
Step 3: Inject the malicious code
The malicious code was injected into the AWS repository for the user interface on February 17. People therefore used the hacked code for four days. However, the code only targeted the Bybit wallet, so it would not have affected anyone else.
Step 4: Wait for the hack. Remove the malware afterwards
We already published an article on the specific transaction hacked on February 21, which was not part of yesterday's security report. The hacked code changed a parameter called "operation" from zero to one, allowing the hackers to do what they wanted with the funds.
According to Mandiant, shortly after the hack, the hacker removed the malware. Unix machines keep a log of every command executed, which would have helped trace the hacker's activity, but this log was also wiped. We therefore assume that the investigation relied mainly on network logs and AWS activity logs. By covering their tracks, the hackers probably hope to reuse some of the same methods in future breaches.
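The "operation" parameter mentioned here and in the GK8 point above about understanding what you sign is a field of Safe's execTransaction call: 0 is a plain CALL to the target, 1 is a DELEGATECALL, which runs the target's code inside the Safe itself. A signer's tooling can decode the calldata and refuse to present a transaction as routine when that field is not zero. The checker below is an added example, not Safe's or Mandiant's code; it decodes the ABI head by word position, the function selector 0x6a761202 is the one I take to belong to execTransaction (verify it against the Safe ABI before relying on it), and the encoder exists only so the example can build a constructed transaction to run against.

```python
"""Pre-signing review of a Safe execTransaction calldata blob.
Parameter order: to, value, data, operation, safeTxGas, baseGas,
gasPrice, gasToken, refundReceiver, signatures (10 ABI head words)."""

# Assumed selector for execTransaction; confirm against the Safe ABI.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OPERATION_NAMES = {0: "CALL", 1: "DELEGATECALL"}
ZERO_ADDRESS = "0x" + "00" * 20
HEAD_WORDS = 10


def _word(calldata, i):
    """Return ABI head word i (after the 4-byte selector) as an int."""
    start = 4 + 32 * i
    return int.from_bytes(calldata[start:start + 32], "big")


def _addr(calldata, i):
    """Return head word i as a lowercase 0x address (last 20 bytes)."""
    start = 4 + 32 * i
    return "0x" + calldata[start + 12:start + 32].hex()


def _dyn_bytes(calldata, offset):
    """Read a dynamic bytes field located at `offset` in the argument area."""
    length = int.from_bytes(calldata[4 + offset:4 + offset + 32], "big")
    return calldata[4 + offset + 32:4 + offset + 32 + length]


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the static fields a signer must understand."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    return {
        "to": _addr(calldata, 0),
        "value": _word(calldata, 1),
        "data": _dyn_bytes(calldata, _word(calldata, 2)),
        "operation": _word(calldata, 3),
        "safeTxGas": _word(calldata, 4),
        "baseGas": _word(calldata, 5),
        "gasPrice": _word(calldata, 6),
        "gasToken": _addr(calldata, 7),
        "refundReceiver": _addr(calldata, 8),
    }


def review_exec_transaction(calldata: bytes, trusted_targets):
    """Return (decoded_tx, warnings). Any warning means: do not sign blind."""
    tx = decode_exec_transaction(calldata)
    warnings = []
    if tx["operation"] != 0:
        name = OPERATION_NAMES.get(tx["operation"], "UNKNOWN")
        warnings.append(f"operation={tx['operation']} ({name}): target code "
                        "runs inside the Safe and can rewrite its storage")
    if tx["to"] not in {t.lower() for t in trusted_targets}:
        warnings.append(f"target {tx['to']} is not in the allowlist")
    if tx["gasToken"] != ZERO_ADDRESS or tx["refundReceiver"] != ZERO_ADDRESS:
        warnings.append("gas refund fields set: funds may flow to a third party")
    return tx, warnings


def encode_exec_transaction(to, value, data, operation, gas_token=ZERO_ADDRESS,
                            refund_receiver=ZERO_ADDRESS, signatures=b""):
    """Build constructed calldata for the example (zero gas parameters)."""
    word = lambda n: n.to_bytes(32, "big")
    addr_word = lambda a: bytes(12) + bytes.fromhex(a[2:])
    dyn = lambda b: word(len(b)) + b + bytes((-len(b)) % 32)
    head_len = HEAD_WORDS * 32
    data_enc = dyn(data)
    head = (addr_word(to) + word(value) + word(head_len) + word(operation)
            + word(0) + word(0) + word(0) + addr_word(gas_token)
            + addr_word(refund_receiver) + word(head_len + len(data_enc)))
    return EXEC_TRANSACTION_SELECTOR + head + data_enc + dyn(signatures)


if __name__ == "__main__":
    # Constructed: a delegatecall to an unknown contract carrying an
    # ERC-20 transfer selector (0xa9059cbb) as payload.
    sample = encode_exec_transaction("0x" + "11" * 20, 0,
                                     bytes.fromhex("a9059cbb") + bytes(64), 1)
    tx, warnings = review_exec_transaction(sample, ["0x" + "22" * 20])
    print(tx["operation"], OPERATION_NAMES[tx["operation"]])
    for w in warnings:
        print("WARN:", w)
```

The value of this kind of check is that it runs on the raw calldata the hardware wallet will actually sign, independently of whatever a compromised web front end displayed; a front end can lie about the operation field, but the bytes presented to the signer cannot.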