Author: Haotian
In the last AMA I had a brief exchange with @benbybit about whether this was a potential APT (advanced persistent threat) intrusion, and it was not clearly determined whether an internal penetration attack was involved. Going by the latest report from SlowMist, how does the North Korean hacker group Lazarus Group carry out its targeted APT penetration attacks against exchanges? Below is a plain-language explanation of the logic:
Social engineering attack:
1) The hackers first disguise themselves as project teams, investors, third-party partners and so on to contact the company's developers; (this kind of social engineering is very common)
2) Under the pretext of debugging code, or by recommending development and testing tools, market-analysis programs and the like, they induce employees to run malicious programs; (there is a chance the employee is fooled here, or that the attempt is caught and turned back)
3) Once the malicious program is in, the attackers obtain remote code execution, and go on to induce employees into granting further permissions and move laterally;
Internal network penetration process:
1) Using the single compromised intranet node as the point of breakthrough, they scan the internal systems and steal the SSH keys of key servers, then use whitelist trust relationships to move laterally, gaining more control and widening the malicious program's coverage;
(The suspicious point is this: if the exchange has a strict protection system, why was no anomaly alerted on during the entire penetration? SlowMist's conclusion is that the attackers used the enterprise's own internal infrastructure to bypass most security equipment inspections. It seems internal systems still need stronger drills, such as red-versus-blue anti-penetration exercises?)
2) Through continued intranet penetration they finally reach the target wallet-related server, and tamper with the back-end smart contract program and the multi-signature UI front-end, quietly swapping the real transaction for a fake one;
(Both the front-end and the back-end were tampered with; the question is how the entire set of logs was bypassed. In addition, how did they pinpoint the recently consolidated wallets to carry out the large transfers? There are many doubts here, and this part easily leads people to suspect an "insider" cooperated?)
The principle of Lazarus's APT advanced persistent penetration attack, plain-language version:
Imagine the exchange's cryptocurrency cold wallet as a special vault on the top floor of a high-end office building.
Under normal circumstances this vault has strict security measures: a display screen shows the details of each transfer, and every operation requires several executives to be present at the same time and jointly confirm the information on the display (such as "transfer XXX ETH to address XXX"). Only after all executives confirm it is correct can the transfer be completed.
However, through a carefully planned infiltration, the hackers first used social engineering to obtain the building's "access card" (that is, compromising an initial computer). Once inside the building, they managed to copy the "office key" of a core developer (one with important permissions). With this "key", the hackers could sneak into more "offices" (moving laterally within the system to gain control of more servers).
Finally they reached the core system that controls the vault. The hackers not only changed the display program (tampering with the multi-sig UI), but also modified the transfer program inside the vault (altering the smart contract). So when the executives look at the information on the display, what they actually see is falsified information, while the real funds are transferred to a hacker-controlled address.
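As an added example, not part of the original post, here is the defender's check against the tampered "display" described above: a signer recomputes the Safe EIP-712 transaction hash from the parameters the UI claims and compares it with the hash shown on the hardware wallet; if the UI has been altered, the two will not match. It assumes a Safe v1.3+ domain (chainId plus verifyingContract); the Safe address, chain id and transaction fields are constructed sample values, and keccak-256 is implemented inline so the check runs offline.

```python
# Keccak-256 (Ethereum variant, 0x01 padding) implemented inline so the check runs offline.
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14]
def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def _keccak_f(s):
    for rc in RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25  # rho + pi
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], ROT[x + 5 * y])
        s = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        s[0] ^= rc  # iota
    return s

def keccak256(data: bytes) -> bytes:
    data += b"\x01" + b"\x00" * (135 - len(data) % 136)
    data = data[:-1] + bytes([data[-1] | 0x80])
    s = [0] * 25
    for off in range(0, len(data), 136):  # absorb 136-byte blocks as little-endian 64-bit lanes
        for i in range(17):
            s[i] ^= int.from_bytes(data[off + 8 * i:off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))

DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")  # Safe v1.3+ domain
SAFE_TX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
                             b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
def _w(v):  # one 32-byte ABI word from a hex address string or an integer
    return (int(v, 16) if isinstance(v, str) else int(v)).to_bytes(32, "big")
def safe_tx_hash(chain_id, safe_addr, tx):  # the hash an owner really signs: keccak(0x1901 || domain || struct)
    domain = keccak256(DOMAIN_TYPEHASH + _w(chain_id) + _w(safe_addr))
    body = _w(tx["to"]) + _w(tx["value"]) + keccak256(tx["data"]) + b"".join(
        _w(tx[k]) for k in ("operation", "safeTxGas", "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce"))
    return keccak256(b"\x19\x01" + domain + keccak256(SAFE_TX_TYPEHASH + body))
def device_hash_matches(chain_id, safe_addr, ui_claimed_tx, device_hash_hex):
    h = device_hash_hex.lower()  # True only if the hardware wallet's hash equals the hash of what the UI claims
    return (h[2:] if h.startswith("0x") else h) == safe_tx_hash(chain_id, safe_addr, ui_claimed_tx).hex()
SAFE = "0x" + "11" * 20  # constructed sample: the transfer the UI displays vs. what is actually being signed
SHOWN = {"to": "0x" + "22" * 20, "value": 10**18, "data": b"", "operation": 0, "safeTxGas": 0, "baseGas": 0,
         "gasPrice": 0, "gasToken": "0x" + "00" * 20, "refundReceiver": "0x" + "00" * 20, "nonce": 7}
ACTUAL = dict(SHOWN, to="0x" + "33" * 20, operation=1)  # other target, operation 1 (delegatecall) instead of 0
```

A mismatch between the device hash and the hash recomputed from the displayed fields means the signer should stop, because the UI and the signed payload disagree.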
Note: the above is only the usual APT infiltration method of the Lazarus hacker group. The @Bybit_Official incident has not yet been finalized or confirmed, so this is for reference only; please do not assume it applies to any specific party!
Finally, a suggestion for @benbybit: Safe is an asset-management method better suited to DAO organizations; it simply executes calls as submitted and does not verify whether a call is legitimate. There are many better on-premise internal-control management solutions on the market, such as Fireblocks and RigSec, which offer stronger support for asset security, permission control, operational auditing and so on.