Written by: Haotian
In the last AMA there was a brief discussion of whether @benbybit was the target of an APT (advanced persistent threat), but no clear conclusion was reached about whether it was an internal penetration attack. If the investigation does point that way, then according to the latest report from SlowMist, how did the North Korean hacker organization Lazarus Group execute a sophisticated APT penetration attack against the exchange? Below is a brief explanation of the logic:
Social Engineering Attack:
1) The hacker first impersonates project teams, investors, third-party partners and the like to contact the company's developers (this kind of social engineering tactic is quite common);
2) Under the pretext of debugging code or recommending development and testing tools, market analysis programs and so on, they induce employees to run malicious programs (the employee may be deceived or coerced);
3) Once the malicious program is in place, the attacker gains remote code execution and further induces employees to escalate privileges and move laterally;
Intranet Penetration Process:
1) Using the single point of breach inside the intranet, they scan internal systems, steal SSH keys from key servers, and abuse whitelist trust relationships to move laterally, gaining more control and widening the malicious program's footprint;
(One question: if the exchange has a tight security system, why were there no alerts for anomalies throughout the entire penetration? SlowMist's conclusion is that the attackers used the company's own internal infrastructure to bypass most security-device detection; does that mean the intranet side needs to strengthen red-blue team exercises to prevent penetration?)
2) Through continuous intranet penetration, they ultimately gained access to the server associated with the target wallet, modified the backend smart contract logic, and altered the multi-signature UI frontend to pull off a switcheroo;
(Both the frontend and backend were tampered with, so how did they evade all the logging? And how did the hackers know precisely when a large transfer to the wallet was about to be made? There are many unanswered questions, which makes it easy to suspect an "insider" was collaborating?)
Lazarus APT Attack Principle, Simplified Version:
Imagine the cryptocurrency cold wallet of an exchange as a special vault located on the top floor of a high-end office building.
Under normal circumstances the vault has strict security: a display screen shows each transaction's details, every operation requires several executives to be present at the same time to confirm what is shown on the screen (for example, "Transfer XXX ETH to address XX"), and only after every executive confirms it is correct can the transfer go through.
However, through a meticulously planned penetration, the hacker first used social engineering to obtain the building's "access card" (that is, compromised the initial computer). After blending into the building, they managed to copy a core developer's "office key" (gaining important permissions). With this "key" the hacker could quietly enter more "offices" (move laterally through the system and take control of more servers).
Ultimately they reached the core system controlling the vault. The hacker not only altered the display program (tampered with the multi-signature UI) but also modified the vault's internal transfer program (changed the smart contract), so what the executives saw on the display screen was tampered, false information, while the real funds were transferred to an address controlled by the hacker.
Note: the above is merely a common APT penetration method used by the Lazarus hacker organization. There is as yet no final, conclusive analysis report on the @Bybit_Official incident, so this should be taken only as a reference and not directly linked to it!
However, I would still like to offer @benbybit a suggestion: Safe, which is better suited to asset management for DAO organizations, only handles ordinary execution calls and does not verify the legality of those calls. There are many better in-house internal control system solutions on the market, such as FireBlocks and RigSec, which perform better in terms of asset security, permission control and operational auditing.
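As an added illustration (not code from the article, from Safe, or from any product named above), this is the kind of pre-signing check an internal control layer can run on a Safe-style transaction: it decodes the raw calldata, compares it with the intent the signer's screen displayed, and only then applies an allowlist and an amount cap. The dict field names, the ERC-20-only scope and the policy shape are assumptions; the transfer selector and the Safe operation values are standard.

```python
from dataclasses import dataclass

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 transfer selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"
CALL, DELEGATECALL = 0, 1  # Safe `operation` values

@dataclass(frozen=True)
class Policy:
    allowed_recipients: frozenset  # lower-case hex addresses the treasury may pay
    max_amount: int                # per-transaction cap (wei or token base units)

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if `data` is a well-formed ERC-20 transfer call, else None."""
    h = data.lower().removeprefix("0x")
    if len(h) != 8 + 64 + 64 or h[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    if h[8:8 + 24] != "0" * 24:  # address must be right-aligned in its 32-byte word
        return None
    return "0x" + h[8 + 24:8 + 64], int(h[8 + 64:], 16)

def check_transaction(tx: dict, displayed: dict, policy: Policy) -> list[str]:
    """Compare the raw tx with what the signer was shown, then apply policy.
    tx: Safe execTransaction fields to, value, data, operation (assumed dict shape).
    displayed: the intent the UI rendered, keys recipient and amount.
    Returns the list of violations; an empty list means the tx may be signed."""
    problems = []
    if tx["operation"] != CALL:
        problems.append("operation is not a plain CALL (DELEGATECALL lets the callee act as the wallet)")
    if tx["data"].lower().removeprefix("0x") == "":
        actual = (tx["to"].lower(), tx["value"])  # native-coin transfer
    else:
        decoded = decode_erc20_transfer(tx["data"])
        if decoded is None:
            problems.append("calldata is not an ERC-20 transfer; refuse to sign blindly")
            return problems
        actual = decoded
    recipient, amount = actual
    if (recipient, amount) != (displayed["recipient"].lower(), displayed["amount"]):
        problems.append(f"screen shows {displayed['recipient']}/{displayed['amount']} "
                        f"but calldata pays {recipient}/{amount}")
    if recipient not in policy.allowed_recipients:
        problems.append(f"recipient {recipient} not in allowlist")
    if amount > policy.max_amount:
        problems.append(f"amount {amount} exceeds cap {policy.max_amount}")
    return problems
```

The screen-versus-calldata comparison is what catches a tampered UI: the signer still has to verify the raw fields on an independent device, but anything the UI claims that the calldata does not match is refused before a signature exists.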
Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice for anyone. Any dispute between users and the author is unrelated to this platform. If an article or image on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com and the platform's staff will verify it.