How does the North Korean hacker group Lazarus Group conduct sophisticated APT infiltration attacks?

PANews
7 hours ago

In the last AMA there was a brief discussion with Bybit boss @benbybit about whether this was a potential APT (advanced persistent threat) attack, but no clear conclusion was reached on whether it was an internal penetration attack. If the investigation does point that way, the latest report from SlowMist describes how the North Korean hacker group Lazarus Group carries out precise APT penetration attacks against exchanges. A brief explanation of the logic follows:

Social Engineering Attacks:

1) The hackers first pose as project teams, investors, third-party partners and so on in order to contact the company's developers (this kind of social-engineering approach is very common);

2) Under the pretext of debugging code, or of recommending development and testing tools, market-analysis programs and the like, they induce employees to run a malicious program (the employee may be deceived, or may be coerced);

3) Once the malicious program is running, they gain remote code execution on that machine and work from there toward privilege escalation and lateral movement;

Internal Network Penetration Process:

1) Using the single compromised node as a foothold, they scan the internal network, steal SSH keys from key servers, and abuse whitelisted trust relationships to move laterally, gaining more control and spreading the malicious program more widely;

2) Through continued internal penetration they eventually reach the server associated with the target wallet and modify the back-end smart-contract program and the multi-signature UI front end, so that what the signers see and what they actually sign are no longer the same (a switcheroo);

Lazarus APT (Advanced Persistent Threat) Attack Principles, Simplified Version:

Imagine the exchange's cryptocurrency cold wallet as a special vault located on the top floor of a high-end office building.

Under normal circumstances this vault has strict security measures: a display screen shows the details of each transaction, every operation requires several executives to be present at the same time to confirm what the screen shows (for example, "Transferring XXX amount of ETH to XX address"), and the transfer can only be completed once all of them have confirmed that it is correct.

However, through a carefully planned penetration attack, the hackers first used social engineering to obtain an "access card" for the building (that is, they compromised an initial computer). Once they had blended into the building, they managed to copy a core developer's "office key" (obtaining important permissions). With this "key" they could quietly enter more "offices" (move laterally within the system to take control of more servers).

Ultimately they reached the core system controlling the vault. The hackers not only modified the display program (tampered with the multi-signature UI) but also altered the vault's internal transfer program (changed the smart contract), so that when the executives looked at the display screen they were seeing tampered, false information, while the real funds were transferred to an address the hackers controlled.

Note: The above is only a common APT penetration method used by the Lazarus hacker group. There is not yet a final, conclusive analysis report on the @Bybit_Official incident, so this is for reference only; no offence intended!

Still, I would like to offer Bybit boss @benbybit a suggestion: asset-management tools like Safe are better suited to DAO organizations; they only execute ordinary calls and do not verify whether a call is legitimate. There are many better enterprise internal-control solutions on the market, such as Fireblocks and RigSec, which perform better in terms of asset security, permission control and operational auditing.

Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send proof of the relevant rights and identity to support@aicoin.com and platform staff will verify it.
