A recap and some takeaways from what we talked about a few days ago during the "Don't Get Rekt" episode 4, "THE OPSEC WAKEUP CALL", by RektHQ with @officer_secret: DPRK, operational security, physical security and kidnappings, Bybit, hardware wallets, and more.
Current status of Web3 security: 99% of stolen funds are no longer due to smart contract hacks but to operational security issues, meaning social engineering, malware, 0-day exploits, SIM swaps, insider threats, account takeovers, phishing, domain and DNS hijacks, etc.
DPRK (Democratic People's Republic of Korea) has many teams of professional and sophisticated attackers (like the Lazarus Group) that use many of these techniques to drain crypto from Web3.
They have many ways of doing this; one of them is getting hired by Web3 organizations. These hired operatives are called "IT workers". They are usually hired as developers or DevOps, obtain the necessary access and then steal as much money as they can from the organization.
When they get hired, they have two main goals:
- To steal as much money from the organization and its users as they can
- To earn the salaries they are paid, to fund the regime. Many times one operative has 4 or 5 different jobs at the same time, earning between USD 250K and 600K per year.
From what we know, they have two types of agents:
- People who, through social engineering, carry out the initial infection and get a first foothold in the organization's infrastructure.
- People who then move laterally inside the organization after the initial compromise, doing privilege escalation, etc. One way to detect them is to follow the money: they usually consolidate their funds in the same addresses and then transfer them to Chinese exchanges. They are not always that sophisticated and can be spotted if you look closely.
Why are these agents usually not detected? The three biggest reasons:
- They are very good at what they do (coding)
- They work a lot
- They do not complain
In the past they took advantage of the fact that you could work as an anon for many Web3 organizations to hide their true identity. After many companies were compromised, many started doing KYC and some background checks, so DPRK started using stolen identities to pass these tests. But this evolved too...
Then they started using laptop farms in the US: basically someone who lives in the US, is sent a laptop (or many of them) from abroad, and keeps these laptops connected to their home internet connection. This way, the DPRK IT workers can operate these laptops remotely (with TeamViewer and similar tools), and since the laptop has a US IP address, they appear to be living there.
But then organizations tightened their security measures a bit more and started requiring cameras on in every call. So DPRK leveled up and started hiring US citizens who not only sell their identity, but also join calls with the camera on (interviews, dailies, weeklies, etc.) following a script. These US citizens usually do NOT know they are working for DPRK; they think they are helping some Chinese, Korean or Singaporean person to get a job in the US.
Most DPRK operatives fake their identities and say they are from Canada, Singapore or some part of the US. But if you ask them a few questions about their city, culture or similar things, you will see they have no idea.
Last but not least, once they are detected, either by someone from the organization or by a researcher from @_SEAL_Org for example, reporting them and removing them is not an easy task. It is a very complex process that needs a lot of coordination to succeed, because they will steal everything they can the moment they realize they have been detected.
You can read a lot more about DPRK investigations and their techniques by following both @zachxbt and @tayvano_ . They are the masterminds in this subject.
Bybit hack last March: $1.4bn stolen. How did it happen?
A Safe developer was social engineered with a fake job interview > the dev's machine was infected > an AWS session token was stolen > malicious code was pushed into the Safe production frontend (this code targeted only the Bybit wallet). Bybit signers trusted what they saw in their Safe UI and did not verify the transaction hashes to understand what they were actually signing; they blind signed > $1.4bn gone.
What can we learn from the Bybit hack?
- Teams should have training to detect social engineering and know how to react
- Companies should embrace EDRs or at least antivirus, to protect in case social engineering attacks are successful and people download something infected.
- EDRs (endpoint detection and response) are better than antivirus as instead of detecting malware through signatures, they do it based on behaviour.
- No one person in an organization should have enough permissions to push code to production.
- Organizations managing Multisigs, big treasuries or upgradable contracts should train their teams in order to understand how to verify and simulate complex transactions. If you do not fully understand hashes, you do NOT sign.
- Tools like safe-tx-hashes (github.com/pcaversaccio/s…) from @pcaversaccio are great for this.
- Organizations should have clear procedures and policies on how to manage multisigs and treasuries.
- Hardware wallet diversity, frontend diversity, OS diversity and transaction simulation tool diversity matter, a lot.
- Multisigs should embrace time-locks, this feature would have stopped lots of attacks in the last year.
Having a plan is great, but testing those plans is also very important. War games and incident response live drills are great. Isaac Patka from Shield3 is one of the best out there in this matter. Not sure where to start with transaction verification? Start with Patrick Collins' videos and the tool he developed:
One of the MOST IMPORTANT THINGS TO LEARN from these kinds of incidents is that if you are ever compromised, or think you might have been, even if it happened during a series of job interviews, you HAVE TO REPORT IT. Threat actors take advantage of the fact that you will feel guilty and stupid telling your boss you got hacked while interviewing for another company. It's important that you disclose it, because they may have stolen company data or compromised servers or assets when they hacked you, and if you don't report it, the whole organization may be compromised, and you will be an accomplice.
"If you think security is expensive, try with an incident"
"Your security budget should grow with your TVL"
"90% of web3 organizations do not have someone dedicated 100% to security, far less a CISO."
"The problem is many people see the security department as a generator of zero revenue"
You think you are smart enough to detect any kind of attack and never download anything malicious? What if I told you that, in order to hack a sophisticated founder, they first hacked his lawyer's email account, saw that the founder was expecting an agreement draft from his lawyer the following week, and on that same day, from the lawyer's real email, they sent him that agreement, but in an infected file? So you receive something you are expecting, from someone you trust. Would you suspect anything?
Final recommendations:
- Use Hardware wallets. Master them.
- Store seed phrases with manual Shamir and anti-tampering bags
- Use YubiKeys with FIDO2, as TOTP apps are not phishing resistant.
- Use EDRs / antivirus
- Use a firewall. Try LuLu from Objective-See and all the tools they have, developed by Patrick Wardle (TaskExplorer, BlockBlock, KnockKnock, ReiKey, Netiquette, etc.).
- Password managers are meant to store passwords. No seeds, no 2FA, no backup codes, no recovery codes, no private keys.
- Enable Lockdown Mode on your Apple devices, especially on macOS
- Multisigs: use timelocks, learn to verify what you sign, train signers and test their knowledge.
- Apply a least privilege policy: everyone gets the minimum access they need. Not more.
Remember:
- Anyone can be hacked
- Anyone can be threatened or coerced
- Anyone can become evil (yes)
For many people it's obvious that it's important to have a good physician, a good lawyer, a good accountant. But given that the attack surface keeps growing and threat actors become more sophisticated, isn't it also obvious that everyone should have an OpSec consultant?
Wanna know more? You can follow us at @opsek_io, where we audit and train the Operational security posture of Web3 organizations and HNWI in order to survive the dark forest.
Check the complete episode here:
Stay safe. And remember:
Everything is a scam until proven otherwise. If you are not having some false positives every now and then, you are not being paranoid enough.