The ByBit crypto exchange suffered a massive theft of 400,000 ETH attributed to North Korea's TraderTraitor group. Leveraging supply chain attacks and malicious Python scripts, the attackers compromised the Safe{Wallet} platform, using session tokens to access AWS and execute fraudulent transactions. (Affected: ByBit, Safe{Wallet}, crypto sector)
Key points:
- TraderTraitor exploited a trusted vendor relationship with Safe{Wallet}.
- Attack involved social engineering and PyYAML deserialization.
- Compromised AWS session tokens were used for lateral movement.
- Malicious JavaScript code was injected into a static site to modify transaction details.
- The incident highlights vulnerabilities in the crypto supply chain and emphasizes the need for improved security measures.
- Detection and emulation of the attack were conducted using Elastic products.
MITRE Techniques:
- Initial Access (TA0001): Exploiting a trusted relationship with Safe{Wallet} to gain access.
- Abuse Elevation Control (T1548): Attempting to register an MFA device using compromised session tokens.
- Remote Command Execution (T1203): Utilizing PyYAML deserialization payload to execute malicious code.
- Data Manipulation (T1565): Injecting malicious JavaScript into the frontend application to alter transaction destinations.
- Session Token Theft (T1550): Using session tokens for unauthorized access to AWS.
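As an added illustration of the PyYAML deserialization point in the key points and MITRE list above (not code from the article or from Elastic), a defender-side pre-check that flags Python-specific YAML tags before parsing and only ever uses yaml.safe_load; the sample documents are constructed and the callable they name is harmless:

```python
"""Pre-parse triage for YAML carrying Python-specific tags. PyYAML's full
loader (yaml.load with yaml.Loader/UnsafeLoader) honours tags such as
!!python/object/apply and calls the named callable during deserialization;
yaml.safe_load refuses them. Scan first, then parse only with safe_load."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Full form (!!python/...), explicit-handle form (!python/...) and the URI
# used in %TAG directives. A custom handle defined via %TAG and used later
# as e.g. !p!object/apply is caught only through the directive line, so
# this scan is a triage signal; the control is never using a non-safe loader.
UNSAFE_TAG_RE = re.compile(
    r"(?:!!?python/|tag:yaml\.org,2002:python/)"
    r"(?P<kind>[A-Za-z/]*)(?::(?P<target>[\w.]+))?"
)

@dataclass
class Finding:
    line: int              # 1-based line number in the document
    tag: str               # matched tag text
    target: Optional[str]  # dotted callable/class name, if one is named

def scan_yaml_text(text: str) -> List[Finding]:
    """Return every Python-specific tag found, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in UNSAFE_TAG_RE.finditer(line):
            findings.append(Finding(lineno, m.group(0), m.group("target")))
    return findings

def load_yaml_strictly(text: str):
    """Reject documents with Python tags, then parse with safe_load only."""
    findings = scan_yaml_text(text)
    if findings:
        lines = sorted({f.line for f in findings})
        raise ValueError(f"python-specific YAML tag(s) at line(s) {lines}")
    import yaml  # PyYAML; imported only once the text passed the pre-check
    return yaml.safe_load(text)

# Constructed samples (not from the incident): a benign config, the same
# config with an apply tag naming a harmless callable, and a %TAG variant.
SAMPLE_BENIGN = "service: pricing\nreplicas: 2\nhook: null\n"
SAMPLE_TAGGED = ("service: pricing\nreplicas: 2\n"
                 "hook: !!python/object/apply:builtins.len [[1, 2, 3]]\n")
SAMPLE_DIRECTIVE = ("%TAG !p! tag:yaml.org,2002:python/\n---\n"
                    "hook: !p!object/apply:builtins.len [[1]]\n")
```

Running the scanner over configuration or CI files pulled from a vendor pipeline gives a cheap detection signal; the actual mitigation is replacing every yaml.load call that uses a non-safe loader.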
Indicators of Compromise:
- The article mentions AWS session tokens used for unauthorized access, indicating compromised credentials.
- Malicious Python scripts and their associated hashes are noted for identifying injected payloads.
- Reference to specific JavaScript file modifications provides clues for frontend tampering detection.
- Domain registrations (e.g., getstockprice[.]com) used for C2 communication serve as indicators of potential phishing or remote access points.
Full Story: https://www.elastic.co/security-labs/bit-bybit