Greetings!
More than $5.2M was stolen this week across 5 incidents. Let’s look at some of the more notable case studies.
We continue seeing the trend noted last week where the majority of losses are no longer caused by smart contract exploits. Loopring is one such example where a flaw in their 2FA recovery service was used to drain multiple wallets with losses exceeding $5M. The incident affected wallets that configured a single recovery wallet, namely Loopring’s official guardian account. A few lessons:
Wallet providers must ship a secure configuration by default. We can’t assume users will do the right thing or fully understand the risk.
Single points of failure like an official Guardian account create outsized risk and attract bad actors.
Web2 security controls like 2FA can and will fail.
See Vitalik’s recent Reddit post, “How I think about choosing guardians for multisig and social recovery wallets”, for more tips on secure implementation.
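To make the “secure by default” lesson concrete, here is an added illustration (not Loopring’s code, and not from Vitalik’s post) of the policy check a wallet provider could run before accepting a recovery setup. It models a social-recovery wallet as a set of guardian addresses plus an approval threshold, and rejects any configuration in which one guardian, or the provider’s own guardian service alone, can take over the wallet. The provider address, the user guardian addresses and the majority-threshold rule are all constructed assumptions for the example.

```python
"""Social-recovery guardian policy check (added illustration, not Loopring's code).

A wallet's recovery setup is modelled as a tuple of guardian addresses plus the
number of guardian approvals required to replace the owner key. The policy
refuses any setup where a single guardian, or the provider-run guardian service
on its own, is sufficient to recover the wallet. All addresses are placeholders.
"""
from dataclasses import dataclass

# Constructed placeholder for a guardian service operated by the wallet provider.
PROVIDER_GUARDIAN = "0xPROVIDERGUARDIAN_PLACEHOLDER"
PROVIDER_CONTROLLED = {PROVIDER_GUARDIAN.lower()}


@dataclass(frozen=True)
class RecoveryConfig:
    guardians: tuple          # guardian addresses (strings)
    threshold: int            # approvals needed to replace the wallet owner


def validate_recovery_config(cfg: RecoveryConfig) -> list:
    """Return the list of policy violations; an empty list means the setup is acceptable."""
    problems = []
    unique = {g.lower() for g in cfg.guardians}

    if len(unique) != len(cfg.guardians):
        problems.append("duplicate guardian addresses")
    if not 1 <= cfg.threshold <= len(unique):
        problems.append("threshold must be between 1 and the number of guardians")

    # Core rule: no single guardian may complete a recovery alone.
    if cfg.threshold < 2:
        problems.append("a single guardian can recover the wallet (threshold < 2)")
    if len(unique) < 2:
        problems.append("fewer than two guardians: single point of failure")

    # Provider-run guardians are shared across many wallets, so their compromise
    # must never be enough on its own to meet the threshold.
    provider_count = sum(1 for g in unique if g in PROVIDER_CONTROLLED)
    if provider_count >= cfg.threshold:
        problems.append("provider-controlled guardians alone can meet the threshold")

    return problems


def default_recovery_config(user_guardians) -> RecoveryConfig:
    """Secure-by-default provisioning (assumed policy, not a real provider's API).

    The provider guardian is added only as one of several guardians, never as the
    sole guardian, and the threshold is a majority of all guardians. A setup that
    still fails validation (e.g. the user supplied no guardians) is refused
    instead of being silently accepted.
    """
    guardians = tuple(dict.fromkeys([*user_guardians, PROVIDER_GUARDIAN]))
    threshold = len(guardians) // 2 + 1
    cfg = RecoveryConfig(guardians, threshold)
    problems = validate_recovery_config(cfg)
    if problems:
        raise ValueError("insecure recovery configuration: " + "; ".join(problems))
    return cfg


if __name__ == "__main__":
    # The failure mode from the incident: the provider guardian is the only guardian.
    sole_provider = RecoveryConfig((PROVIDER_GUARDIAN,), 1)
    print("sole provider guardian:", validate_recovery_config(sole_provider))
    # A default that keeps the provider as a convenience guardian but not a single point of failure.
    print("default config:", default_recovery_config(["0xALICE_PLACEHOLDER", "0xBOB_PLACEHOLDER"]))
```

The point of splitting validation from provisioning is that the same check can run both when a user edits their guardians and when the provider generates the initial setup, so a weak configuration cannot be reached by either path.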
Mandiant published a threat report on UNC5537, the group responsible for the mass compromise of Snowflake targets. While it’s not directly crypto-related, the incident contains a lot of critical lessons which you may find useful when securing web2 infrastructure and third-party dependencies:
The incident was caused by compromised credentials without 2FA enabled.
Credentials were stolen using a variety of infostealer malware families, indicating multiple campaigns.
Compromised credentials were not rotated or updated in years.
There were no network-location restrictions on where sensitive data could be accessed from.
Initial infostealer infection occurred on contractor machines used for multiple clients, gaming, and other personal use.
With the above in mind, at the very least buy your employees and contractors a $25 YubiKey. You may also consider a dedicated laptop, used from a restricted environment, for accessing the most critical systems holding billions. You will not go bankrupt from buying a laptop to prevent losing private keys when a contractor decides to pirate games on their shared dev box. Remember, we are in an industry where millions are stolen weekly, so your security controls should reflect that.
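The five Snowflake findings above map directly onto checks you can run against your own SaaS and data-platform accounts. The following is an added example, not code from Mandiant’s report or from Snowflake, that audits a constructed account inventory for the three configuration failures (no MFA, credentials not rotated, no network restriction) and flags logins that arrive from outside a user’s allowed networks. The account records, IP ranges and login events are all constructed sample data; the field names are assumptions rather than any vendor’s schema.

```python
"""Account-hygiene audit and out-of-policy login detection (added example).

Checks a constructed inventory of accounts against the lessons above:
  - MFA not enabled
  - credentials older than a rotation limit
  - no network policy restricting where the account may be used from
and flags login events whose source IP is outside the user's allowed networks.
All records below are constructed sample data, not real accounts or addresses.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed account inventory; field names are assumptions for the example.
ACCOUNTS = [
    {"user": "analyst1",    "mfa": True,  "password_changed": "2024-05-01", "network_policy": "corp_vpn"},
    {"user": "contractor7", "mfa": False, "password_changed": "2021-03-15", "network_policy": None},
    {"user": "etl_svc",     "mfa": False, "password_changed": "2022-11-30", "network_policy": "corp_vpn"},
]

# Constructed allow-list: policy name -> networks from which that policy permits access.
ALLOWED_NETWORKS = {
    "corp_vpn": [ip_network("10.8.0.0/16"), ip_network("203.0.113.0/24")],
}

# Constructed login events (ISO timestamps, documentation-range IPs).
LOGIN_EVENTS = [
    {"user": "analyst1",    "src_ip": "10.8.3.4",      "ts": "2024-06-10T09:12:00"},
    {"user": "contractor7", "src_ip": "198.51.100.77", "ts": "2024-06-10T02:41:00"},
    {"user": "etl_svc",     "src_ip": "203.0.113.9",   "ts": "2024-06-10T03:00:00"},
]

# Fixed reference date so credential ages are reproducible.
AUDIT_DATE = date(2024, 6, 12)


def audit_accounts(accounts, today, max_age_days=90):
    """Return {user: [finding, ...]} for every account that violates at least one rule."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["mfa"]:
            issues.append("mfa_disabled")
        age_days = (today - date.fromisoformat(acct["password_changed"])).days
        if age_days > max_age_days:
            issues.append(f"credential_age_{age_days}d")
        if not acct["network_policy"]:
            issues.append("no_network_policy")
        if issues:
            findings[acct["user"]] = issues
    return findings


def flag_out_of_policy_logins(events, accounts, allowed):
    """Return (user, src_ip) pairs for logins from outside the user's allowed networks.

    A user with no network policy has no allowed networks at all, so every login
    by that user is flagged: the absence of a restriction is itself the finding.
    """
    policy_by_user = {a["user"]: a["network_policy"] for a in accounts}
    flagged = []
    for ev in events:
        nets = allowed.get(policy_by_user.get(ev["user"]), [])
        src = ip_address(ev["src_ip"])
        if not any(src in net for net in nets):
            flagged.append((ev["user"], ev["src_ip"]))
    return flagged


if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(issues)}")
    for user, ip in flag_out_of_policy_logins(LOGIN_EVENTS, ACCOUNTS, ALLOWED_NETWORKS):
        print(f"out-of-policy login: {user} from {ip}")
```

Run against a real inventory export, the first function gives you the backlog (enable MFA, rotate, attach a network policy) and the second gives you something to alert on while that backlog is being worked, which is exactly the gap the contractor-laptop scenario above falls into.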
The premium version of the newsletter includes additional research papers, PoCs, indicators, and other data on the aforementioned compromises as well as two STM incidents, YYS and br1an.eth hacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh, and be sure to check out the media section for an excellent selection of web3 security and privacy related talks. Let’s dive into the news!