Quarterly Security Notification and Cryptocurrency Hacks
This week Jordan is your editor for F5 SIRT's This Week In Security (TWIS), covering Jan 30 - Feb 3 2023. I'll be covering our February Quarterly Security Notification and cryptocurrency-related news.
We in F5 SIRT invest a lot of time in understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to mitigate attacks and vulnerabilities effectively and get you back up and running. So next time you are facing a security emergency, please contact F5 SIRT.
Each QSN, the F5 SIRT team does a live stream for customers to give a high-level briefing on the issues, along with *most* answers to questions asked during the stream. I'm posting this article a week after the QSN, but you can still watch the pre-recorded video on YouTube.
Author Note: I wanted to be clear that none of the cryptocurrency hacks below are related to the F5 Quarterly Security Notification, the news stories below just happen to fall on the same week.
2022 Cryptocurrency Hacks
In a report published by Chainalysis last week, the occurrence of cryptocurrency hacks continues to grow, marking 2022 as a record year. According to the research, there was "$3.8 billion stolen from cryptocurrency businesses". While there are various factors to consider, I think the two primary issues enabling this are:
The technology is complex and changes fairly rapidly, making defense difficult. New entrants to the crypto space might want the first-mover advantage, which in some cases results in choosing to forego a security audit because it "slows things down". While this might provide an immediate advantage, it will often come back to haunt you later. Security works best when it's implemented from the beginning, not bolted on later, and we have plenty of incidents that could have been avoided with more investment in security early in the Software Development Lifecycle.
Attackers recognize an easier path to the money. When I look at another common security problem we call ransomware, an attacker needs to first compromise a victim organization, obtain some valuable data, hold the data for ransom, and then extort the victim for payment. It's a popular choice for bad actors, but it involves many steps that may not pay out in the end. Going after cryptocurrency exchanges, exploiting DeFi protocols, or phishing people with large wallets bypasses the obtaining-data and extortion stages entirely. In other words, it's a quicker path to stealing money.
I think this trend will unfortunately continue and if history is any guide, we can expect to see year over year growth in the amount of cryptocurrency stolen in 2023. In the next article, we'll take a look at a specific attack on DeFi protocols, which was the most common attack type seen for the past two years in a row.
BonkDAO Price Oracle Manipulation
In Decentralized Finance (DeFi), price oracles are used to determine the price of assets for purposes such as collateralization or margin trading. The data for the price oracle is typically sourced from trusted exchanges or other data providers, and that data can sometimes be manipulated by a bad actor. This attack type is called "price oracle manipulation", and it becomes possible when a bad actor is able to control or alter the data fed into the source(s) used by the price oracle. When the source is a single on-chain exchange pool, for example, a large enough swap (often funded by a flash loan) moves that pool's spot price within one transaction. By manipulating the perceived value of an asset, a bad actor can either benefit through their own actions (buy or sell) or cause other non-malicious actors to make incorrect decisions and take actions which benefit the bad actor.
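To make the mechanics concrete, here is an added toy model written for this article; it is not code from the original post, from BonkDAO, or from any real protocol, and every name, reserve size and parameter in it is invented. A constant-product AMM pool is the only price source for a lending protocol. The attacker pumps the pool price and borrows against collateral valued at the pumped price in the same transaction, then unwinds the pump. A naive spot-price oracle hands over the loan; a TWAP oracle sampled at the start of each block, combined with a spot-vs-TWAP deviation guard, refuses it.

```python
"""Constructed toy model of DeFi price-oracle manipulation (illustration only).
Names, reserves, LTV and window sizes are all invented assumptions."""
from collections import deque
from dataclasses import dataclass

LTV = 0.75  # assumed loan-to-value ratio the toy lending protocol allows


@dataclass
class ConstantProductPool:
    """x*y=k pool of TOKEN against a USD stablecoin (no swap fee, to keep the math plain)."""
    reserve_token: float
    reserve_usd: float

    def spot_price(self) -> float:
        """USD per TOKEN read straight from current reserves: the manipulable value."""
        return self.reserve_usd / self.reserve_token

    def buy_token(self, usd_in: float) -> float:
        """Swap USD in for TOKEN out; moves the spot price up."""
        k = self.reserve_token * self.reserve_usd
        new_usd = self.reserve_usd + usd_in
        new_token = k / new_usd
        out = self.reserve_token - new_token
        self.reserve_usd, self.reserve_token = new_usd, new_token
        return out

    def sell_token(self, token_in: float) -> float:
        """Swap TOKEN in for USD out; moves the spot price back down."""
        k = self.reserve_token * self.reserve_usd
        new_token = self.reserve_token + token_in
        new_usd = k / new_token
        out = self.reserve_usd - new_usd
        self.reserve_usd, self.reserve_token = new_usd, new_token
        return out


class SpotOracle:
    """Vulnerable: reports whatever the pool reserves say at this instant."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def on_new_block(self) -> None:
        pass  # nothing is recorded; every call to price() is live

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Hardened: averages the price sampled at the start of each block over a window,
    and refuses to answer when the live spot price has drifted too far from that average."""
    def __init__(self, pool: ConstantProductPool, window_blocks: int = 10, max_deviation: float = 0.05):
        self.pool = pool
        self.samples = deque(maxlen=window_blocks)
        self.max_deviation = max_deviation

    def on_new_block(self) -> None:
        # Sampled before any transaction in the block runs, so a swap inside the
        # block cannot influence the sample a borrow in the same block will use.
        self.samples.append(self.pool.spot_price())

    def price(self) -> float:
        twap = sum(self.samples) / len(self.samples)
        spot = self.pool.spot_price()
        if abs(spot - twap) / twap > self.max_deviation:
            raise RuntimeError(f"deviation guard: spot {spot:.2f} vs TWAP {twap:.2f}")
        return twap


def max_borrow_usd(oracle, collateral_tokens: float) -> float:
    return oracle.price() * collateral_tokens * LTV


def run_attack(make_oracle, collateral_tokens: float = 100_000.0, pump_usd: float = 2_000_000.0) -> dict:
    """Attacker already holds collateral_tokens as collateral, then pumps, borrows and unwinds."""
    pool = ConstantProductPool(reserve_token=1_000_000.0, reserve_usd=1_000_000.0)  # fair price 1.00 USD
    oracle = make_oracle(pool)
    for _ in range(10):                     # ten quiet blocks at the fair price
        oracle.on_new_block()
    fair_value = pool.spot_price() * collateral_tokens
    honest_borrow = max_borrow_usd(oracle, collateral_tokens)
    oracle.on_new_block()                   # attack block begins; TWAP sample taken before the attacker acts
    bought = pool.buy_token(pump_usd)       # one transaction: pump ...
    pumped_spot = pool.spot_price()
    try:
        borrowed = max_borrow_usd(oracle, collateral_tokens)   # ... borrow at the inflated valuation ...
        rejected = False
    except RuntimeError:
        borrowed, rejected = 0.0, True
    recovered = pool.sell_token(bought)     # ... and unwind the pump
    round_trip_cost = pump_usd - recovered  # 0 here because the toy pool charges no fee
    # If the loan went through the attacker abandons the collateral and keeps the difference.
    profit = (borrowed - fair_value if borrowed else 0.0) - round_trip_cost
    return {"honest_borrow": honest_borrow, "pumped_spot": pumped_spot,
            "borrowed": borrowed, "rejected": rejected, "profit": profit}


if __name__ == "__main__":
    for name, factory in (("spot oracle", SpotOracle), ("TWAP + guard", TwapOracle)):
        print(name, run_attack(factory))
```

With the constructed numbers the pump takes the pool from 1.00 to 9.00 USD per TOKEN, so the spot oracle lets 100,000 TOKEN of collateral (fairly worth 100,000 USD) back a 675,000 USD loan, while the TWAP oracle still reports 1.00 and the deviation guard rejects the borrow outright. The guard matters even for a TWAP: an attacker willing to hold the pump across a block boundary can pull one inflated sample into the window, and the spot-vs-average check catches that case too. Real protocols add further controls this toy omits, such as multiple independent feeds and borrow caps.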
This is the type of attack used to exploit BonkDAO last week, where attackers manipulated a price oracle to steal cryptocurrency. It's still a bit unclear exactly how much the attackers got away with; the value *seems to be* somewhere in the $2 million range, even though some reports claim the total was $120 million. Either way, since all transactions on this blockchain are public, the events of the attack were noticed by a community member and then live-tweeted. Along with the live account of the attack on Twitter, a visual aid of the attack flow was created to assist forensic analysis. For a full write-up, check out this article on Rekt for a great technical step-by-step.
Hope you got value from the content, thanks for reading.