On February 21st, a significant cryptocurrency theft occurred involving Bybit: hackers from the Lazarus Group infiltrated a supplier's system to redirect 401,000 Ethereum coins worth approximately $1.5 billion. The attack exemplifies a supply chain vulnerability that let the hackers abuse AWS services while Bybit's own systems remained uncompromised.
Affected: Bybit, Safe{WALLET}, cryptocurrency sector
Key points:
- The Lazarus Group conducted the largest cryptocurrency theft in history, redirecting funds meant for Bybit.
- The attack was facilitated through a supply chain compromise of the Safe{WALLET} AWS environment.
- The hackers gained initial access via malware installed on a developer’s machine.
- Once inside, the attackers exploited AWS credentials and developer sessions for lateral movement.
- The lack of logging for certain AWS S3 activities aided the hackers in avoiding detection.
- The incident highlights vulnerabilities in cloud security and the importance of robust protective measures.
MITRE Techniques:
- TA0001 – Initial Access: Gained foothold via a compromised developer’s machine using malware.
- TA0002 – Execution: Used malware to execute commands on the developer’s machine.
- TA0003 – Persistence: Installed backdoors on internal services.
- TA0004 – Privilege Escalation: Exploited excessive IAM permissions on AWS for further access.
- TA0005 – Lateral Movement: Navigated through AWS by exploiting open developer sessions and looking for stored AWS credentials.
- TA0006 – Collection: Modified objects within the S3 bucket to exfiltrate sensitive data.
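Two of the points above are directly actionable for defenders: the missing S3 logging that helped the attackers avoid detection, and the modification of objects in an S3 bucket. The script below is an added example (not code from the original summary, from Bybit, or from Safe{WALLET}) showing the two checks a cloud security team would want: whether a CloudTrail configuration actually records S3 object-level (data) events for a production bucket, and which object writes in the resulting records came from a principal other than the expected deployment role. The trail selectors, bucket name, role names, account id and log records are all constructed placeholders for the example.

```python
"""Defender-side checks for the S3 blind spot described in the Bybit / Safe{WALLET} summary.

All inputs are constructed for this example: the bucket, role and account identifiers
are placeholders, not values from any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass

# S3 API calls that change object content or permissions; reads (GetObject) are ignored.
WRITE_EVENTS = {"PutObject", "DeleteObject", "CopyObject", "PutObjectAcl"}


@dataclass(frozen=True)
class Finding:
    event_time: str
    principal_arn: str
    event_name: str
    object_key: str
    source_ip: str


def buckets_missing_data_events(event_selectors: list[dict], buckets: list[str]) -> list[str]:
    """Return buckets for which no selector records S3 object writes.

    `event_selectors` has the shape of the 'EventSelectors' list that CloudTrail's
    GetEventSelectors API returns. Management events alone never capture PutObject;
    a bucket is covered only by an AWS::S3::Object data resource naming it
    ('arn:aws:s3:::<bucket>/') or naming all buckets ('arn:aws:s3'), with a
    ReadWriteType other than 'ReadOnly'.
    """
    covered: set[str] = set()
    for selector in event_selectors:
        if selector.get("ReadWriteType") == "ReadOnly":
            continue  # a read-only selector would never log a write
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                if value == "arn:aws:s3":  # wildcard: every bucket in the account
                    covered.update(buckets)
                covered.update(b for b in buckets if value == f"arn:aws:s3:::{b}/")
    return [b for b in buckets if b not in covered]


def unexpected_object_writes(records: list[dict], bucket: str, allowed_role_arns: set[str]) -> list[Finding]:
    """Flag writes to `bucket` whose caller is not one of the allowed deployment roles.

    `records` are CloudTrail data-event records (the 'Records' array of a log file).
    An assumed-role session ARN looks like arn:aws:sts::<acct>:assumed-role/<role>/<session>;
    only the <role> part is compared, so any session of an allowed role passes, while IAM
    users and every other role are reported.
    """
    allowed_roles = {arn.rsplit("/", 1)[-1] for arn in allowed_role_arns}
    findings: list[Finding] = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        role_name = arn.split("assumed-role/", 1)[1].split("/", 1)[0] if "assumed-role/" in arn else None
        if role_name in allowed_roles:
            continue
        findings.append(Finding(rec.get("eventTime", ""), arn, rec["eventName"],
                                params.get("key", ""), rec.get("sourceIPAddress", "")))
    return findings


# --- constructed sample input -------------------------------------------------
PROD_BUCKET = "example-frontend-assets"                               # placeholder
DEPLOY_ROLE = "arn:aws:iam::111122223333:role/ExampleDeployRole"      # placeholder

# Weak configuration: management events only, so object writes are never logged.
WEAK_EVENT_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]
# Corrected configuration: object-level events for the production bucket are recorded.
FIXED_EVENT_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                          "DataResources": [{"Type": "AWS::S3::Object", "Values": [f"arn:aws:s3:::{PROD_BUCKET}/"]}]}]


def _record(event_name: str, role: str, session: str, ip: str, when: str) -> dict:
    return {"eventTime": when, "eventSource": "s3.amazonaws.com", "eventName": event_name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}"},
            "requestParameters": {"bucketName": PROD_BUCKET, "key": "static/app.js"}}


# One legitimate CI deploy, one write from a developer session, one read (ignored).
SAMPLE_RECORDS = [
    _record("PutObject", "ExampleDeployRole", "ci-pipeline", "198.51.100.10", "2025-02-04T10:00:00Z"),
    _record("PutObject", "ExampleDeveloperRole", "dev-laptop", "203.0.113.77", "2025-02-18T15:32:41Z"),
    _record("GetObject", "ExampleDeveloperRole", "dev-laptop", "203.0.113.77", "2025-02-18T15:33:00Z"),
]


def run_checks() -> dict:
    """Run both checks against the constructed sample and return the results."""
    return {"buckets_without_data_events": buckets_missing_data_events(WEAK_EVENT_SELECTORS, [PROD_BUCKET]),
            "unexpected_writes": unexpected_object_writes(SAMPLE_RECORDS, PROD_BUCKET, {DEPLOY_ROLE})}


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Against a live account the selector list would come from the CloudTrail `get_event_selectors` call (boto3) and the records from the trail's delivered log files; the logic above is deliberately kept offline. The second check is only possible once the first one passes, which is the point the summary makes about the missing S3 logging: without data events for the bucket that serves front-end code, a malicious object write by a compromised developer session leaves no record to alert on.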