Three Key Lessons from the Binance Hack

Posted by Paulo Shakarian on May 21, 2019 11:54:12 AM

Earlier this month, Binance, one of the largest cryptocurrency exchanges, suffered an attack where hackers stole $40M worth of Bitcoin.  While Blockchain provides strong fundamentals leading to secure cryptocurrency transactions, we must remember that it exists in a larger information technology (IT) context.  In any IT setup, there are exploits available to attackers even in the presence of highly secure core algorithms like those used in Blockchain.  The hackers tend to focus on exploiting human weakness, system weakness, and implementation weakness.

In their public announcements, Binance was scant on details, but we do know the attack had components in each of these three areas.  It leveraged phishing (human weakness), it involved stealing from a hot wallet (system weakness), and the hackers overcame two-factor authentication, or 2FA (implementation weakness).  Let’s consider each in turn.

Human Weakness.  Binance reported that phishing was directly involved in the theft.  Attackers continue to evolve new and increasingly cunning methods of phishing, making it difficult to avoid even for the most prudent computer users.  While there are many good anti-phishing solutions, they are also widely known.  As a result, hackers routinely test their techniques to circumvent these systems.  We conducted a peer-reviewed scientific study, published at IEEE Intelligence and Security Informatics last fall, in which we examined precursors in hacker discussions prior to attacks against cryptocurrency infrastructure.  Repeatedly, conversations detailing emails and mobile devices (the vectors used for phishing) proved to be indicative of attacks with high probability.  Understanding what hackers are preparing prior to an attack enables the situational awareness needed to avoid the latest phishing attempts.

System Weakness.  Phishing is only the starting point for hackers stealing information from a system, as phishing only entails the ability to trick the user into opening the door.  The hacker then needs to capitalize on that mistake, using exploits and malware to gain and expand access to the system.  This is likely what Binance referred to when stating there was the involvement of a “virus.”  The use of exploits allows the attacker to leverage a flaw in the system to gain access.  A user clicking on a link in an email, no matter how malicious, does not necessarily provide the attacker the ability to take further action.  For example, we previously discussed a major flaw in Microsoft Office that led to widespread system access by hackers.  Once in, hackers can then use a variety of techniques to compromise a wallet (which was another weak point stated by Binance).  While many may think that “you can just patch your system,” that task is rarely as easy as it sounds: there were over 16,000 vulnerabilities disclosed by software vendors in 2018, and organizations are not keeping up.  Routinely, companies get attacked through very old software vulnerabilities, with over 90% of firms reporting a breach by a software vulnerability at least three years old.  As with phishing, maintaining a lead on the specific vulnerabilities hackers are attempting to exploit, and ensuring those are prioritized for patching, will help avoid attacks before they start.

Implementation Weakness.  Binance stated that the attackers were able to overcome two-factor authentication (2FA), which is regarded as the gold standard in the industry for access control.  While the exchange did not provide details on how the hackers were able to overcome 2FA, there are many possibilities depending on how it was implemented.  And this leads to our third point.  The implementation of a software solution can also introduce vulnerabilities, no matter how secure the base solution.  This is akin to installing a high-tech combination lock on a door only to have it not latch properly.  The discovery of these problems is really a result of solid vulnerability scanning and/or penetration testing.  It is for this reason that the recently updated guidance released by the ADGM for cryptocurrency regulation specifies that firms involved in cryptocurrency trading should have their systems “tested for technical, operational and security vulnerabilities including but not limited to functional, penetration and stress testing.”[i]
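To make the “lock that does not latch” point concrete, here is an added illustration that is not from the original post and does not describe how Binance’s 2FA was built or bypassed.  It implements a standard RFC 6238 TOTP code generator, then shows a naive verifier next to a hardened one.  The underlying algorithm is the same in both; what differs is the implementation detail around it: a bounded time window, constant-time comparison, one-time use of each code, and a lockout after repeated failures.  The verifier class, its window and lockout parameters, and the test secret are constructed for this example.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length


def hotp_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_code(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp_code(secret, unix_time // step)


def verify_naive(secret: bytes, submitted: str, now: int) -> bool:
    """Correct algorithm, weak implementation: no replay protection, no attempt limit,
    and a timing-variable string comparison. Shown only as the 'unlatched' contrast."""
    return totp_code(secret, now) == submitted


class TotpVerifier:
    """Hardened verifier (constructed for this example): bounded drift window,
    constant-time compare, each code accepted at most once, lockout on repeated failure."""

    def __init__(self, secret: bytes, window: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.window = window            # +/- steps of clock drift tolerated
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0           # unix time until which attempts are refused
        self.last_counter = -1          # highest counter already consumed

    def _fail(self, now: int) -> bool:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False

    def verify(self, submitted: str, now: int) -> bool:
        if now < self.locked_until:
            return False                      # locked out: refuse without evaluating
        if len(submitted) != DIGITS or not submitted.isdigit():
            return self._fail(now)            # malformed input counts as a failure
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp_code(self.secret, counter)
            if hmac.compare_digest(expected, submitted):
                if counter <= self.last_counter:
                    return self._fail(now)    # replay of a code already consumed
                self.last_counter = counter
                self.failures = 0
                return True
        return self._fail(now)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret.
    secret = b"12345678901234567890"
    now = 1111111109
    code = totp_code(secret, now)
    print("naive accepts replay:", verify_naive(secret, code, now), verify_naive(secret, code, now))
    v = TotpVerifier(secret)
    print("hardened first use / replay:", v.verify(code, now), v.verify(code, now))
```

The generator is checked against the RFC 6238 test vectors (secret `12345678901234567890`, SHA-1), so the point of the example is not that the math is hard, but that the surrounding implementation decides whether a correct algorithm actually protects the account.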

Securing the currency of the future.  While cryptocurrency holds a great deal of promise and provides much security in a theoretical sense, the people, systems, and implementation must also be secure to avoid future incidents like this month’s theft at Binance.  Understanding the hacker threat and closely examining systems based on that knowledge is key to avoiding such threats.

About CYR3CON.  CYR3CON provides cyber threat intelligence through advanced machine learning and data mining of malicious hacker communities. CYR3CON’s flagship product, CYR3CON Priority, ranks all vulnerabilities based on threat. Hacker discussions are analyzed with predictive machine learning algorithms that consider conversation content, hacker social structure, reputation, language, etc. in order to help organizations best mitigate risk by prioritizing patching against real-world threats.

[i] See item 51 in http://adgm.complinet.com/net_file_store/new_rulebooks/g/u/Guidance_Regulation_of_Crypto_Asset_Activities_in_ADGM_140519.pdf

Topics: Cybersecurity, Hacking, Cryptocurrency, Bitcoin