It has been reported that the FBI, CISA and the U.S. Treasury Department have issued a joint cybersecurity advisory warning all businesses in cryptocurrency to watch out for attacks from North Korean state-sponsored hackers. The full advisory can be viewed here. The advisory also warns that Lazarus attacks start by targeting employees of these firms, most often those in developer or DevOps roles.
This campaign combines multiple popular trends into an attack. The alert from CISA describes a spear-phishing campaign that leverages the hot job market to entice users into downloading malicious cryptocurrency software. We’ve certainly seen attacks focused on cryptocurrency before, and malicious software isn’t new. It’s important that readers understand that this alert isn’t about a new technology, but increased attack activity. It’s easy to think that you’re not going to fall for a phishing email, but the data shows that malicious emails continue to be successful for attackers. Better to be overly cautious than compromised.
We’re seeing that new players are learning to deal with old problems. The architecture might look new, the business cases of this technology might be novel, the developers and designers certainly aren’t your traditional financial veterans, but the threats are the same. For decades, owners of certificate-based PKI trust schemes have known that keeping one’s secret key, well…secret, has been of the utmost importance. If an attacker compromises that key, the owner then loses all integrity and confidentiality in their trust scheme. Now, crypto wallet keys are even bigger targets because they can be used to steal millions of dollars’ worth of virtual assets in the amount of time a transaction takes to write to the blockchain. While crypto developers may have had key management experience, or crypto materials training, that is neither a given nor an enforceable requirement.
The shift to DevOps also means that the traditional Separation of Duties required by financial regulations such as Sarbanes-Oxley has to be rethought and reworked. Due to regulatory requirements, developers were separated from production data. If a developer system was compromised via a phishing campaign, any malware present only had access to development data. In a modern DevOps environment, extra care has to be taken when implementing network, role, and access restrictions so that developers and applications can operate while an attacker is prevented from using a compromised server or dev workstation to gain access to crypto wallet keys and the assets those keys protect.
Solutions to security concerns should also be integrated into the development environment, software requirements, and production environment. It’s not enough to simply rely on network segments to protect the company from targeted phishing attacks. Instead, developer education should be the primary goal in setting up the first line of defense. Clearly defined roles and access limits should make up a layered middle defense, and comprehensive audit and logging controls should be the last line of defense in case of a breach.
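The middle and last layers described above can be made concrete with a deny-by-default access policy in front of a wallet-key store, evaluated on role, originating network and resource, with every decision written to an audit log. The following is an added example for this article, not code from the advisory or from any project it mentions; the roles, network ranges, resource names and the assumption that a caller’s role is asserted by an identity provider rather than self-claimed are all constructed for illustration.

```python
"""Deny-by-default access policy for a wallet signing-key store.

Added example, not from the advisory or the article. It models the
separation between developer workstations and production key material
that the text calls for, plus an audit trail of every decision.
All roles, networks and resource names are constructed for illustration.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed network segments; a request is classified by where it came from.
NETWORKS = {
    "dev-workstations": ipaddress.ip_network("10.10.0.0/16"),
    "ci-runners": ipaddress.ip_network("10.20.0.0/16"),
    "prod-signers": ipaddress.ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Request:
    principal: str
    role: str        # assumption: asserted by the identity provider, not by the caller
    source_ip: str
    resource: str    # e.g. "wallet-key/prod/hot" or "wallet-key/testnet/dev"
    action: str      # "read", "sign" or "rotate"


@dataclass(frozen=True)
class Rule:
    role: str
    allowed_networks: frozenset
    resource_prefix: str
    actions: frozenset


# Allow-list. Anything that matches no rule is denied. Note that no rule lets
# the developer role touch production keys from any network, and the role that
# may sign with production keys is pinned to the signing-service segment.
RULES = [
    Rule("developer", frozenset({"dev-workstations"}), "wallet-key/testnet/",
         frozenset({"read", "sign"})),
    Rule("devops", frozenset({"ci-runners"}), "wallet-key/prod/",
         frozenset({"rotate"})),
    Rule("signing-service", frozenset({"prod-signers"}), "wallet-key/prod/",
         frozenset({"sign"})),
]


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, req, decision, reason):
        # Every decision, allowed or denied, is recorded so a breach can be
        # reconstructed afterwards.
        self.entries.append({
            "principal": req.principal, "role": req.role,
            "source_ip": req.source_ip, "resource": req.resource,
            "action": req.action, "decision": decision, "reason": reason,
        })


def network_of(ip):
    """Return the name of the segment containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def authorize(req, log):
    """Return True only if some rule explicitly allows the request."""
    net = network_of(req.source_ip)
    if net is None:
        log.record(req, "deny", "request from unknown network")
        return False
    for rule in RULES:
        if (rule.role == req.role
                and net in rule.allowed_networks
                and req.resource.startswith(rule.resource_prefix)
                and req.action in rule.actions):
            log.record(req, "allow", f"matched rule for role {rule.role}")
            return True
    log.record(req, "deny", "no matching rule (deny by default)")
    return False


def denied_prod_key_attempts(log):
    """Audit query: denied requests against production key material.

    A developer or a CI runner being refused a production key is exactly the
    signal a compromised dev workstation would produce.
    """
    return [e for e in log.entries
            if e["decision"] == "deny" and e["resource"].startswith("wallet-key/prod/")]


if __name__ == "__main__":
    log = AuditLog()
    # A phished developer workstation asking for the production hot-wallet key.
    authorize(Request("alice", "developer", "10.10.5.7", "wallet-key/prod/hot", "sign"), log)
    for entry in denied_prod_key_attempts(log):
        print(entry)
```

The design choice worth noting is that the network check and the role check are both required: the signing-service role from a developer subnet is refused just as a developer role is, so stealing a service credential is not enough on its own, and the refusal lands in the audit log where it can be alerted on.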
The rough and tumble, unregulated space that crypto has created for itself leads to even more exposure. When credit card numbers were easy to steal via mag-stripe readers, payment processing companies and banks were required to take out insurance to cover fraudulent charges. These insurance requirements led to more stringent application security controls that haven’t reached crypto companies yet. Instead, when a company loses crypto assets due to a compromised wallet key, design flaw, business logic exploit, or software vulnerability, it has to deal with the fallout itself, either by reimbursing customers or by passing on the loss to the detriment of its brand and customer confidence.
The good news is that while modern development pipelines don’t automatically make software more secure, they are far more compatible with integrating secure design, automated defect discovery, and policy-as-code measures than the waterfall, manually built pipelines of yore. My prediction is that crypto companies will have to play catch-up fast, but will also react faster than other, more staid industries have in the past.