Uncovering the Bybit Hack: A Detailed Analysis
Safe released a preliminary report on Mar. 6 shedding light on the Bybit hack, attributing it to a compromised developer laptop. Malware injected onto that laptop paved the way for the hack.
Exploiting Multi-Factor Authentication (MFA)
- The hackers bypassed MFA by exploiting active Amazon Web Services (AWS) session tokens, granting them unauthorized access to the system.
- This unauthorized access allowed the hackers to manipulate Bybit’s Safe multi-signature wallet interface, redirecting roughly $1.5 billion worth of Ethereum (ETH) to a different address.
Compromise of Developer Workstation
The breach originated from a compromised macOS workstation belonging to a Safe developer, identified as “Developer1” in the report.
Social Engineering Tactics
- A contaminated Docker project communicated with a malicious domain named “getstockprice[.]com” on Feb. 4, suggesting the use of social engineering tactics.
- Developer1 unknowingly added files from the compromised Docker project, leading to the compromise of their laptop.
Identifying the Attackers
- The attackers accessed Developer1’s AWS account using a User-Agent string associated with Kali Linux, a distribution bundling tools commonly used by offensive security practitioners.
- They used ExpressVPN to mask their origin, a pattern resembling previous incidents involving UNC4899, a threat actor associated with criminal activities.
Exploitation of AWS Security Controls
Safe’s AWS configuration required MFA re-authentication for Security Token Service (STS) sessions every 12 hours, but the attackers managed to bypass this restriction.
Hijacking AWS User Session Tokens
- The attackers planted malware on Developer1’s workstation to hijack active AWS user session tokens, allowing them to operate inside the developer’s already-authenticated sessions so that the 12-hour MFA re-authentication requirement was never triggered.
- Three additional UNC4899-linked domains were identified in the attack, indicating broader infrastructure exploitation.
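A hijacked session token is used with valid credentials inside the MFA window, so the signal defenders have is the token being driven from a different client context than the one that obtained it. The following added example (not code from the Safe report) runs that check over constructed CloudTrail-style records; the access key IDs, IP addresses, and the "kali" User-Agent marker are assumptions for the sample.

```python
# Constructed CloudTrail-style records (sample data, not from the Safe report).
# Field names mirror CloudTrail's; addresses come from documentation ranges.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-18T09:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEDEVTOKEN1"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"},
    # Same temporary key, now driven from another host: the pattern a stolen token produces.
    {"eventTime": "2025-02-18T09:40:00Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEDEVTOKEN1"},
     "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9-kali"},
    {"eventTime": "2025-02-18T09:41:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEDEVTOKEN1"},
     "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9-kali"},
    # Long-lived key (AKIA...) is out of scope for a session-token check.
    {"eventTime": "2025-02-18T09:50:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELONGLIVED"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"},
]

# Assumption: substrings this hunt treats as anomalous in a User-Agent.
SUSPICIOUS_UA_MARKERS = ("kali",)

def find_session_reuse(events):
    """Flag temporary credentials (ASIA...) used from a context other than the one first seen."""
    first_seen = {}   # accessKeyId -> (sourceIPAddress, userAgent) at first use
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"]["accessKeyId"]
        if not key.startswith("ASIA"):   # only STS temporary credentials
            continue
        ctx = (ev["sourceIPAddress"], ev["userAgent"])
        if key not in first_seen:
            first_seen[key] = ctx        # baseline: where the session was first used
            continue
        base_ip, base_ua = first_seen[key]
        reasons = []
        if ctx[0] != base_ip:
            reasons.append("source IP changed from %s to %s" % (base_ip, ctx[0]))
        if ctx[1] != base_ua:
            reasons.append("user agent changed")
        if any(m in ctx[1].lower() for m in SUSPICIOUS_UA_MARKERS):
            reasons.append("offensive-tooling user agent")
        if reasons:
            findings.append({"accessKeyId": key, "eventName": ev["eventName"], "reasons": reasons})
    return findings
```

In practice the baseline context would come from the STS issuance event rather than the first API call, but the comparison is the same.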
Post-Breach Security Measures
Safe has taken significant steps to enhance security following the breach, restructuring infrastructure and implementing robust security measures.
Enhanced Security Protocols
- Restricted privileged infrastructure access to a few developers
- Enforced separation between development source code and infrastructure management
- Required multiple peer reviews before production changes
Furthermore, Safe has committed to maintaining monitoring systems, conducting independent security audits, and utilizing third-party services to detect and prevent malicious transactions.