Security Analysis: July’s Hacking Incidents

Security Analysis: hacking attacks in the cryptocurrency and blockchain field, July 2020 to the present

Hacker Ransomware Attack

Since July, the main methods used in ransomware-related attacks have been traditional ransomware (encrypting or stealing data and demanding payment) and attacks that exploit system vulnerabilities to take remote control of the victim's machine.

For this type of attack the attacker needs no blockchain-specific knowledge or technical expertise to succeed; this is especially true of the Twitter attack, which relied on social engineering. The Twitter attackers were three young men, the oldest of whom was only 22. The incident had a profound impact on society because it brought BTC scams to the forefront of traditional media coverage.

1. On July 2, roughly 22,900 exposed MongoDB databases were attacked and wiped. The attacker demanded BTC as ransom in exchange for backups of the deleted data.

2. On July 11, an abnormal transaction occurred on the Cashaa exchange. The attacker took control of a victim's computer, operated the victim's Bitcoin wallet on Blockchain.info, and transferred approximately US$9,800 worth of BTC to an attacker-controlled address.

3. On July 15, Twitter suffered a social engineering attack. Access to an employee administration tool was stolen, and the attackers used it to post fraudulent messages from the accounts of multiple organizations and individuals, enticing victims to send money to the attackers' Bitcoin address.

4. On July 22, data was stolen from York University, and the attackers demanded approximately US$1.14 million in BTC as ransom.

5. On July 23, data was stolen from the English Football League, and the attackers demanded BTC as ransom.

6. On July 25, about 800 GB of data was stolen from the Spanish Railway Infrastructure Administration, and the attackers demanded BTC as ransom.

7. On July 30, Canon suffered an attack in which about 10 TB of photos and other data were stolen; the attackers demanded digital currency as ransom.

8. On July 31, the digital currency exchange 2gether was hacked and about US$1.39 million worth of BTC was stolen.

9. On August 4, the DeFi project Opyn was exploited through a flaw in its smart contract code: the attacker obtained roughly twice the number of tokens deposited, causing a loss of approximately US$370,000.

Understanding Code Vulnerability Attack

Incidents involving 51% attacks and code vulnerability attacks demand more specialised knowledge. For a 51% attack, the attacker must understand how blockchain consensus can be overpowered and be able to identify the conditions that make it feasible (such as renting a large amount of hash power). For a code vulnerability attack, the attacker needs a deep understanding of smart contract technology, the ability to find the logic flaws in a contract, and the skill to exploit them.

Example of Code Vulnerability Attack

Incident No. 9

This incident occurred in the DeFi project Opyn. The root cause was a vulnerability in the exercise function of Opyn's oToken smart contract.

When a user calls the exercise function and sends ETH to the contract, the contract only checks, for each position being exercised, that the ETH attached to the transaction matches the amount required for that single exercise. It does not keep track of how much of the attached ETH has already been consumed, so after one exercise is completed it never checks that enough ETH remains to pay for the next one.

In other words, the attacker can attach a single payment of ETH, exercise against two vaults in the same transaction, collect collateral from both, and end up with roughly twice the amount of ETH sent.
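To make the flaw concrete, the following is an added illustration in Solidity written for this article; it is not Opyn's own code. It shows a simplified contract that exercises against a list of vaults and re-checks msg.value inside the loop, beside a hardened version that tracks the ETH actually received. The contract names, the STRIKE and PAYOUT constants, the vault layout and the owedEth bookkeeping are all hypothetical, and the real oToken contract's accounting differs in its details.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of the bug pattern, NOT Opyn's code.
// Assumptions (hypothetical): each vault holds collateral posted by its owner;
// exercising against a vault costs STRIKE wei of ETH and releases PAYOUT wei of
// that vault's collateral to the caller. Withdrawal of owedEth by vault owners
// is omitted because it is not needed to show the flaw.
contract VulnerableExercise {
    uint256 public constant STRIKE = 1 ether;
    uint256 public constant PAYOUT = 1 ether;

    mapping(address => uint256) public collateral; // vault owner => posted collateral
    mapping(address => uint256) public owedEth;    // vault owner => strike ETH credited

    function addCollateral() external payable {
        collateral[msg.sender] += msg.value;
    }

    // BUG: msg.value is one value for the whole transaction, but the check in
    // _exercise is re-evaluated for every vault, so a single STRIKE payment
    // "buys" an exercise against every vault in the array.
    function exercise(address[] calldata vaults) external payable {
        for (uint256 i = 0; i < vaults.length; i++) {
            _exercise(vaults[i]);
        }
    }

    function _exercise(address vault) internal {
        require(msg.value == STRIKE, "wrong ETH amount"); // true on every iteration
        require(collateral[vault] >= PAYOUT, "insufficient collateral");
        collateral[vault] -= PAYOUT;   // effects before the external call
        owedEth[vault] += STRIKE;      // credited although the ETH arrived only once
        (bool ok, ) = msg.sender.call{value: PAYOUT}("");
        require(ok, "payout failed");
    }
}

// Hardened form: budget the ETH actually received across the whole loop.
contract FixedExercise {
    uint256 public constant STRIKE = 1 ether;
    uint256 public constant PAYOUT = 1 ether;

    mapping(address => uint256) public collateral;
    mapping(address => uint256) public owedEth;

    function addCollateral() external payable {
        collateral[msg.sender] += msg.value;
    }

    function exercise(address[] calldata vaults) external payable {
        uint256 remaining = msg.value;                 // budget for the entire call
        for (uint256 i = 0; i < vaults.length; i++) {
            require(remaining >= STRIKE, "not enough ETH for this vault");
            remaining -= STRIKE;                       // each vault consumes its share
            _exercise(vaults[i]);
        }
        require(remaining == 0, "excess ETH sent");    // no silent overpayment
    }

    function _exercise(address vault) internal {
        require(collateral[vault] >= PAYOUT, "insufficient collateral");
        collateral[vault] -= PAYOUT;
        owedEth[vault] += STRIKE;
        (bool ok, ) = msg.sender.call{value: PAYOUT}("");
        require(ok, "payout failed");
    }
}
```

With two vaults each funded with 1 ETH, calling exercise([vaultA, vaultB]) with 1 ETH attached pays the caller 2 ETH from VulnerableExercise while both vault owners are credited a strike payment that was only received once; the same call on FixedExercise reverts at the second vault with "not enough ETH for this vault". The general lesson is that msg.value is a per-transaction quantity, so any check on it inside a loop must be replaced by explicit accounting of how much has already been spent.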

Given the details of the Opyn incident, it appears the updated smart contract was deployed and run without a rigorous security audit and verification beforehand, much like the YAM incident this month, whose smart contract also shipped with a code vulnerability. In our opinion this is the main cause of the Opyn incident.

In Conclusion

We recommend that companies and projects:

1. Do a better job of screening the hardware and software that runs their blockchain for security vulnerabilities, and cultivate employees' awareness of common attack vectors and how to defend against them in their daily work.

2. Guard against any single party gaining "dominance" by controlling more than half of the network's total computing power. For protection in specific blockchain projects, consider increasing the number of transaction confirmations required or optimizing the consensus algorithm.

3. Strengthen verification and auditing of the chain code and smart contract code in the blockchain project: invite multiple independent external security audit services to audit the code, and re-audit each time the code is updated.

We are not just looking for vulnerabilities; our aim is to eliminate even a 0.00000001% chance of potential danger.