Contributed by Bryan York, Director of Services at CrowdStrike.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.*
Cryptocurrencies are in high demand. The increase in purchasing power and liquidity is driving not only huge valuations, but also extremely high volatility. Combine this wild success with North Korea's desire to import hard currency and it shouldn't come as a surprise that North Korea is rumoured to be behind the recent cryptocurrency theft. Cybercriminals stole £475 million worth of NEM coins from the Japanese cryptocurrency exchange, Coincheck, in one of the world's largest cyber-heists.
It's not just individuals with advanced skillsets who are looking to gain from hacking cryptocurrency exchanges. Well-funded state actors armed with cutting-edge equipment are looking to cash in on the rise of cryptocurrencies to further an international agenda.
Coincheck hack: Taking advantage of lack of expertise and knowledge
Cyber-criminals were able to take advantage of slack security protocols, brought about by a general lack of expertise among staff members.

This is evidenced by the fact that coins were stored in a ‘hot wallet' as opposed to a ‘cold wallet'. Hot wallets are connected to the internet, making them more vulnerable to intrusion. It's akin to walking around carrying thousands of pounds on your person, a risk no sensible person would take. Staff well versed in cryptocurrencies would know it's considered dangerous to store large amounts this way.

The lack of multi-signature wallets also made Coincheck an easy target, as no advanced methods were required to access the funds. Akin to a safety deposit box, a multi-signature wallet requires more than one key to issue a transaction, eliminating the risk of a single point of failure.
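To make the multi-signature point concrete, here is an added example (not code from the original article, Coincheck or any wallet software) of a 2-of-3 threshold check on a transaction: a single stolen key, or the same key used twice, cannot release funds. The custodian names are constructed, and HMAC-SHA256 stands in for real digital signatures so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo: three independent keys held by different custodians,
# with a 2-of-3 threshold. HMAC-SHA256 is a stand-in for real transaction
# signatures (a production wallet would use asymmetric signing keys).
THRESHOLD = 2
SIGNER_KEYS = {name: secrets.token_bytes(32)
               for name in ("ops", "finance", "cold-custodian")}


def tx_digest(tx: dict) -> bytes:
    """Canonical hash of the transaction fields every signer commits to."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def sign(signer: str, tx: dict) -> tuple:
    """One custodian approves the transaction with their own key."""
    mac = hmac.new(SIGNER_KEYS[signer], tx_digest(tx), hashlib.sha256)
    return signer, mac.hexdigest()


def authorize(tx: dict, signatures: list) -> bool:
    """Release funds only if THRESHOLD distinct custodians validly approved."""
    digest = tx_digest(tx)
    approved = set()
    for signer, sig in signatures:
        key = SIGNER_KEYS.get(signer)
        if key is None:
            continue  # unknown signer: ignored, never counted
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            approved.add(signer)  # the same key signing twice counts once
    return len(approved) >= THRESHOLD


def demo() -> dict:
    """Show the outcomes a reviewer would check for a threshold wallet."""
    tx = {"to": "constructed-address", "amount": 100, "nonce": 1}
    two_keys = [sign("ops", tx), sign("finance", tx)]
    tampered = dict(tx, amount=100_000)  # withdrawal altered after signing
    return {
        "two_of_three": authorize(tx, two_keys),
        "single_stolen_key": authorize(tx, [sign("ops", tx)]),
        "same_key_twice": authorize(tx, [sign("ops", tx), sign("ops", tx)]),
        "tampered_after_signing": authorize(tampered, two_keys),
    }
```

Only the first case releases funds; the other three are exactly the single-point-of-failure scenarios a multi-signature wallet is meant to close.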
More advanced threats are out there targeting individuals and companies
Cryptocurrency exchanges are not the only ones within the cryptocurrency ecosystem being hacked. Cyber-criminals have homed in on a highly profitable opportunity, using a distributed computing process for production of cryptocurrency — a process known as “mining.”

While mining itself is legal, fraudulently compromising systems to do it is not. Cryptocurrency mining malware tools commandeer available CPU cycles without authorisation in order to mine for cryptocurrency. Any individual or company is at risk from this type of attack, even if they have never participated in the cryptocurrency markets.
Moving forward, we are now seeing more sophisticated capabilities being built into a crypto-mining worm called WannaMine. It's a cryptocurrency miner that hijacks a system's CPU cycles to mine Monero (a private, untraceable cryptocurrency). This fileless malware leverages advanced tactics and techniques to maintain persistence within a network and move laterally from system to system. WannaMine uses credentials acquired with the credential harvester Mimikatz to attempt to propagate using those legitimate credentials, as well as the EternalBlue vulnerability popularised by the WannaCry and NotPetya attacks and credited as, at one time, part of a sophisticated nation-state-sponsored cyber-weapon.

The end result: WannaMine has been observed to render nearly 100 percent of user environments unusable due to over-utilisation of systems' CPUs, rendering companies inoperable for days and weeks at a time.

Could these attacks happen here in the UK?
First, let's clarify that the two types of attacks discussed above are very different in who they target and how they are executed. Fraudulent cryptomining attacks like WannaMine can hit anyone, anywhere. Financially motivated cyber-criminals are typically indiscriminate in who they target with cryptomining attacks, so long as they can use those systems to make money.

Conversely, the Coincheck hack targeted a cryptocurrency exchange. In 2014, a cryptocurrency exchange called Mt. Gox was hit by a huge attack stealing significantly over 850,000 Bitcoin (valued around £340 million in 2014, with a current valuation of approximately £6 billion). With the massive increase in initial coin offerings and new exchanges popping up on a daily basis, cryptocurrency exchanges in the UK are certainly at heightened risk.

Lessons will be learnt from the recent hack on Coincheck. A recent exchange of letters between Japan and the UK demonstrates the desire of both countries to continue to support innovative currencies, encouraging ‘regulators to share information about financial services innovation in their respective markets, reduce barriers to entry in a new jurisdiction and further encourage innovation in both countries.'
Both want to spur innovation and reap the rewards of becoming early adopters, despite the risks associated with cryptocurrencies. Japan also views cryptocurrency as a much-needed financial innovation injection to its ailing economy.
As a result of this exchange, there will be increased intelligence sharing between the UK and Japan – hopefully serving to better protect the UK and others from the same kind of hack that Japan experienced. But this is effectively protecting the UK from negligence, not the kinds of aforementioned technical threats that more advanced bad actors are capable of.
It's a common theme: innovation outpacing expertise, in this case leading to one of the largest cyber-heists in history. Cryptocurrencies are here to stay, and while the value is there, criminals will always look to extract it, given how private their implementations are.

Without a very broad level of protection across more than just antivirus, and of course a better understanding of cryptocurrency, more advanced hacks will take place from nation states and individuals alike in order to steal and abuse resources for this hot new digital source of value.
Do not expect cryptocurrencies to leave the headlines this year…