Breaking Badness
Breaking Badness Cybersecurity Podcast - 190. The Weak Security Default in Our Stars
Coming up this week on Breaking Badness: DeFi Logic, Leap JFrog, and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:
DeFi Logic
- At least two DeFi protocols reported compromised domains in an apparent hacking campaign targeting crypto websites
- What are “DeFi protocols” for anyone who may be unfamiliar?
- DeFi = Decentralized Finance
- Basically, all things cryptocurrency
- It’s been a while since we’ve covered this on the podcast, so here’s a refresher on what makes up a DNS attack?
- “DNS Attack” as used in the article we’re linking is really not a sufficient descriptor, so we are left to speculate a bit
- There are different flavors of DNS attacks. Broadly speaking, the ones that affect the availability or integrity of a site fall into the categories of Denial of Service or domain hijacking
- This compromise appears to be the latter
- If a malicious actor is able to obtain the DNS creds for a site, they can then alter the records to point to whatever infrastructure they wish. At that point, the malicious actor is really in control, at least unless or until the legit owner can wrest back control
- Compound Labs shared a tweet on July 11 stating compound[.]finance had been compromised and they advised no one to visit the website or click any links – why is it troublesome to even go to the website when it’s compromised?
- It varies
- Remember, it’s entirely bad-actor-controlled at that point. So this could be anything from harvesting of login credentials, to silent drive-by malware download, to conceivably hijacking sessions in progress (though we think that one would be harder to pull off)
- So users at this point have to rely on other communication channels to see what’s going on, particularly social media (because email, assuming said email uses the domain that was compromised, could be a phony email)
- At the time of recording, no funds have been stolen, but that doesn’t mean users are in the clear
- Until the operators say that they have control of their domains, there could be a risk of funds being stolen
- Of course, this isn’t the only way cryptocurrency can be stolen, but it’s still not a good day for these outfits or for their customers
- At press time, Compound Labs and another DeFi protocol – Celer Network – hadn’t disclosed that the threat had been mitigated. What would mitigation in this instance look like?
- Declaring that they positively have control of the domains, and doing so in a way that is verifiable by users
- Addendum
- After we recorded our episode, we saw KrebsOnSecurity shared findings related to this story, including the attack mechanism
- Malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain
- Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves
- After we recorded our episode, we saw KrebsOnSecurity shared findings related to this story, including the attack mechanism
Leap JFrog
- The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub
- But who is JFrog and why are they continuously scanning public repositories?
- They are a DevOps vendor, existing in GitHub-land
- They have built scanning tooling for scanning packages that are placed into various repositories – in this case, they were looking for packages unrelated to PyPI, but their scanning tool caught this in a compile file
- JFrog reports lots of findings that are relevant to maintainers, so why is this one exceptional?
- This one is special given the potential consequences – a bad actor could inject malicious code into PyPI packages and even to the Python language itself (almost every Python installer on the planet was left in that binary)
- The JFrog came around and identified the issue to the PyPI folks
- The implications would have been severe – various forms of supply chain attacks were possible
- It took the team about 17 minutes from finding it to pulling it
- People moved extremely quickly here
- Why was the token found only in the binary?
- The token was compiled in a .pyc file and found in a Docker container
- But “the same function in the matching source code file didn’t contain the token…The decompiled code from the .pyc cache file was similar to the original, but included an authorization header with a valid GitHub token”
- The token was compiled in a .pyc file and found in a Docker container
- What can we learn about secret detection?
- It’s one of those “everything had to go wrong here for things to happen”
- In this case, someone’s secrets were found on a separate project
- Events had to line up in order for this to happen
- And when it was detected, the remediation time was fantastic
- Now, it would be great if these tokens were not permanent to begin with, but we think GitHub is working on that
This Week’s Hoodie/Goodie Scale
DeFi Logic
[Tim]: 3.5/10 Hoodies
[Taylor]: 1.34/10 Hoodies
Leap JFrog
[Tim]: 6/10 Goodies
[Taylor]: 7/10 Ants on a Log
That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
