来源:国际安全智库
Source: International Security think tank
近期币圈市场回暖,主流币普涨,数字货币交易所被盗案件频频发生。3月24日凌晨,新加坡数字货币交易平台DragonEx遭受黑客入侵,导致用户和平台的数字资产被盗,初步估计平台受损资产总额超4000万人民币。
In the early hours of March 24, Singapore’s Digital Currency Exchange platform, DragonEx, was hacked, resulting in the theft of users and platform digital assets, with initial estimates of the platform’s damaged assets exceeding 40 million yuan.
同时,经过360安全大脑的深度追踪溯源,发现近期火爆的OKEX平台也遭到了同一国家级黑客组织的入侵。
At the same time, as a result of deep tracking of the 360 safe brain, it was found that the recently explosive OKEX platform had also been invaded by the same national hacker organization.
DragonEx是新加坡数字货币交易平台,上线即发行平台币龙币(DT),因其独特的挖矿和分红模式,迅速发展为世界排名前20交易平台。
DragonEx, the Singapore Digital Currency Trading Platform, has rapidly developed into the top 20 trading platforms in the world because of its unique mining and distribution patterns.
据悉,此次DragonEx交易所上BTC、ETH、EOS等总共20余种主流数字货币资产均被盗取,平台将暂停交易充提等所有基础服务。这是DragonEx交易所自成立以来,发生的第一起被盗事件,也是继BiKi、Cryptopia、Etbox等交易所后,又一起交易所被盗事件。
A total of more than 20 mainstream digital monetary assets, such as BTC, ETH, EOS, have been reported to have been stolen from the DragonEx Exchange, and the platform will suspend all basic services such as trading. This is the first theft since the DragonEx Exchange was established, as well as one subsequent to the Biki, Cryptopia, Etbox and others.
(DragonEx交易所发布官方公告)
(official announcement by DragonEx Exchange)
交易所频繁丢币 门头沟悬案记忆尤深
There's a lot of money on the exchange, and there's a lot of memory on the doorstep.
早在去年8月份,DragonEx的在线交易平台就被发现存在多个安全漏洞,攻击者可利用漏洞获取用户信息。但DragonEx随后予以否认,称平台各项机制都很全面,不存在任何安全漏洞问题。
As early as last August, DragonEx’s online trading platform was found to have multiple security gaps in which the attackers could access user information. DragonEx later denied that the platform’s mechanisms were comprehensive and there were no security gaps.
然而,除了DragonEx丢币之外,交易所被盗这些年来连连出现,其中大家记忆最为深刻的估计是币圈最大疑案Mt.GOX(门头沟),曾经币圈第一大交易所,85万比特币不翼而飞(以现在市值2万7换算,总值233亿人民币)。此次事件震撼了整个数字货币社区,并削弱了对比特币安全性的信心,一度导致BTC价格暴跌,一个月的跌幅高达36%。
However, with the exception of DragonEx’s money-disposal, the exchange’s theft has been repeated over the years. Among the most vivid estimates, Mt. GOX, the largest suspect in the currency ring, was the first currency exchange in the past, with 850,000 bits of currency flying (at a current market value of 27 million yuan, valued at 23.3 billion yuan). The event shook the entire digital monetary community and weakened confidence in the security of the currency, once causing BTC’s prices to fall sharply, by up to 36 per cent a month.
2014年2月14日,也就是情人节这天,天上正下着雪,一位中年男子在一座写字楼前举着牌抗议。他手上的牌子写着“门头沟,我们的钱去哪了(MT.Gox, where is our money)”。
On February 14, 2014, Valentine's Day, there was snow in the sky, and a middle-aged man was protesting with a sign in front of a writing building. The sign in his hand said, "Where is our money?"
分析DroganEx事件攻击过程, 全球著名数字交易所OKEX等均受牵连
Analysis of the DroganEx attack, the involvement of the global leading digital exchange, OKEX, etc.
此前,某安全实验室与DrangonEx取得联系,一起分析并确认DrangonEx交易所遭受了黑客组织攻击:https://mp.weixin.qq.com/s/TWy6flU0BZb8epilAawAZA
Prior to that, a safety laboratory contacted DrangonEx to analyse and confirm that the DrangonEx Exchange had been hit by hacker groups: https://mp.weixin.qq.com/s/TWy6flU0BZb8epilAawZA
经过360安全大脑进一步的追踪溯源,发现这是一起由国家级黑客组织APT-C-26(Lazarus音译”拉撒路”)针对OKEX等多家知名数字货币交易所发起的攻击行动。以下是来自360安全大脑对Lazarus攻击过程的详细分析:
As a result of further tracking of the 360 safe brain, it was discovered that it was an attack by a national hacker organization, APT-C-26 (Lazarus translator “Lazarus”) against a number of well-known digital money exchanges, such as OKEX. The following is a detailed analysis of the attack on Lazarus from the 360 safe brain:
攻击过程分析
Attack process analysis
该组织在2018年10月注册了wb-invest.net和wb-bot.org两个域名,开始筹备攻击。
The organization registered wb-invest.net and wb-bot.org domain names in October 2018 and began preparations for the attack.
根据开源的“Qt Bitcoin Trader”软件修改加入恶意代码,改造成名字为“Worldbit-bot”的自动交易软件。
Changed to add malignant code based on the open source Qt Bitcoin Trader to create automatic transaction software called Worldbit-bot.
然后使用之前注册的域名伪装成正规的数字货币自动交易软件的官方网站,进行了长达半年时间的运营。
The formerly registered domain name was then used as the official website of the formal digital currency automated transaction software, operating for up to six months.
最终的收网攻击,疑似发生于2019年1月和3月,该组织通过向大量的交易所官方人员推荐该软件进行钓鱼攻击,最终导致相关人员中招,实施了进一步的数字货币盗取。
The eventual netting attack, suspected to have taken place in January and March 2019, resulted in further digital currency theft by the organization by recommending the software to a large number of exchange officials.
恶意代码分析
malignant code analysis
“Worldbit-bot”软件和该组织去年实施的“Celas Trade Pro”攻击在主体功能上无太大差异,属于同一个攻击框架。
The “Worldbit-bot” software and the Celas Trade Pro attacks carried out by the organization last year did not differ significantly in subject function and fell within the same framework of attack.
1. 收集系统信息并加密传输
1. Collection and encryption of system information
2. 收集系统相关信息
Collection of system-related information
3.下载执行下一阶段载荷并解密存入文件执行
Download the next stage load and decrypt the file to execute
关联分析
Link analysis
“Worldbit-bot”与“CelasTrade Pro”代码结构基本一致,仅发生了参数和部分密钥的改变。
“Wordbit-bot” is essentially in line with the Celastrade Pro code structure and only changes in parameters and parts of keys have been made.
1. 启动参数发生改变
1. Changes in start-up parameters
“Worldbit-bot”版本 “Celas Trade Pro”版本
"Wordbit-bot" version "Celas Trade Pro" version
2.通信加密的异或密钥发生改变
2. Changes in communication encryption different or key
“Worldbit-bot”加密方式
"Wordbit-bot" encryption
“Celas Trade Pro” 加密方式
"Celas Trade Pro" encryption
3.请求模板字符串发生改变
3. Request a change in template string
“Worldbit-bot”版字符串
Worldbit-bot string
“Celas Trade Pro”版字符串
Celas Trade Pro string
4.C&C发生改变
Change in C&C
“Worldbit-bot”版C&C
"Wordbit-bot" version C&C
“Celas Trade Pro”版C&C
C&C version of Celas Trade Pro
5.下载数据时使用的RC4密钥改变
5. Changes in RC4 keys used to download data
“Worldbit-bot”版 “Celas Trade Pro”版
"Wordbit-bot" version "Celas Trade Pro" version
关于Lazarus组织:
For Lazarus:
APT-C-26(Lazarus 音译"拉撒路")是从2009年以来至今一直处于活跃的APT组织。这是继去年360发现Lazarus组织针对数字加密货币的“Celas Trade Pro”攻击后,360高级威胁应对团队持续跟踪发现该组织的又一起活跃攻击行动。值得注意的是,该组织攻击目标不断扩大,日趋以经济利益为目的,并正在对多个大型数字货币交易所进行攻击渗透。
The APT-C-26 (Lazarus translator "Lazarus") is an active APT organization since 2009. This is another active attack by Lazarus’s senior threat response team that continues to track down the organization after 360’s “Celas Trade Pro” attack on digital encrypted currency last year.
Lazarus组织攻击金融等行业重大事件:
Lazarus attacked major events in the financial sector, among others:
2014年,索尼影视娱乐公司遭到黑客袭击,美国政府出面谴责Lazarus的行为;
In 2014, Sony Film and Recreation was hit by hackers and the United States Government denounced Lazarus'actions;
2016年2月,一个未知的攻击者试图从孟加拉国中央银行窃取8100万美金,事后多篇分析报道称该事件与Lazarus组织有关;
In February 2016, an unknown assailant attempted to steal $81 million from the Central Bank of Bangladesh, after which several analyses reported that the incident was linked to Lazarus;
2016年5月,BAE公司遭到袭击,公布了一份有关攻击者使用的擦除程序的代码分析,事后Anomali实验室确认这一工具与Lazarus组织的擦除工具代码极为相似;
In May 2016, BAE was attacked and a code analysis of the scrubbering procedures used by the attackers was published, after which Anomali Laboratories confirmed that the tool was very similar to Lazarus's excavator code;
2017年2月份,波兰媒体的一篇报道打破了关于一次银行攻击事件的平静,赛门铁克从波兰受攻击的
In February 2017, a Polish media report broke the calm over a bank attack, and Simon Tek was attacked from Poland.
金融部门提取到Lazarus组织惯用的擦除工具(根据字符串重用的线索)。
The financial sector extracts the scrubbing tools used by Lazarus (based on threads to be reused by string).
交易所自查:
Exchange self-censorship:
IOC
Md5
3efeccfc6daf0bf99dcb36f247364052
8b4c532f10603a8e199aa4281384764e
b63e8d4277b190e2e3f5236f07f89eee
domain
wb-invest.net
wb-bot.org
建议各大数字交易所和用户做好以下几点防御措施:
It is recommended that major digital exchanges and users put in place the following defensive measures:
1.建议交易所加大安全投入,增加安全风控;
1. Recommends that the exchange increase its security input and increase its safety wind control;
2.及时关注服务器异常、端口异常开放、配置被修改等情况;
2. Timely attention to server anomalies, unusual port openings, modified configurations, etc.;
3.密切掌握交易所收益异常、零钱归集异常、冷、温、热钱包地址被篡改等信息;
3. Close access to information on unusual exchange earnings, irregularities in the collection of petty cash, cold, warm, and tampering with the address of the hot wallet;
4.提早预警交易所大额储值、提币多账号登录、热钱包被提供;
4. Large stock values of the early warning exchange, multiple account entries of coins, and hot wallets are provided;
5.勤对账及时发现账目异常,对账异常后及时关闭冲提止损。
5. The reconciliations were performed in a timely manner to detect irregularities in the accounts, and the reconciliations were closed in a timely manner.
6.当系统预警后能全自动拦截提币,并只能通过人工确认无误后方行。
6. When the system alerts, it is fully automatic to intercept the coin and only by manual confirmation of the rear row.
关于此类事件的更深入分析请关注国际安全智库的后续报告,同时提醒数字货币交易所以及个人用户提升安全意识并且采取必要的安全策略保护自身,不要轻易信任第三方用户。
More in-depth analysis of such incidents should be followed by follow-up reports from the International Security think tank, while reminding digital money exchanges and individual users to raise security awareness and adopt the necessary security strategies to protect themselves and not to trust third-party users easily.
来源:国际安全智库
Source: International Security think tank.
注册有任何问题请添加 微信:MVIP619 拉你进入群
打开微信扫一扫
添加客服
进入交流群
发表评论