Workload and Application Security Blog

How the November 2019 Monero Supply Chain Hack Was Discovered

And what it takes to block these kinds of attacks

Written by Cameron Naghdi | Jan 14, 2020 10:59:39 PM

By now, many people have heard of the Monero Supply Chain Hack, cryptocurrencies and Bitcoin. Some may even understand how a Blockchain (the underlying technology behind Bitcoin) works. If you don’t, I recommend the following video that gives a good description of how this works.

View Blockchain video: https://www.youtube.com/watch?v=SSo_EIwHSd4

Some quick points from the video:

Each block in a blockchain contains identifying information. The technique, introduced in 1991, was originally intended to timestamp digital documents so they couldn’t be backdated or tampered with, similar to a notary. In 2009, Satoshi Nakamoto adapted the technique to create the digital cryptocurrency Bitcoin.

A blockchain functions as a distributed ledger, which is synchronized and shared digital data that is completely open to anyone. Once data has been recorded inside, it’s very difficult to change that data, including transaction data such as the sender, receiver and amount of coins.

A block also contains a hash, which is like a fingerprint – it identifies the block and all its contents and it’s always unique. As block content changes, so does the hash. A critical element of a block is the hash of the previous block, which creates the chain of blocks.


Source: Simply Explained
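To make the "hash of the previous block" point concrete, here is a minimal hash chain written as an added example for this article; it is not Monero's or Bitcoin's real block format, and the block fields, transactions and timestamps are constructed. It shows why editing one recorded transaction is detectable: the edited block's stored hash goes stale, and even if the editor recomputes that hash, the next block still commits to the old one.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical minimal hash chain (added example, not a real ledger format).
GENESIS_PREV = "0" * 64  # the first block has no predecessor


@dataclass
class Block:
    index: int
    timestamp: str
    data: dict       # e.g. {"sender": ..., "receiver": ..., "amount": ...}
    prev_hash: str   # fingerprint of the previous block; this is the "chain"
    hash: str        # fingerprint of this block's own contents


def block_hash(index: int, timestamp: str, data: dict, prev_hash: str) -> str:
    """SHA-256 over a canonical serialisation of everything in the block."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(transactions: list) -> list:
    """Append one block per transaction, each committing to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, tx in enumerate(transactions):
        ts = f"2019-11-18T02:{i:02d}:00Z"        # constructed timestamps
        h = block_hash(i, ts, tx, prev)
        chain.append(Block(i, ts, tx, prev, h))
        prev = h
    return chain


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of the first bad block).

    A block is bad if its stored hash no longer matches its contents, or if its
    prev_hash is not the hash of the block before it.
    """
    expected_prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != expected_prev:
            return False, b.index
        if block_hash(b.index, b.timestamp, b.data, b.prev_hash) != b.hash:
            return False, b.index
        expected_prev = b.hash
    return True, None


def tamper_demo():
    """Edit one block's amount and show where verification fails at each step."""
    chain = build_chain([
        {"sender": "alice", "receiver": "bob", "amount": 5},
        {"sender": "bob", "receiver": "carol", "amount": 2},
        {"sender": "carol", "receiver": "dave", "amount": 1},
    ])
    intact = verify_chain(chain)                 # (True, None)

    chain[1].data["amount"] = 200                # edit the ledger entry in place
    after_edit = verify_chain(chain)             # (False, 1): block 1's hash is stale

    b = chain[1]                                 # recompute block 1's hash to "fix" it...
    b.hash = block_hash(b.index, b.timestamp, b.data, b.prev_hash)
    after_rehash = verify_chain(chain)           # (False, 2): block 2 still names the old hash

    return intact, after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

In a real network the chain is also replicated across many nodes, so an editor would have to rewrite every later block on a majority of copies, which is what proof of work makes expensive.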

The Monero Supply Chain Hack

In the Monero Supply Chain Hack, the official Monero cryptocurrency project website was hacked. An attacker planned to steal funds from users’ wallets by stealthily replacing the legitimate Linux and Windows binaries available for download with malicious versions. It took a sharp user to spot the discrepancy: the Monero user noticed that the cryptographic hash of the binaries he downloaded from the official site didn’t match the hashes listed on it.

The Monero team did an immediate investigation and confirmed that its website, GetMonero.com, had in fact been compromised. Users who had downloaded the CLI wallet between Monday November 18th 2:30 am UTC and 4:30 pm UTC were potentially affected.

Now that we have the basics out of the way, let’s talk about why blockchain matters. Digital currencies are becoming very popular with multiple governments and financial institutions. Even as recently as this year, Facebook announced the Libra project. This digital revolution should not be feared, and I have frequently equated this evolution in technology to the Credit Card revolution. We see increasing numbers of folks in the financial space adopting the technology behind the scenes through projects like Ripple (XRP*) and Stellar (XLM*). Large financial institutions use these projects to increase the speed of delivery and lower fees along the way. But along with the advantages of new technology come new threats.

Proof of Work Verification

If you watched the video above, you understand that some currencies use a Proof of Work approach to verify the accuracy of the data uploaded. This method is supported by folks who use computing power to do this for a fee. This practice is commonly called “mining.”

Mining can be done on CPUs and GPUs like those commonly found in our home PCs. There are also folks who mine on ASICs and FPGA technology. To support this workflow, people download miner programs to take advantage of the hardware they have. This is where the Supply Chain attack took place. The GitHub repository for the Monero (XMR) project was compromised and new miner files were uploaded by a hacker. The goal was for the hacker to infect miners and steal private keys for wallets, and thus the cryptocurrency the miners held at the time.

The user with a keen eye who discovered the breach noticed that the hash of the file he downloaded did not match the hash on the GitHub repository, a simple check that a lot of us already use in the security space. The user then alerted the project owners and the infected files were removed. This attack is important for a few reasons, outlined below.
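The check that caught this attack is simply "hash the file you got, compare it to the hash the project published." The following is an added example of that check in Python; it is not the Monero project's own tooling, and the file names, contents and hash list below are constructed for the demo. It reads the published list in the `sha256sum` style (`<hex digest>  <filename>`), refuses to guess at malformed lines, treats a file that is not listed at all as unverified rather than as acceptable, and compares digests with a constant-time function.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Added example: verifying a downloaded release against a published hash list.
# Names, contents and the hash list itself are constructed for this demo.

CHUNK = 1 << 20  # read 1 MiB at a time so large binaries need not fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text: str) -> dict:
    """Parse lines of the form '<sha256 hex>  <filename>' into {filename: digest}.

    Blank lines and '#' comments are skipped. Anything else that is not a
    64-hex-character digest followed by a name raises instead of being guessed at.
    """
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hash-list line: {line!r}")
        digest, name = parts
        int(digest, 16)                       # ValueError if not hexadecimal
        published[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return published


def verify_download(path: Path, published: dict) -> bool:
    """True only if the file's SHA-256 equals the digest published under its name."""
    expected = published.get(path.name)
    if expected is None:
        return False                          # unlisted file: unverified, not OK
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict:
    """Create a legitimate file, publish its hash, then check a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        legit = d / "monero-cli-linux-x64.tar.bz2"         # constructed file name
        legit.write_bytes(b"\x7fELF" + b"legit wallet bytes" * 1000)
        hash_list = f"# constructed hashes.txt\n{sha256_file(legit)}  {legit.name}\n"
        published = parse_hash_list(hash_list)

        tampered = d / "download" / legit.name               # same name, one extra byte
        tampered.parent.mkdir()
        tampered.write_bytes(legit.read_bytes() + b"\x90")

        unlisted = d / "README.txt"
        unlisted.write_text("not in the hash list\n")

        return {
            "legit_ok": verify_download(legit, published),        # True
            "tampered_ok": verify_download(tampered, published),  # False
            "unlisted_ok": verify_download(unlisted, published),  # False
        }


if __name__ == "__main__":
    print(demo())
```

The check only helps if the hash list itself is trustworthy: when the download site has been compromised, the attacker may be able to edit the published hashes too, so the list should come from a second channel (for example a signed copy whose signing key you already hold) rather than from the same page as the binary.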

  1. The software for Monero executed a large update (fork) on Nov. 30th
  2. This event required miners to update their mining software
  3. The new algorithm is specifically built for CPUs and is resistant to GPUs, ASICs and FPGAs
  4. This change will support further decentralization for Monero, which is considered to be very valuable since Monero’s focus is user privacy.

Quite honestly, I feel we will see increased attacks targeting either Monero miners or a resurgence in cryptojacking malware. In other words, what was true back in November is even more so now, and we are likely to see an uptick because the attackers have had time to modify payloads.

Additionally, it’s much more profitable for hackers to target large numbers of computers for infection. The more they infect, the more cryptocurrency the hackers will be able to collect without the overhead of hardware or electricity costs.

It Takes More Than AV to Block These Attacks

Users and admins can spot these attacks in a number of ways beyond just doing resource monitoring. Using solutions like Virsec’s to monitor servers allows users to do the following:

- Spot new files being placed on servers

- Monitor critical files that are being modified by an attacker (how this attack was discovered)

- Identify new processes that the attacker is starting

- Catch attackers attempting to add new startup scripts to business-critical applications or resources.

- Catch buffer overflow errors and other memory-based attacks
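The first two bullets (new files appearing on a server, critical files being modified) come down to keeping a baseline of what is on disk and comparing against it later. The following is an added example of that baseline-and-compare approach in plain Python; it is not Virsec's product or its telemetry format, and the directory layout, file names and "attacker" changes are constructed for the demo. It records a SHA-256, size and permission bits for every regular file under a root, then classifies each path as added, removed, modified or permission-changed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example: baseline snapshot of a directory and a later comparison.
# Generic Python, not any vendor's agent; all paths and contents are constructed.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to (sha256, size, mode bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, devices
            rel = p.relative_to(root).as_posix()
            snap[rel] = (sha256_file(p), st.st_size, stat.S_IMODE(st.st_mode))
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, modified (content) or mode_changed."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            b_hash, _, b_mode = baseline[rel]
            c_hash, _, c_mode = current[rel]
            if b_hash != c_hash:
                report["modified"].append(rel)
            elif b_mode != c_mode:
                report["mode_changed"].append(rel)
    return report


def demo() -> dict:
    """Take a baseline, simulate post-compromise changes, and report the difference."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        miner = root / "bin" / "miner"            # constructed stand-in for a miner binary
        miner.write_bytes(b"original miner build")
        cfg = root / "config.json"
        cfg.write_text('{"pool": "pool.example"}')
        cfg.chmod(0o644)
        baseline = snapshot(root)

        # Simulated changes after the baseline was taken
        miner.write_bytes(b"replaced miner build")             # existing binary modified
        (root / "bin" / ".cache.sh").write_text("# dropped\n")  # new file placed on disk
        cfg.chmod(0o666)                                       # permissions loosened

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored somewhere the monitored host cannot rewrite it, and the comparison should run on a schedule or from a file-change event source; a baseline kept on the same box is one more file for an intruder to edit.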

Remember, it is no longer considered good enough to simply put an EPP* solution on your business-critical servers. If you would like to learn more, please visit www.virsec.com.


*endpoint protection platform

Further resources:

Watch a Crypto-Mining Attack in Action

Steps Companies Can Take to Stop Crypto-Miners from Hijacking Servers

https://virsec.com/steps-companies-can-take-to-stop-crypto-miners-from-hijacking-servers-2/


Sources:

Primary Photo above by André François McKenzie

https://thehackernews.com/2019/11/hacking-monero-cryptocurrency.html

*XRP is the cryptocurrency used by the Ripple payment network. Designed for enterprise use, it’s a cost-efficient cryptocurrency that’s fast and more scalable than any other digital asset. Stellar is an open source, decentralized protocol for digital currency used for money transfers and cross-border transactions between any pair of currencies, including financial institutions in developing markets. Its currency is the Lumen (XLM).