ShapeShift Cyber Attack Report
Established Facts
The following facts were established following the preliminary investigation:
Prior to these commands, the auth.log showed that the last login to the server was
completed via public-key authentication on 2016-04-09 at 8:44:37 UTC by a key with
RSA fingerprint 9d:35:fd:6d:60:a8:6e:2e:56:f3:d0:ac:07:79:7f:cb. This is
consistent with a known employee login to Simpson over a VPN connection from the
employee's home. This SSH connection remained open until 13:04 UTC, suggesting
the employee's session was used to breach the Simpson server.
Although significantly more analysis was performed, the operating system's
configuration prevented additional artifacts from being generated following user
and system actions, resulting in insufficient evidentiary data.
Infrastructure2 Analysis
Following the analysis of Simpson, a bitstream image of the server that ran
ShapeShift's core exchange code from Infrastructure2 was obtained using a
combination of dd, gzip2, and netcat. For the purpose of this report, this machine
will be identified as Lenny. The SHA-1 hash of the disk image was calculated as
41b5bc88fd7ab4ef0844069df51fc281caa59338.
Analysis of Lenny's Ubuntu operating system configuration revealed that, as on
Simpson, there was no logging or auditing configured beyond the default
configuration that ships with Ubuntu. Analysis of the /var/log/auth.log file
showed tampering by overwriting, unlike Simpson, whose log had been deleted. The
last few lines of the log were overwritten with NULL (0x00) bytes, preventing digital-forensic recovery.
Analysis of the /bin folder identified the installation of the same rootkit identified
on the Simpson server at the same path: /bin/udevd-bridge.
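The two log findings above (a key-based login whose session stayed open for hours, and a log tail overwritten with NULL bytes) can be checked mechanically. The Python below is an added example written for this page, not tooling from the LLI report or from ShapeShift: it parses a constructed auth.log in the pre-OpenSSH-7 format, correlates "Accepted publickey" lines with session-close records by sshd PID, compares key fingerprints against a list of known employee keys (the report's fingerprint is the only real entry), flags sessions that stay open beyond a threshold, and measures a trailing run of 0x00 bytes like the one found on Lenny. The sample log lines, the "deploy" user, the IP addresses, the second fingerprint and the two-hour threshold are all constructed assumptions.

```python
import re
from datetime import datetime

# The only fingerprint quoted in the report; the label is an assumption.
KNOWN_KEYS = {
    "9d:35:fd:6d:60:a8:6e:2e:56:f3:d0:ac:07:79:7f:cb": "employee laptop via VPN",
}

# Constructed sample: sshd lines in the pre-OpenSSH-7 format (MD5 fingerprints),
# followed by 512 NULL bytes standing in for the overwritten tail found on Lenny.
SAMPLE_AUTH_LOG = (
    b"Apr  9 08:44:37 simpson sshd[2210]: Accepted publickey for deploy from 10.8.0.6 port 50022 ssh2: RSA 9d:35:fd:6d:60:a8:6e:2e:56:f3:d0:ac:07:79:7f:cb\n"
    b"Apr  9 08:44:37 simpson sshd[2210]: pam_unix(sshd:session): session opened for user deploy by (uid=0)\n"
    b"Apr  9 09:02:15 simpson sshd[2381]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2: RSA aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99\n"
    b"Apr  9 13:04:11 simpson sshd[2210]: pam_unix(sshd:session): session closed for user deploy\n"
    + b"\x00" * 512
)

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
ACCEPT_RE = re.compile(
    TS + r" \S+ sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2(?:: (?P<ktype>\w+) (?P<fp>\S+))?"
)
CLOSE_RE = re.compile(TS + r" \S+ sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session closed")


def parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year; the caller supplies it from the image metadata
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


def trailing_null_count(data: bytes) -> int:
    """Number of 0x00 bytes at the end of the file: a log never ends this way on its own."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyse_auth_log(data: bytes, year: int) -> dict:
    null_tail = trailing_null_count(data)
    text = data[:len(data) - null_tail].decode("utf-8", errors="replace")
    sessions = {}  # sshd pid -> session record
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            fp = m.group("fp")
            sessions[m.group("pid")] = {
                "user": m.group("user"), "src": m.group("src"), "method": m.group("method"),
                "fingerprint": fp, "known_as": KNOWN_KEYS.get(fp),
                "opened": parse_ts(m.group("ts"), year), "closed": None,
            }
            continue
        m = CLOSE_RE.match(line)
        if m and m.group("pid") in sessions:
            sessions[m.group("pid")]["closed"] = parse_ts(m.group("ts"), year)
    for s in sessions.values():
        s["duration_seconds"] = (s["closed"] - s["opened"]).total_seconds() if s["closed"] else None
    return {"sessions": list(sessions.values()), "null_tail_bytes": null_tail, "tampered": null_tail > 0}


def findings(result: dict, max_session_hours: float = 2.0) -> list:
    """Turn the parsed log into reviewer-facing findings (threshold is an assumption)."""
    out = []
    if result["tampered"]:
        out.append(f"log tail overwritten with {result['null_tail_bytes']} NULL bytes")
    for s in result["sessions"]:
        if s["known_as"] is None:
            out.append(f"login by unknown key {s['fingerprint']} from {s['src']}")
        if s["closed"] is None:
            out.append(f"session from {s['src']} has no close record (still open, or record destroyed)")
        elif s["duration_seconds"] > max_session_hours * 3600:
            out.append(f"session from {s['src']} stayed open {s['duration_seconds'] / 3600:.1f} h")
    return out


if __name__ == "__main__":
    for line in findings(analyse_auth_log(SAMPLE_AUTH_LOG, year=2016)):
        print("-", line)
```

The close record is matched by PID rather than by username because several sessions for the same account can overlap; a session with no close record is reported separately from a long one, since on a log whose tail was zeroed the missing record may itself be the evidence that was destroyed.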
Although significantly more analysis was performed, no data artifacts were
identified that could help identify how the back-door was placed on Lenny, or who
performed it.
Analysis
Since direct evidence of a specific attack vector was not found during the digital-forensic investigation, an analysis of the available facts was performed to identify all
possible attack vectors that fit the facts. It was noted that the attacker was not only
able to compromise both infrastructures fairly quickly, but was also able to identify
their IP addresses equally fast. The following attack vectors were possible
avenues of attack, listed in order of probability:
1. An(other) employee with access to both Simpson and Lenny performed or
assisted with both attacks;
2. A Remote Access Trojan (RAT) was installed on a laptop belonging to an
employee with access to both Simpson and Lenny. The compromised laptop
allowed Rovion to obtain the location of both new infrastructures and obtain
an SSH key for access;
3. A vulnerability exists in the ShapeShift source code that launched a reverse
shell to a machine under Rovion's control. This source code ran on both
Simpson and Lenny, and upon reaching out to Rovion's machine, told him
their IP addresses;
4. A vulnerability exists within one of the services running on the Ubuntu
operating system that was exploited to open a reverse shell to a machine
under Rovion's control. This service ran on both Simpson and Lenny. Rovion
obtained the IP addresses of both machines via a communications channel
breach (e.g. email, Slack);
CCSS Assessment
Following the digital-forensic investigation, LLI performed an assessment of the
ShapeShift infrastructure against the CryptoCurrency Security Standard (CCSS). The
assessment identified a number of aspects in which ShapeShift's controls were
sufficient for obtaining Level 3; however, others were identified that left ShapeShift's
infrastructure uncertified. Since CCSS requires compliance in all
aspects in order to achieve a security level, ShapeShift's resultant level was Level 0
(Uncertified).
LLI drafted a list of security controls that must be implemented in order for
ShapeShift's infrastructure to be graded as CCSS Level 1. LLI staff worked with
ShapeShift staff to implement these controls.
Corrective Action
Although evidence of the specific attack vector could not be found, due to both the
destruction of evidence by Rovion and the lack of logging configured on the servers,
a number of corrective actions would prevent each of the above attack vectors from
being exploited, thereby dramatically increasing ShapeShift's security. This section
outlines the corrective actions taken by the ShapeShift team under LLI's guidance:
Computing Hardware Replacement
All ShapeShift employees who had access to both Infrastructure1 and
Infrastructure2 received brand new computing hardware to ensure any RATs,
backdoors, or malware installed on their machines would not persist.
Communication Channel Replacement
All existing communication channels between ShapeShift employees have been or
are in the process of being replaced. This includes email accounts, Slack accounts,
and GitHub accounts.
In addition, all employees were given instructions on how to securely communicate
company secrets (including IP addresses, API keys, SSH public keys, and shared
passwords), which were distilled into a company-wide security policy.
Cryptographic Key Replacement
All employees generated new GPG keys that were protected by strong passwords.
Employees also generated new SSH keys that were also protected by strong
passwords.
Employees were given instruction on the proper use of these keys when accessing
production and development servers, and were trained on the proper protocols for
the communication of secrets between users.
Future Enhancements
Although ShapeShift staff implemented numerous controls that enhanced security,
a few of LLI's recommendations were deferred for future implementation. These
recommendations are outlined here:
Multi-Signature Architecture
Although this is required for CCSS Level 2 and not Level 1, LLI recommends that
ShapeShift's architecture be re-architected to require multiple signatures. This
would prevent a single compromised employee from being able to misappropriate
funds on his or her own. End-users should be presented with a P2SH address (or
equivalent for its coin type) that is built from a script that requires 3 signatures: 2
signatures from online signing agents that exist external to ShapeShift's
infrastructure, and a 3rd offline recovery key that is stored safely and securely.
Deterministic Keys
Although deterministic keys are another CCSS Level 2 requirement and not Level 1,
LLI recommends that ShapeShift's architecture be re-architected to make use of
deterministic seeds. This practice would allow public-facing servers to calculate
the information they need without communicating with private servers. Furthermore,
deterministic keys would remove the requirement to perform regular backups of
keys, since a single backup at the time of implementation would be able to re-create
any key used by ShapeShift.
Key Backups, Environmental Protection, and Backup Access Controls
ShapeShift's current backup practices are not compliant with CCSS Level 1. In the
near future, key backups will become CCSS Level 1 compliant with the
implementation of deterministic seeds.
Once these backups are created, they can be stored in fire-proof / water-proof
containers with tamper-evident seals in a location that requires strong access
controls, to ensure the backup strategy complies with CCSS Level 3.
Data Sanitization Policy
A Data Sanitization Policy (DSP) should be drafted to ensure media on end-of-life
equipment is destroyed in a way that prohibits digital-forensic recovery of
confidential information.
Conclusion
The digital-forensic investigation, combined with the CCSS assessment, identified a
number of opportunities to increase ShapeShift's security. Ledger Labs worked
closely with ShapeShift's team to carry out these changes prior to the re-launch of
the site. Where changes could not be made immediately, ShapeShift has planned to
effect them in the near future once the exchange has been re-launched to the
public.
The type of breach experienced by ShapeShift has been observed at other bitcoin
exchanges in the industry. One notable difference in this case is that usernames,
passwords, and email addresses were not compromised alongside the
compromised servers, due to ShapeShift's unique information-less exchange
architecture. Ledger Labs will continue to work with ShapeShift to ensure the
highest level of security for their exchange.