The U.S. Consumer Financial Protection Bureau (CFFB) recently issued an advisory on the risk to consumers posed by virtual and cryptocurrencies, like Bitcoin. This warning from the CFFB couldn’t have come at a better time given the growing number of stories we’re seeing on hackers targeting cryptocurrencies. Andy Greenberg of Wired recently uncovered how a hacker took control of an ISP to steal bitcoins.
According to the researchers Greenberg talked with, “a bitcoin thief redirected a portion of online traffic from no less than 19 ISPs, including data from the networks of Amazon and other hosting services like DigitalOcean and OVH, with the goal of stealing cryptocurrency from a group of bitcoin users.”
The details of the attack are still emerging, however, what is clear is that an employee’s credentials were exploited. It’s not clear if this was done by an outsider, via phishing or by using other techniques, or if this was a malicious insider situation.
The employee’s privileged account credentials were clearly used to perform an attack known as BGP hijacking (border gateway protocol attack), effectively routing the network traffic at the connection points between Internet networks.
In other words, the attacker was able to broadcast a spoofed command that redirected traffic from other networks to a server controlled by him/her. From that server, the hacker sent the mining computers a “reconnect” command and changed the machines’ configurations to deliver the processing power to a pool owned by the attacker.
So what could the ISP have done? For starters, monitoring the actions and commands sent to the routers at the border gateway could have been helpful in order to detect and prevent this attack.
More importantly, they should have been monitoring the activity of their privileged accounts. This would have enabled them to discover anomalous behavior which could indicate account hijacking or malicious insider activity.
If you’re interested in learning more about how privileged account activity can tip you off to an advanced attack, check out Roy Adar discussing privileged threat analytics.