Lessons Learned from a $67 Million Cryptocurrency Hack of NiceHash

Lessons Learned from a $67 Million Case Study Cryptocurrency Hack$67 million worth of bitcoin was stolen from a cryptocurrency-mining marketplace NiceHash that connected people in need of computer-processing power to people who have power to spare to mine for cryptocurrencies. In return, payment was made in bitcoins. Through tactics, techniques, and procedures, the theft was ultimately linked to Hidden Cobra, a threat actor with ties to North Korea. In this case study, we will present the lessons learned from a $67 Million Cryptocurrency Hack of NiceHash.

While not too technically advanced, this attack was executed with military precision, taking advantage of common security weakness found in many startups, resulting in an unprecedent financial theft.

The Security Weaknesses:
Missing formalized Incident Response Plan and Security Policies
Limited end point security monitoring, detection and response
Hosting provided, in cloud, provides limited ability to cooperate with Incident Response team.
The Virtual Private Network (VPN) only required an id and password was in use to connect to the servers hosted in at a cloud provider’s data center.
The private key for Secure Shell, a network protocol that provides administrators with a secure way to access a remote computer, was not password protected.
Key information and files were encrypted at the storage level but not at the logical level.
The logs, specifically of the firewall and the VPN servers, were not available for part of the attack period.

LIFARS Services:
Given LIFARS’ reputation and expertise, LIFARS was called to respond to the initial system compromise, and provide incident response service, including gathered forensics evidence for US and international law enforcement agencies, including local state Digital Forensic Unit, US Secret Service, FBI, DHS, IRS, and Europol.

In the process, LIFARS cooperated with international law enforcement agencies. From the compromised artifacts and attack methodology, LIFARS identified the threat actor. LIFARS also ensured the incident was contained and had not spread to any other servers.

LIFARS Recommendation & Take-A-Ways:

Although the cryptocurrency platform NiceHash was hacked and the theft was large, this was not a highly technical hack. Basic security best practices would have blocked this attack. The following best practices should have been implemented:

Download Case Study to learn more about lessons learned from a $67 Million Cryptocurrency Hack of NiceHash.