Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for December 2017 is… the theft of $63 million in bitcoin from NiceHash.
NiceHash, based in Slovenia, describes itself as the world’s largest cryptocurrency cloud mining marketplace. NiceHash users lend their computer’s processing power to cryptocurrency mining, or pay to borrow power from other users. Most users move their cryptocurrency off the service, but some store their coins in NiceHash’s digital wallet.
In early December, the contents of NiceHash’s bitcoin wallet were stolen by hackers. An estimated 4,700 bitcoins were stolen, with a total approximate value of $63 million. It is unclear what percentage of the stolen bitcoins belonged to NiceHash customers, and how many belonged to the company. The site shut down for 24 hours following the attack, and CEO Marko Kobal stepped down soon after.
The specifics of the attack have not been described publicly, but it has been reported that hackers used a NiceHash engineer’s credentials to access the payment system. NiceHash’s head of marketing told the Guardian it was “a highly professional attack with social engineering.”
While the much-hyped technology behind cryptocurrency might be secure, cryptocurrency exchanges have proven to be a weak link in the chain, successfully targeted by hackers dozens of times. In 2014, 650,000 bitcoins disappeared from Japanese exchange Mt. Gox, possibly taken by hackers, leading to new Japanese laws regulating cryptocurrency. Just last month, another digital wallet for cryptocurrency, called Parity, was hacked. A 2016 study found that 33% of all bitcoin exchanges have been hacked at some point.
Based on what we know about the NiceHash breach, the hackers started with one of the most common initial attack vectors: social engineering. No matter how much cybersecurity technology improves, social engineering has remained a reliable approach for hackers because it only requires a single instance of human error to be successful. Because any employee can be targeted for social engineering—such as in the form of a phishing email—company-wide security training and awareness are crucial to prevent this type of breach.
Of course, this is easier said than done. In order to inform effective awareness around social engineering, security teams need to understand the nature of the threat in real time. Two important steps to help achieve this are (1) implement a system that makes it easy for employees to report all suspected phishing emails, and (2) keep a database of all phishing attempts, for ongoing analysis. These two steps should help you create a picture of social engineering attacks against your organization, which you can use to tailor your security awareness efforts.
Once the attackers had stolen a NiceHash engineer’s credentials, they were able to use those credentials to access the payment system. A well-tuned SIEM, integrated with a strong incident response platform (IRP), will help companies quickly identify and shut down this sort of unauthorized access. For example, if the engineer did not have any need to access the payment system as part of their duties, the unusual access attempt could be flagged by the SIEM, and escalated to the IRP for automated disabling of access, pending further investigation.
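The SIEM-to-IRP flow sketched above, as an added illustration that is not code from the original post or from any vendor product: a rule that compares each successful access against the user's role entitlements, flags access with no business need (an engineer account reaching the payment system), and emits the containment action a playbook would take. The usernames, role table, log lines and key=value log format are all constructed for this example.

```python
"""Toy SIEM-to-IRP rule: flag successful access to the payment system by an
account whose role has no business need, and emit the containment action an
IRP playbook would take pending investigation. Usernames, roles and log
lines are constructed; the key=value log format is hypothetical."""

# Constructed entitlement table: systems each role may legitimately use.
ROLE_ENTITLEMENTS = {
    "mining-engineer": {"mining-cluster", "build-server"},
    "finance-ops": {"payment-system", "ledger"},
}
# Constructed directory lookup: username -> role.
USER_ROLES = {"alice": "mining-engineer", "bob": "finance-ops"}

# Constructed sample events (hypothetical key=value format).
SAMPLE_LOG = """\
ts=2017-12-06T01:12:03Z user=bob system=payment-system action=login result=success
ts=2017-12-06T01:13:40Z user=alice system=build-server action=login result=success
ts=2017-12-06T01:15:07Z user=alice system=payment-system action=login result=success
ts=2017-12-06T01:15:09Z user=alice system=payment-system action=withdraw result=success
ts=2017-12-06T01:16:22Z user=mallory system=payment-system action=login result=failure
"""

def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def evaluate(log_text):
    """Return one alert dict per successful access outside the user's entitlements."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("result") != "success":
            continue  # failed attempts are out of scope for this rule
        role = USER_ROLES.get(ev["user"])
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        if ev["system"] in allowed:
            continue
        reason = ("account not in directory" if role is None
                  else f"role {role!r} has no entitlement to {ev['system']!r}")
        alerts.append({**ev, "reason": reason,
                       # automated containment, pending analyst review
                       "response": f"disable account {ev['user']}; open incident"})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["system"], "->", alert["response"])
```

In a real deployment the entitlement table would come from the identity provider or HR system rather than a literal, and the response would be a ticketed playbook step rather than an immediate disable for every hit.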
While your organization might not be as tempting a target as a digital wallet containing millions of dollars, it is still a certainty that you will face social engineering attacks at some point. We hope that this article gave you a few ideas to consider. If you want to learn more about how automation can be used to quickly shut down cybersecurity incidents, check out our recent briefing.
We’ll see you back here next month for a new Breach of the Month.