Yesterday ClearSky, a security research group, released a report on a threat actor group called CryptoCore. As you may guess by the name, CryptoCore specifically targets cryptocurrency wallets and exchanges.
This group carefully and methodically social engineers companies that run exchanges for cryptocurrency like Bitcoin. At first, they target the personal account of an employee, perhaps a manager. Then, using the information from this person’s account they spear-phish an executive in an attempt to install malware on the executive’s personal computer. CryptoCore attempts to gather passwords through these spear-phishing attempts. These highly sophisticated attacks by CryptoCore allowed them to rake in over $200 million over the last two years.
While the issue lies with cryptocurrency exchanges, their lack of security gives us examples of what not to do in high security settings. Many exchanges lack the proper security to protect high-value targets that control millions of dollars. At no point should one person’s password control the exchange. CryptoCore attempts to disable multi-factor authentication if it exists but a properly configured server should never allow this. Additionally, even the owner or CEO of an exchange should never access the administrator’s account from their work or personal computer. Instead, administrative access should be restricted to a dedicated server with no Internet access for this purpose. This way an adversary can’t disable multi-factor authentication without physical access or through a vulnerability in the authentication. For the client side, you should use multi-factor authentication for any amount of money. If the exchange or any high-value target uses dedicated development servers and forces multi-factor authentication then even a compromised password, by itself, won’t allow access to the data.