Awake Security Q&A: New Crypto Attack Hides in Encrypted Browser Traffic
Awake Security recently discovered a new attack that hides in encrypted browser traffic to perform cryptocurrency theft. By hiding in encrypted traffic, the attack is able to evade detection by leveraging popular high reputation domains like Pastebin for command and control.
Why are hackers drawn to utilizing encryption? What makes it attractive? What are its drawbacks?
Encryption allows attackers to hide the specifics of their attacks from security tools and analysts. It's attractive because the industry has still not found a solution that has proven to be widely affective in addressing many threats once they are encrypted -- many security products are still looking for static signatures that can only be found in unencrypted traffic. It's also attractive because it's very easy to implement. Every browser and operating system, and virtually every piece of software supports SSL/TLS encryption; and there are free certificate providers such as Letsencrypt that provide an extremely easy method of supporting encryption that will be viewed as legitimate by applications on attacker's infrastructure.
Describe this new attack you found – how can attackers steal cryptocurrency? Who is at risk?
Similar to how you would expect someone might steal money from your online bank account. There are apps and extensions that interact with cryptocurrency wallets such as ledgerwallet; these use an open source and common API (a method for communicating with the wallet servers using computer code) to interact with a user's wallet. The user sees the User Interface for the application where they can buy and sell cryptocurrency, check their balance, etc... But in the background all of that is handled by these API calls. The attacker takes advantage of that by running their own code using the APIs to steal the currency for themselves, rather than whatever the user wanted to do -- this is usually what you hear referred to as "browser hijacking" or "hijacking" in general.
How do you defend against this type of attack? What can orgs do vs what can consumers do to avoid becoming a victim?
Most organizations have some kind of email security solution in place and look for the obvious phishing attempts. However, this threat detection would likely evade all of those solutions since the traffic itself was encrypted but also since the domains in question range from the highly reputable (office365.com) to the not obviously bad (pastebin.com and ledgerwallet.com). However, when you add the context of the source application used for the communication and the sequence of network activities, it is possible to identify the phishing attempt. Security teams would therefore do well to apply such encrypted traffic analysis techniques that can uncover threats like this which go unnoticed today.
Consumers don't have access to the same level of security controls obviously, which is why it's always important to implement two factor authentication, use strong passwords (with a password manager if possible), and certainly be very mindful of what links you click in emails you receive, especially if you're logged into your bank or cryptocurrency wallet with a browser extension.
For more information about Awake Security, visit: https://awakesecurity.com/