Friday, April 29, 2022

15.3-M RPS DDOS attacks blocked at Cloudflare

This attack was at the application layer (HTTPS), which is more expensive for the attacker to launch, since each bot must first complete a TLS handshake before it can send a single request.

The attack was against a crypto launchpad. 

This attack was launched from a botnet of approximately 6,000 unique bots. It originated from 112 countries around the world. Almost 15% of the attack traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.


https://blog.cloudflare.com/15m-rps-ddos-attack/
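As an added example (not from the Cloudflare post), the script below shows why the botnet shape described above matters for defenders: a flood spread over thousands of bots, each sending a trickle, never trips a per-IP rate limit, so detection has to look at aggregate RPS and source diversity. The log format, the 600-bot sample, the thresholds and the country mix are all constructed for the example; only the rough proportions (about 15% from Indonesia) follow the post.

```python
from collections import Counter, defaultdict

RPS_ALERT = 100     # aggregate requests/second above which a second is examined (constructed threshold)
PER_IP_LIMIT = 20   # requests/second per client that a per-IP rate limit would block (constructed)


def parse_line(line):
    """Split one constructed log line '<ISO timestamp> <client IP> <country> <path>' into a dict."""
    ts, ip, country, path = line.split()
    return {"ts": ts, "ip": ip, "country": country, "path": path}


def build_sample_log():
    """Construct a two-second log: one ordinary second, then one second of a distributed flood."""
    lines = []
    # Ordinary second: five visitors, one request each.
    for i in range(5):
        lines.append(f"2022-04-29T10:00:00 192.0.2.{i} US /index.html")
    # Flood second: 600 distinct bots, one request each, spread over countries in roughly the
    # proportions the post reports (15% Indonesia, then Russia, Brazil, India, Colombia, the US);
    # the remaining share is split across other constructed country codes.
    mix = (["ID"] * 15 + ["RU"] * 12 + ["BR"] * 10 + ["IN"] * 9 + ["CO"] * 8 + ["US"] * 8
           + ["DE"] * 7 + ["FR"] * 7 + ["TR"] * 6 + ["MX"] * 6 + ["AR"] * 6 + ["ZA"] * 6)
    assert len(mix) == 100
    for i in range(600):
        lines.append(f"2022-04-29T10:00:01 10.{i // 256}.{i % 256}.1 {mix[i % 100]} /api/launch")
    return lines


def per_second_stats(lines):
    """Aggregate each second: total RPS, distinct client IPs, busiest single IP, top source country."""
    by_sec = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_sec[rec["ts"]].append(rec)
    stats = {}
    for ts, recs in by_sec.items():
        ips = Counter(r["ip"] for r in recs)
        countries = Counter(r["country"] for r in recs)
        top_country, top_n = countries.most_common(1)[0]
        stats[ts] = {
            "rps": len(recs),
            "unique_ips": len(ips),
            "max_per_ip": max(ips.values()),
            "top_country": top_country,
            "top_country_share": top_n / len(recs),
        }
    return stats


def classify(sec):
    """Label one second. A distributed L7 flood is high aggregate RPS where no single client
    exceeds the per-IP limit, so per-IP rate limiting alone will not stop it."""
    if sec["rps"] < RPS_ALERT:
        return "normal"
    if sec["max_per_ip"] >= PER_IP_LIMIT:
        return "single-source flood"
    return "distributed flood"


if __name__ == "__main__":
    for ts, sec in sorted(per_second_stats(build_sample_log()).items()):
        print(ts, classify(sec), sec)
```

The "distributed flood" verdict is the case where a defender needs aggregate controls (challenge pages, behavioural or reputation scoring, upstream scrubbing) rather than a per-client rate limit.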


Thursday, April 7, 2022

Security operations functions

- Threat intelligence: identify the adversary, extract TTPs, create a plan (e.g. will the procedure the adversary uses trigger alerts?). Good source for TTPs: https://www.thedfirreport.com

- Security operations centers

- Threat hunting

- Incident response

- Forensics

- Vulnerability management/Blue team

- Red team (offensive. Stealth engagement)

- Purple team (virtual team)

Below is the procedure for a purple team exercise against a TTP. It is important to measure how quickly an attack can be detected and responded to, since that delay bounds the potential damage.
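As an added example (not from this post), here is the kind of scorecard a purple team keeps for the measurement just described: per TTP, when the red team ran it, when the first blue-team alert fired, and when the host was contained. The exercise data is constructed; the technique IDs are MITRE ATT&CK identifiers used only as labels.

```python
from datetime import datetime

# Constructed results from one purple-team run, not from the post. None means the event never
# happened during the exercise (no alert fired, or nothing was contained).
EXERCISE = [
    {"ttp": "T1059.001 PowerShell download cradle",
     "executed": "2022-04-07T13:00:00", "detected": "2022-04-07T13:04:00", "contained": "2022-04-07T13:30:00"},
    {"ttp": "T1003.001 LSASS memory access",
     "executed": "2022-04-07T13:10:00", "detected": "2022-04-07T13:11:00", "contained": "2022-04-07T13:25:00"},
    {"ttp": "T1021.002 lateral movement over SMB admin shares",
     "executed": "2022-04-07T13:40:00", "detected": None, "contained": None},
]


def minutes_between(start, end):
    """Elapsed minutes between two ISO timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def score_exercise(runs):
    """Summarise: detection coverage, mean time to detect, worst detection delay, mean time to
    respond, and the TTPs that produced no alert at all (each is a detection-engineering task)."""
    detected = [r for r in runs if r["detected"]]
    contained = [r for r in runs if r["contained"]]
    ttd = [minutes_between(r["executed"], r["detected"]) for r in detected]
    ttr = [minutes_between(r["detected"], r["contained"]) for r in contained]
    return {
        "coverage": len(detected) / len(runs),
        "mttd_min": sum(ttd) / len(ttd) if ttd else None,
        "slowest_detect_min": max(ttd) if ttd else None,
        "mttr_min": sum(ttr) / len(ttr) if ttr else None,
        "undetected": [r["ttp"] for r in runs if not r["detected"]],
    }


if __name__ == "__main__":
    for k, v in score_exercise(EXERCISE).items():
        print(f"{k}: {v}")
```

Tracking these numbers across repeated runs is what turns a purple team exercise into a trend: coverage should rise and MTTD/MTTR should fall as detections are added for each entry in the "undetected" list.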



Another crypto hack via cross-chain bridge

Ronin is a sidechain of Ethereum. It is where the play-to-earn game Axie Infinity runs. 

The reason that the game runs on Ronin instead of directly on Ethereum is simple: Ethereum is slow and expensive.

To let people swap between the tokens of the Axie ecosystem (SLP, AXS, RON, WETH) and mainstream tokens managed in popular wallets such as MetaMask, Ronin built a bridge between the Ronin network and Ethereum. A bridge is a pair of smart contracts, one on each chain, that lock tokens on one side and release them on the other, guaranteeing payment versus payment (PvP).

The only problem is that Ronin has only nine validator nodes running a proof-of-authority (PoA) protocol. The attacker compromised 5 of those nodes, a majority, and used that control to sign bogus withdrawal transactions.

The end result: 173,600 ETH and 25.5 million USDC that had been locked in the bridge were drained. At prices as of the hack, this was worth more than $625 million.
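As an added example (not from the post or from Ronin's code), the model below shows the bridge-side rule that made the incident possible: funds are released once a threshold of validator signatures is present, so the bridge is only as strong as the number of validator keys an attacker would have to hold. Nine validators, a 5-of-9 threshold, the secrets and the withdrawal message are constructed; an HMAC stands in for the ECDSA signatures a real bridge contract verifies on-chain.

```python
import hashlib
import hmac

# Nine validators with constructed secrets. Real validators hold ECDSA keys and the bridge
# contract verifies signatures on-chain; HMAC stands in so the threshold logic runs offline.
VALIDATOR_KEYS = {f"validator-{i}": f"secret-{i}".encode() for i in range(1, 10)}
THRESHOLD = 5  # five of nine signatures release funds, the configuration described above


def sign(validator, message):
    """Toy signature: HMAC-SHA256 of the withdrawal message under the validator's secret."""
    return hmac.new(VALIDATOR_KEYS[validator], message, hashlib.sha256).hexdigest()


def verify(validator, message, signature):
    """Constant-time check of a toy signature against the validator's secret."""
    return hmac.compare_digest(sign(validator, message), signature)


def withdrawal_approved(message, signatures, threshold=THRESHOLD):
    """Bridge-side release check: count distinct known validators whose signature verifies.
    Unknown validators, bad signatures and duplicate entries for one validator add nothing."""
    valid = {v for v, s in signatures.items() if v in VALIDATOR_KEYS and verify(v, message, s)}
    return len(valid) >= threshold


def release_with_keys(n_keys, threshold=THRESHOLD):
    """Model the failure mode: whoever holds n_keys validator keys signs a withdrawal that no one
    else authorised. Returns whether the bridge would release it under the given threshold."""
    message = b"release 100 WETH to 0xconstructed"  # constructed withdrawal payload
    holders = list(VALIDATOR_KEYS)[:n_keys]
    return withdrawal_approved(message, {v: sign(v, message) for v in holders}, threshold)


if __name__ == "__main__":
    print("5 of 9 keys, threshold 5:", release_with_keys(5))     # True: the scenario above
    print("4 of 9 keys, threshold 5:", release_with_keys(4))     # False
    print("5 of 9 keys, threshold 7:", release_with_keys(5, 7))  # False: a higher bar
```

The third line of output is the mitigation in one number: raising the threshold (and spreading keys across genuinely independent operators) raises the count of separate compromises an attacker needs before the release check passes.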

https://blog.mollywhite.net/axie-hack/

https://rekt.news/


Wednesday, April 6, 2022

Third-party, social engineering, cryptocurrencies

This attack is hitting multiple buzzwords.

MailChimp has confirmed that some of their employees fell for a social engineering attack that led to the theft of their credentials.

"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."

These credentials were used to access 319 MailChimp accounts and to export "audience data," likely mailing lists, from 102 customer accounts.

In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.

Using these compromised API keys, a threat actor can create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal.
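As an added example (not from MailChimp or the reporting above), the script below sketches the detection a provider or customer could run over API-key audit events to catch exactly the misuse described: a campaign created or sent with a key from a network that key has never used, or a long-dormant key suddenly in use. The event format, the events, the /24 grouping and the 30-day dormancy window are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed API audit events, not real MailChimp logs:
# (timestamp, customer account, API key id, action, source IP)
EVENTS = [
    ("2022-03-01T09:00:00", "acct-1", "key-A", "list.read", "203.0.113.10"),
    ("2022-03-15T09:05:00", "acct-1", "key-A", "list.read", "203.0.113.11"),
    ("2022-04-04T02:13:00", "acct-1", "key-A", "campaign.create", "198.51.100.77"),
    ("2022-04-04T02:14:00", "acct-1", "key-A", "campaign.send", "198.51.100.77"),
    ("2022-04-03T10:00:00", "acct-2", "key-B", "list.read", "203.0.113.21"),
    ("2022-04-04T10:00:00", "acct-2", "key-B", "campaign.create", "203.0.113.20"),
    ("2022-01-10T08:00:00", "acct-3", "key-C", "list.read", "192.0.2.5"),
    ("2022-04-05T03:00:00", "acct-3", "key-C", "audience.export", "192.0.2.5"),
]

SENSITIVE = {"campaign.create", "campaign.send", "audience.export"}  # actions worth an alert
DORMANT_DAYS = 30  # a key silent this long, then used again, is worth a look (constructed threshold)


def detect(events):
    """Walk events per key in time order. Alert when a sensitive action comes from a /24 the key
    has never used before, and when a key dormant for DORMANT_DAYS is suddenly used again."""
    alerts = []
    seen_nets = defaultdict(set)   # key id -> /24 networks it has been used from
    last_use = {}                  # key id -> timestamp of its previous event
    for ts, account, key, action, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        net = ip_network(f"{ip}/24", strict=False)
        if key in last_use and when - last_use[key] > timedelta(days=DORMANT_DAYS):
            alerts.append({"key": key, "account": account, "at": ts,
                           "reason": "dormant key reactivated"})
        # First-ever use of a key has no baseline, so only alert once some network has been seen.
        if action in SENSITIVE and seen_nets[key] and net not in seen_nets[key]:
            alerts.append({"key": key, "account": account, "at": ts,
                           "reason": f"{action} from new network {net}"})
        seen_nets[key].add(net)
        last_use[key] = when
    return alerts


def keys_to_disable(alerts):
    """Containment list: every key that raised an alert is disabled and reissued to the customer."""
    return sorted({a["key"] for a in alerts})


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    print("disable:", keys_to_disable(found))
```

Key-B is deliberately left clean (a campaign created from the same network the key always uses) to show the baseline suppresses ordinary activity; the disable list is the same action MailChimp took for the affected keys.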

This attack is reminiscent of recent breaches by the Lapsus$ hacking group, who used social engineering, malware, and credential theft to gain access to numerous well-known companies, including Nvidia, Samsung, Microsoft, and Okta.

The Okta breach was accomplished through a similar method as MailChimp, by social-engineering a contractor who had access to internal customer support and account management systems.


Hydra was shut down

U.S. & German law enforcement announced the shutdown of Hydra -- a Russian “darknet” marketplace that facilitated ransomware, drug deals & other crimes.
  • Hydra accounted for 80% of all darknet-related cryptocurrency transactions in 2021 & cleared $5.2b in crypto since 2015.
  • German authorities secured Hydra’s servers, closed the service & seized $25 million worth of bitcoin.
In the context of sanctions against Russia, shutting down Hydra became a priority as the U.S. & its allies want to cut off any potential backdoor funding for Putin’s regime.

In this area, the following are recent accomplishments:
  • In Feb. 2022, the DoJ seized $3.6b in bitcoin stolen during a 2016 hack of Bitfinex -- the agency’s largest ever financial recovery.
  • In Nov. 2021, U.S. & EU authorities arrested multiple hackers affiliated with REvil & the DoJ recovered $6.1m tied to REvil ransom profits.
  • In June 2021, U.S. law enforcement recovered $2.3m of the ransom Colonial Pipeline paid when it was hit by ransomware.
Additional actions that should be considered:
  • Shut down support infrastructure: including the hardware/software vendors, malware developers, money launderers & others that enable criminal gangs.
  • Regulate exchanges: Regulate crypto exchanges under the same rules as U.S. brick-and-mortar banks.
  • Sanction offshore exchanges: Deny offshore crypto exchanges access to U.S. markets if they don’t prevent ransomware payouts.
  • Require ransomware disclosures: Breach disclosures by private companies would improve the chances of decrypting data or tracing payments.