Client Overview: Our client is a prominent company in the Web3 space, specializing in offering cryptocurrency solutions. As a major player in the industry, they provide secure platforms for buying, selling, and trading digital currencies, enabling users to engage with cryptocurrencies in a seamless and trustworthy environment. Given the sensitive nature of the services they offer, their platform security is paramount, with strict access controls and robust internal safeguards designed to prevent any unauthorized access.
The Incident: A Critical Security Breach
The client reached out to us with an urgent and critical incident: an attacker had gained access to their whitelisted internal network, which was designed to be reachable only from trusted internal IP addresses. This network hosts the client's most critical components, and unauthorized access to it could have devastating consequences given the sensitive data and financial transactions being handled. The attacker had also made multiple login attempts against the system, which further escalated the severity of the issue. The client was understandably concerned and treated the matter as an immediate, high-priority threat to their infrastructure.
Challenges Identified
Upon receiving the incident alert, we immediately mobilized our team to assist the client. However, the investigation was not straightforward due to several key challenges:
- Incomplete Server Logs: The server logs provided by the client were incomplete and difficult to analyze. The server hosted multiple applications on the same infrastructure, each serving multiple domains, and the logs were not segregated by application or domain. Every request from every domain landed in the same log stream, which made it hard to isolate the specific requests associated with the attack.
- Limited Logging Configuration: The server was configured with basic logging only, recording the requested endpoint and the request size but not the domain name (Host header) the request was sent to or the source IP address. Without those two fields, a request to the protected domain and a request sent directly to the server's IP address look identical in the log, which made it difficult to trace the attacker's activity and understand how they had bypassed the security measures.
- Whitelisting Bypass: The internal network was protected by a whitelisting mechanism, restricting access to only internal IP addresses. However, we needed to determine how the attacker had bypassed this restriction, and if there were any vulnerabilities in the configuration that could have allowed unauthorized access.
Despite these challenges, we were determined to help the client resolve the issue as quickly as possible.
Engagement Overview: Our Response
1. Understanding the Situation and Network Flow: The first step in our process was to fully understand the network flow of the client’s architecture, especially how the internal network was segmented from the public-facing internet. We collaborated closely with the client’s internal security and IT teams to gather all available information about the infrastructure and access controls in place.
2. Server Logs Review: Upon receiving the server logs, we quickly realized they were insufficient for a detailed analysis. The logs were too general and lacked the fields we needed most, such as the source IP of each request and the domain it was addressed to. We made the best of the situation by combing through the available logs for patterns and anomalies. This was a challenging task, but we were able to filter the logs down to traces that were consistent with the attack.
3. Investigating IP Restriction Bypasses: The next phase of our investigation involved assessing potential IP restriction bypasses. Since the attack had reached the whitelisted network, we hypothesized that the attacker had found a way around the access controls rather than through them. Our team systematically tested the platform for misconfigurations that could expose the internal network. Through this testing we found that the IP restriction was enforced only for requests addressed to the protected domain name; requests sent directly to the server's IP address were not subject to it. Accessing the IP directly returned a blank page rather than a rejection, which told us that the server was still accepting and serving such requests in some form.
4. Identifying Web Directories on the IP: During the reconnaissance phase, we began enumerating web directories on the exposed IP address. After some initial probing, we found several directories that were not adequately secured and could be browsed without any authentication. This discovery was the turning point in the investigation. We immediately communicated it to the client, pointing out that the misconfiguration had allowed us to reach these directories and that the attacker had most likely done the same.
5. Accessing the Application Directory: In collaboration with the client’s IT team, we identified the exact directory where the application was stored on the server. By accessing this directory through the exposed IP address, we were able to gain entry to the application itself. This misconfiguration had allowed the attacker to bypass the security controls and potentially exploit the system further.
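The bypass described in steps 3 to 5 can be reproduced and tested for in a few lines. The block below is an added example and not the client's code: it models a server whose IP allowlist is enforced only inside the virtual host for the protected domain name, so a request that carries any other Host header (including the bare IP, which is what a browser sends when you type the address) falls through to a default virtual host that serves the same document root with directory listing enabled. The `probe()` function is the check a responder would run against a real origin: it requests the same path twice, once with the protected hostname and once with the IP alone, and reports a bypass when the named host refuses the request but the direct-IP request succeeds. The hostname, allowlist and listing contents are hypothetical; the `hardened` flag shows the corrected behaviour, where requests for an unknown hostname get nothing back.

```python
import ipaddress
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED_HOST = "app.example.internal"               # hypothetical vhost name
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # hypothetical allowlist
DOCROOT = {"/": ["admin/", "config/", "index.php"]}   # constructed listing


class VhostHandler(BaseHTTPRequestHandler):
    """Models the misconfiguration: the allowlist lives in one vhost only."""
    hardened = False  # True = unknown hostnames are refused (the fix)

    def log_message(self, *args):  # keep the model quiet
        pass

    def do_GET(self):
        host = self.headers.get("Host", "").rsplit(":", 1)[0]
        client = ipaddress.ip_address(self.client_address[0])
        if host == PROTECTED_HOST:
            # Allowlist enforced here, and only here.
            if any(client in net for net in ALLOWED_NETS):
                self._send(200, "app")
            else:
                self._send(403, "forbidden")
        elif self.hardened:
            # Corrected: a catch-all vhost that serves nothing (nginx's
            # `return 444` in a default_server block has the same effect).
            self._send(404, "")
        else:
            # Default vhost: same document root, listing on, no allowlist.
            entries = DOCROOT.get(self.path)
            if entries is None:
                self._send(404, "not found")
            else:
                self._send(200, "<title>Index of %s</title>\n%s"
                           % (self.path, "\n".join(entries)))

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def fetch(url, host_header=None):
    """GET url; optionally override the Host header. Returns (status, body)."""
    headers = {"Host": host_header} if host_header else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def probe(ip, port, hostname, path="/"):
    """Compare a request for the named vhost with a direct-IP request."""
    url = "http://%s:%d%s" % (ip, port, path)
    named_status, _ = fetch(url, host_header=hostname)
    direct_status, direct_body = fetch(url)
    return {
        "named_status": named_status,
        "direct_status": direct_status,
        "bypass": named_status == 403 and direct_status == 200,
        "listing": "Index of" in direct_body,
    }


def start_model_server(hardened=False):
    handler = type("Handler", (VhostHandler,), {"hardened": hardened})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(hardened=False):
    """Run the probe against the model server from 127.0.0.1 (not allowlisted)."""
    srv = start_model_server(hardened)
    try:
        return probe("127.0.0.1", srv.server_port, PROTECTED_HOST)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print("misconfigured:", demo(hardened=False))
    print("hardened:     ", demo(hardened=True))
```

Against a real origin you would call `probe()` with the server's public IP, the protected hostname and a known path; a 403 for the named host alongside a 200 for the bare IP is the signature of an allowlist bound to the virtual host rather than to the server.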
6. Immediate Action and Remediation Recommendations: Once the issue was identified, we immediately shared our findings with the client. We explained the misconfiguration that had allowed the attacker to bypass the IP restriction and provided recommendations for immediate remediation: applying the IP allowlist to the server as a whole, with a catch-all default virtual host that rejects requests for any hostname other than the protected domain; disabling directory listing and securing the exposed directories; and enabling more granular logging that records the source IP and the Host header of every request, so that any future breach can be traced. Given the severity of the situation, we helped the client take swift action to block unauthorized access, correct the misconfigurations, and secure the exposed components. These changes were implemented within an hour of our discovery.
7. Rapid Resolution and Collaboration: The rapid resolution of this incident was a testament to the close collaboration between our security team and the client’s internal team. While the challenge was complex, the mutual efforts of both teams allowed us to quickly address the vulnerability and secure the client’s infrastructure.
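The logging recommendation from step 6 only pays off if the extra fields are actually used. The block below is an added example, not the client's tooling, showing the triage that becomes possible once each log line carries the client address and the Host the request was sent to (the two fields that were missing in the challenges above). The log layout, hostname, allowlist and sample lines are all constructed for the example; the attacker's lines reproduce the pattern of this incident, a blank page on the bare IP, a browsable directory, then repeated login attempts. The analysis flags requests whose Host is an IP literal (direct-IP access), successful responses to clients outside the allowlist, and failed logins per source address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines. Layout (hypothetical):
#   client host [time] "method path proto" status bytes
SAMPLE_LOG = """\
10.0.1.5 app.example.internal [12/Mar/2024:10:01:02 +0000] "GET /dashboard HTTP/1.1" 200 512
203.0.113.7 app.example.internal [12/Mar/2024:10:03:10 +0000] "GET /dashboard HTTP/1.1" 403 153
203.0.113.7 198.51.100.20 [12/Mar/2024:10:03:41 +0000] "GET / HTTP/1.1" 200 0
203.0.113.7 198.51.100.20 [12/Mar/2024:10:04:05 +0000] "GET /admin/ HTTP/1.1" 200 2210
203.0.113.7 198.51.100.20 [12/Mar/2024:10:04:30 +0000] "POST /admin/login HTTP/1.1" 401 98
203.0.113.7 198.51.100.20 [12/Mar/2024:10:04:32 +0000] "POST /admin/login HTTP/1.1" 401 98
203.0.113.7 198.51.100.20 [12/Mar/2024:10:04:35 +0000] "POST /admin/login HTTP/1.1" 401 98
10.0.1.9 app.example.internal [12/Mar/2024:10:05:00 +0000] "POST /admin/login HTTP/1.1" 302 0
"""

ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # hypothetical allowlist

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not fit."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_ip_literal(host):
    """True when the Host value is a bare address, i.e. the request went to the IP."""
    for candidate in (host, host.rsplit(":", 1)[0]):
        try:
            ipaddress.ip_address(candidate)
            return True
        except ValueError:
            pass
    return False


def is_allowed(client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in ALLOWED_NETS)


def analyze(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    # Requests addressed to the server's IP instead of a hostname: the bypass path.
    direct_ip_hits = [r for r in records if is_ip_literal(r["host"])]
    # Successful responses to clients the allowlist should have stopped.
    unlisted_success = [r for r in records
                        if not is_allowed(r["client"]) and r["status"] < 400]
    # Failed login attempts per source address.
    failed_logins = Counter(
        r["client"] for r in records
        if r["method"] == "POST" and r["path"].endswith("/login")
        and r["status"] in (401, 403)
    )
    suspects = ({r["client"] for r in direct_ip_hits + unlisted_success}
                | set(failed_logins))
    return {
        "direct_ip_hits": direct_ip_hits,
        "unlisted_success": unlisted_success,
        "failed_logins": failed_logins,
        "suspects": suspects,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("direct-IP requests:", len(result["direct_ip_hits"]))
    print("successes outside allowlist:", len(result["unlisted_success"]))
    print("failed logins:", dict(result["failed_logins"]))
    print("suspect sources:", sorted(result["suspects"]))
```

With only endpoint and size recorded, as in the client's original configuration, every one of the attacker's lines above would collapse into entries like `GET /admin/ 2210` that cannot be tied to a source or distinguished from a legitimate request on the named domain; the Host and client fields are what make the attribution possible.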
Outcome and Conclusion
The incident was resolved within an hour of our discovery, and the client's critical component was safeguarded against further attacks. The misconfiguration was rectified, and the necessary security controls were put in place to prevent similar issues in the future. This case underscores the importance of secure configuration and comprehensive logging for sensitive infrastructure, especially in high-stakes environments like the Web3 and cryptocurrency sectors: an IP allowlist is only as strong as the scope it is applied to, and logs that omit the source address and the requested hostname cannot answer the first questions an investigation asks. By working closely with the client, we were able to identify a significant security flaw, mitigate the risk, and restore confidence in their platform's security.
In the end, the collaborative nature of our response allowed the client to address the issue rapidly and confidently, ensuring their systems remained secure and operational.