Safe publishes preliminary report
On March 6th, Safe attributed the breach that led to the Bybit hack to a compromised developer laptop. Malware planted on that machine gave the attackers their initial foothold.
The attacker circumvented multi-factor authentication (MFA) by leveraging active Amazon Web Services (AWS) session tokens to gain unauthorized access.
This allowed the hackers to tamper with Bybit's Safe multi-signature wallet interface, altering the transaction the signers approved so that Ethereum (ETH) worth around $1.5 billion was diverted to attacker-controlled addresses, making it the largest crypto hack in history.
Developer Workstation Compromise
The breach originated from a compromised macOS workstation belonging to a Safe developer, referred to as “Developer1” in the report.
On February 4th, a contaminated Docker project on that workstation communicated with a malicious domain, GetStockPrice[.]com. This points to social engineering: Developer1's laptop was compromised after adding files from the compromised Docker project.
The domain was registered via Namecheap on February 2nd. SlowMist later identified GetStockPrice[.]info, a domain registered on January 7th, as a known indicator of compromise (IOC) attributed to the Democratic People's Republic of Korea (DPRK).
The attacker accessed Developer1's AWS account using a user agent string of “Distrib#Kali.2024”. Mandiant, the cybersecurity company tracking UNC4899, noted that this identifier corresponds to Kali Linux, a toolset commonly used by offensive security practitioners.
The report also revealed that the attackers used ExpressVPN to mask their origin. It further stressed that the attack resembles previous cases involving UNC4899, a threat actor associated with TraderTraitor, a criminal group allegedly linked to the DPRK.
In previous cases beginning in September 2024, UNC4899 used Telegram to manipulate crypto exchange developers into troubleshooting a Docker project, which deployed the PLOTTWIST malware.
Bypassing AWS Security Controls
Safe's AWS configuration required MFA re-authentication for Security Token Service (STS) sessions every 12 hours. The attacker attempted to register their own MFA device but was unable to.
To get around this restriction, the attacker hijacked an active AWS user session token through malware planted on Developer1's workstation. This gave them unauthorized access for as long as the session remained valid: the MFA check binds to the session rather than to the device, so a stolen token inherits the developer's MFA context until it expires.
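The following is an added example, not code from Safe's or Mandiant's report, showing how a 12-hour MFA session limit of the kind described above is expressed in IAM policy language, together with a minimal evaluator that mimics how IAM treats the aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge condition keys. The resource ARN and action are placeholders; the evaluator models only the two condition operators the policy uses. Its point is the caveat in the text: a session token stolen from a developer who authenticated with MFA passes the check until the session ages out, while a session the attacker starts without MFA is refused.

```python
"""Added example (not from the Safe/Mandiant report): an IAM policy that allows
actions only within 12 hours of MFA, and a tiny evaluator for its conditions.
A stolen session inherits the MFA context, so the policy alone does not stop it."""
import json
from typing import Optional

TWELVE_HOURS = 12 * 60 * 60  # 43200 seconds

# Policy follows the AWS IAM JSON grammar; the resource ARN is a placeholder.
MFA_AGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyWithinTwelveHoursOfMFA",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-frontend-bucket/*",  # placeholder ARN
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": str(TWELVE_HOURS)},
            },
        }
    ],
}


def _condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Evaluate one condition entry the way IAM does for these operators:
    a context key that is absent makes the condition false (no *IfExists* used)."""
    if key not in ctx:
        return False
    actual = ctx[key]
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "NumericLessThan":
        return float(actual) < float(expected)
    raise ValueError(f"operator not modelled: {operator}")


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Default deny; an Allow statement grants access only if every condition holds.
    Explicit Deny statements are not needed for this illustration."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions or stmt["Effect"] != "Allow":
            continue
        conds = stmt.get("Condition", {})
        if all(
            _condition_matches(op, key, val, ctx)
            for op, kv in conds.items()
            for key, val in kv.items()
        ):
            return True
    return False


def session_context(mfa_age_seconds: Optional[int]) -> dict:
    """Request context as STS presents it: the MFA keys are simply absent when
    the session was never authenticated with MFA."""
    if mfa_age_seconds is None:
        return {}
    return {
        "aws:MultiFactorAuthPresent": "true",
        "aws:MultiFactorAuthAge": str(mfa_age_seconds),
    }


if __name__ == "__main__":
    print(json.dumps(MFA_AGE_POLICY, indent=2))
    # Developer authenticated with MFA one hour ago: allowed.
    print(is_allowed(MFA_AGE_POLICY, "s3:PutObject", session_context(3600)))
    # The same session token replayed by an attacker an hour later: still allowed,
    # because the MFA age belongs to the session, not to the device that holds it.
    print(is_allowed(MFA_AGE_POLICY, "s3:PutObject", session_context(7200)))
    # A session the attacker started without MFA: denied.
    print(is_allowed(MFA_AGE_POLICY, "s3:PutObject", session_context(None)))
    # A session older than 12 hours: denied, forcing re-authentication.
    print(is_allowed(MFA_AGE_POLICY, "s3:PutObject", session_context(50000)))
```

The age limit therefore bounds how long a hijacked session is useful, which is worth having, but it cannot distinguish the developer's machine from malware running on it; that requires a second signal, such as source IP or user agent, evaluated outside the policy.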
Mandiant also identified three additional UNC4899-related domains used in the attack on Safe. These domains, registered via Namecheap, appeared in AWS network logs and in Developer1's workstation logs, showing the broader infrastructure behind the attack.
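As an added example (not part of the report, and not Safe's or Mandiant's tooling), the script below runs a simple triage over constructed CloudTrail-style records for the three AWS-side signals the report describes: a user agent never seen for a principal (the Kali identifier), a temporary STS credential used from more than one source IP (the hijacked session token), and any attempt to enrol a new MFA device (the attacker's failed registration). The account ID, role ARN, access key ID, IP addresses and timestamps are all fabricated; the event names CreateVirtualMFADevice and EnableMFADevice are the real IAM API names CloudTrail records.

```python
"""Added example (not from the Safe/Mandiant report): CloudTrail triage for an
unfamiliar user agent, a temporary key used from several IPs, and MFA enrolment."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

DEV1_ARN = "arn:aws:sts::111122223333:assumed-role/Dev/developer1"  # fabricated
DEV1_KEY = "ASIAEXAMPLE000000001"                                    # fabricated


def _event(time, name, ip, ua, arn=DEV1_ARN, key=DEV1_KEY, error=None) -> dict:
    """Build a CloudTrail-shaped record carrying only the fields the triage uses."""
    rec = {
        "eventTime": time, "eventName": name, "sourceIPAddress": ip, "userAgent": ua,
        "userIdentity": {"type": "AssumedRole", "arn": arn, "accessKeyId": key},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: normal CLI traffic from the developer's host, then the same
# temporary key reused from another IP with a different user agent, including a
# failed attempt to enrol a virtual MFA device.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    _event("2025-02-04T09:12:31Z", "GetObject", "203.0.113.10",
           "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"),
    _event("2025-02-04T11:40:02Z", "ListBuckets", "198.51.100.77", "Distrib#Kali.2024"),
    _event("2025-02-04T11:41:15Z", "CreateVirtualMFADevice", "198.51.100.77",
           "Distrib#Kali.2024", error="AccessDenied"),
    _event("2025-02-04T12:05:44Z", "PutObject", "203.0.113.10",
           "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"),
)]

# Known-good user agents per principal, e.g. learned from a month of history (constructed).
BASELINE_USER_AGENTS: Dict[str, Set[str]] = {
    DEV1_ARN: {"aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"},
}

MFA_ENROLMENT_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}


def parse_events(lines: List[str]) -> List[dict]:
    """One JSON record per line, as CloudTrail delivers after unpacking the Records array."""
    return [json.loads(line) for line in lines]


def unknown_user_agents(events: List[dict], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Events whose user agent has never been seen for that principal."""
    hits = []
    for e in events:
        arn = e["userIdentity"]["arn"]
        if e["userAgent"] not in baseline.get(arn, set()):
            hits.append((e["eventTime"], arn, e["userAgent"]))
    return hits


def shared_temp_keys(events: List[dict]) -> Dict[str, List[str]]:
    """Temporary credentials (ASIA... prefix marks STS session keys) used from
    more than one source IP during their lifetime: the shape a hijacked session leaves."""
    ips = defaultdict(set)
    for e in events:
        key = e["userIdentity"].get("accessKeyId", "")
        if key.startswith("ASIA"):
            ips[key].add(e["sourceIPAddress"])
    return {k: sorted(v) for k, v in ips.items() if len(v) > 1}


def mfa_enrollment_attempts(events: List[dict]) -> List[dict]:
    """Any attempt to add an MFA device; errorCode is kept so the analyst sees whether it succeeded."""
    return [e for e in events if e["eventName"] in MFA_ENROLMENT_EVENTS]


def triage(lines: List[str], baseline: Dict[str, Set[str]]) -> dict:
    events = parse_events(lines)
    return {
        "unknown_user_agents": unknown_user_agents(events, baseline),
        "shared_temp_keys": shared_temp_keys(events),
        "mfa_enrollment": mfa_enrollment_attempts(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, BASELINE_USER_AGENTS), indent=2))
```

Any one of these signals on its own produces false positives (a developer upgrading the CLI, or roaming between networks), but a temporary key that changes both IP and user agent mid-session while trying to add an MFA device is the pattern worth paging on.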
Safe said it has implemented significant security reinforcements following the breach. The team restructured its infrastructure and raised its security posture well beyond its pre-incident level. Despite the attack, Safe's smart contracts were unaffected.
Safe's security program includes restricting privileged infrastructure access to a handful of developers, separating development source code from infrastructure management, and requiring multiple peer reviews before production changes.
Safe has also pledged to maintain monitoring to detect external threats, to conduct independent security audits, and to use third-party services to identify malicious transactions.