The first day of spring was marked by a major theft of bitcoins. The attackers chose as their victims bitcoin owners who kept their wallets on the cloud hosting provider Linode.com.
The first to notice traces of the attack was Marek Palatinus, owner of the well-known mining pool mining.bitcoin.cz and known in Bitcoin circles under the nickname slush. As he writes on his blog, early in the morning he received an SMS stating that the balance of the wallet his pool uses to pay out mined coins had dropped below the set threshold.
When he began to figure out what was happening, he saw that 3094 coins had been transferred to a certain wallet (here you can see this transaction). A quick check of the pool's running services revealed no signs of hacking. However, he then discovered that two of his servers on Linode had been reset and their root passwords changed. (The bitcoin wallet was stored on one of these virtual machines.) This had been done from the admin panel (Linode Manager). Slush immediately contacted Linode, who at first could not explain what had happened other than by a compromised admin password. But slush was sure of the complexity and uniqueness of his password; besides, the log of completed tasks contained no entries about a password change or a reboot, and there were no traces of anyone logging in to the admin panel at the time of the hack.
After the problem was escalated and investigated more thoroughly, Linode experts confirmed the hack and reported that the attacker had used the web interface intended for support staff (which makes an insider explanation plausible). The compromised accounts were blocked and all victims were notified. All the victims were connected with Bitcoin in one way or another, that is, the attack was targeted and planned. There were eight victims in total; the largest was Bitcoinica, which lost 43,554 BTC, or about 200 thousand dollars at the current exchange rate.
Linode posted a short incident report (a more detailed official announcement is expected). It assures that other users of the service, apart from these eight, have not suffered in any way; neither user passwords to Linode Manager nor credit card information were compromised.
Bitcoinica assured that it will cover all losses itself and that its users will not be affected. There were no important passwords or user data on the hacked server. In the case of the pool mining.bitcoin.cz, the user database may have leaked. And, although the passwords were stored as hashes (SHA1 with salt), users are encouraged to change them.
Moral of the story
1. Every coin has two sides, including Bitcoin's anonymity. On the one hand, no one will be able to trace and prove that it was you who sold 10 kg of heroin yesterday on SilkRoad (and sent half of the proceeds in support of Wikileaks). On the other hand, you sit and watch your bitcoins drain away. A Bitcoin transaction is not an instant event; it is confirmed as the information spreads over the network (which in itself is worthy of philosophical reflection). And you even know exactly where the coins are flowing, to which wallet. But you cannot do anything. And here even the FSB and Interpol will not help.
2. Do not put all your eggs in one basket. Well done, slush: he did just that. His main funds were offline, in an encrypted wallet, and the working wallet held only the minimum amount necessary to keep the pool running. Losing 12K euros is of course very disappointing; it represents many months of work by all users of the pool. But it's better than losing everything.
3. If you handle hundreds of thousands of dollars, even virtual ones, think about security seriously. Perhaps a cheap VPS in a public cloud is not the best infrastructure for this.
4. Bitcoins are gaining liquidity after all, since people are stealing them.