Russia is using DNS and DPI to block YouTube, Telegram and WhatsApp while pushing state-controlled MAX as alternative

VPNs are the only way Russians can access the platforms — for now

TechRadar

📒 🛜 ⚠️ Old routers in 30+ countries had DNS settings hijacked, routing traffic through servers linked to a sanctioned Russian bulletproof host before sending users to malicious sites.

Read: https://hackread.com/sanctioned-bulletproof-host-hijack-old-home-routers/

#CyberSecurity #DNSHijack #Router #CyberAttack #CyberCrime

Sanctioned Bulletproof Host Linked to Hijacking of Old Home Routers

A DNS hijacking campaign abusing old home routers redirected traffic via servers run by Aeza International, a US sanctioned Russian hosting provider.

Hackread - Cybersecurity News, Data Breaches, AI and More
Smashing Security podcast #381: Trump shooting conspiracy, Squarespace account hijack, and the butt stops here - Social media fuels conspiracies galore after Donald Trump is shot at a rally, cryptocurre... https://grahamcluley.com/smashing-security-podcast-381/ #smashingsecurity #vulnerability #donaldtrump #squarespace #law&order #dnshijack #instagram #phishing #podcast #google #meta
Smashing Security podcast #381: Trump shooting conspiracy, Squarespace account hijack, and the butt stops here

Social media fuels conspiracies galore after Donald Trump is shot at a rally, cryptocurrency websites are hijacked after a screw-up at Squarespace…

Graham Cluley

Yesterday Bill Toulas of Bleeping Computer wrote:

"DNS hijacks target crypto platforms registered with Squarespace" (https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-platforms-registered-with-squarespace/):

« A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers. »

Not mentioned is that the attackers probably attempted (and possibly succeeded) to obtain valid https certificates for their fake servers. A bit of research using crt.sh (and VirusTotal) reveals the following i.r.t. the four DeFi domains mentioned in the article, in the same order of appearance.

————————————
1) compound.finance
————————————
They seem to be unaffected: according to https://crt.sh/?q=compound.finance *NO* certificates were approved since July 5.

Note that it is very irresponsible behavior of GTS (Google Trust Services) to *not always* (but rather *sometimes*, like https://crt.sh/?id=13624751017) log leaf certificates in the CT (Certificate Transparency) ledger (Google *does* always seem to log precertificates, but precisely in a case like this they are *less* interesting).

For more info on the erratic GTS behavior, the pointlessness of short lived certs and the difference between a "precertificate" and a "leaf certificate", see my response to this toot (which I'll add later).

—————————
2) celer.network
—————————
According to https://crt.sh/?q=celer.network, one precertificate was issued on July 11: https://crt.sh/?id=13694629335 (by LE = Let's Encrypt). Because LE leaf certs are always logged to CT, it looks like someone prevented counter signers from issuing a usable certificate - that would be a near success (for the attackers)

Note #1: at the top of https://crt.sh/?id=13694629335 one can read that Digicert and Sectigo already had countersigned this precertificate.

Note #2: in 2022 a DV certificate was issued for cbridge-prod2.celer.network which, as the result of a deliberate BGP hijack, led to a totally different attacker-owned server: https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/ (more details here: https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the).

———————————
3a) pendle.finance
———————————
As can be seen in https://crt.sh/?q=pendle.finance, a precert and a leaf cert (https://crt.sh/?id=13700814700&opt=ocsp) have been issued on July 11 by Sectigo, most likely to the attackers (*). This cert is valid for 1 year.

And it has not yet been revoked!

This means that, *if* it is in the hands of attackers (provided that they possess the associated private key, a certificate is public), it can be used in attacks where DNS-responses to individuals are forged.

(*) Because of the date (July 11) and because the owners of '*.pendle.finance' and 'pendle.finance' did not need a new "1 year valid" cert at all (I'd expect a new request in Jan. 2025):
2024-07-11 - 2025-07-11 <= weird
2024-02-13 - 2025-02-12 (2x)
2023-03-06 - 2024-03-05

———————————————————
3b) pendle.fi (==> pendle.finance)
———————————————————
https://crt.sh/?q=pendle.fi reveals that one precert was issued specifically for 'campaign.pendle.fi' on July 11.

Zooming in to https://crt.sh/?q=campaign.pendle.fi reveals one precertificate, issued by LE; like the 'celer.network' precert this attack appears to have been stopped in time (provided that crt.sh would have been updated by now *if* the leaf cert was actually issued).

Note #1: the owners of 'pendle.fi' had not used that subdomain name 'campaign' before (OTOH 'campaign.pendle.finance' was used before). So this may have been a carefully planned attack where a *subdomain* was added to the DNS records of 'pendle.fi', a technique called "domain shadowing" (https://unit42.paloaltonetworks.com/domain-shadowing/).

Note #2: in https://crt.sh/?spkisha256=5e3bbe888394436be58b950a67af6be91877992d73258e237030ce1db6bd4114 can be seen that a GTS leaf cert was logged to CT on July 11, while the corresponding precert had been logged on May 27 (such delayed logging sucks, but apparently it was not obtained by the attackers).

—————————————————
4) unstoppabledomains.com
—————————————————
Although I found some weird things i.r.t. certificates issued for this domain, I found no evidence that attackers managed to obtain DV certs for their servers impersonating "unstoppable domains".

———————
Conclusion
———————
Again DeFi sites have been subjected to attacks. It looks like most attacks were detected in an early stage, but some users may have been unlucky by accessing fake sites for the time they existed.

I'm not fully sure whether the 'pendle.finance' leaf cert issued by Sectigo was requested by the legitimate domain owner, or by attackers (it has not been revoked).

IMO, DV certs (even short lived ones, because *hours* may suffice for attackers) do not sufficiently protect against BGP or DNS hijack attacks, and neither against "legitimate" Man-in-the-Middle proxying as used by parties like Cloudflare and Fastly (https://infosec.exchange/@Bitwiper/112772374882006712), or by "near the server" MitM attackers (https://notes.valdikss.org.ru/jabber.ru-mitm/).

@BleepingComputer @billtoulas

#DV #DomainValidated #Certificates #DeFi #Crypto #CryptoCoins #BGPHijack #DNSHijack #DNS #BGP

DNS hijacks target crypto platforms registered with Squarespace

A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers.

BleepingComputer
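The post above works through crt.sh results by hand: a 1-year DV cert issued months before the previous one expires, and a subdomain ('campaign.pendle.fi') that had never been certified before. A domain owner can automate exactly those checks against a CT log feed. The script below is an added example written for this page; it is not Bitwiper's code, nor anything crt.sh ships. It assumes the record shape of crt.sh's JSON output (`id`, `issuer_name`, `name_value` with newline-separated SANs, `not_before`, `not_after`), uses a constructed sample that mirrors the pendle.finance timeline with made-up names and ids, and takes a hypothetical allow-list of the CAs the owner really uses. Plain crt.sh JSON does not say whether an entry is a precertificate or a leaf, so the script does not try to distinguish them.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of https://crt.sh/?q=<domain>&output=json.
# Names, ids and issuer strings are made up; the dates copy the pattern from the
# post: yearly renewals in Feb/Mar, then a surprise 1-year cert in July and a
# never-before-seen subdomain certified on the same day.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Sectigo Limited, CN=Sectigo RSA DV CA",
     "name_value": "*.example-defi.test\nexample-defi.test",
     "not_before": "2023-03-06T00:00:00", "not_after": "2024-03-05T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Sectigo Limited, CN=Sectigo RSA DV CA",
     "name_value": "*.example-defi.test\nexample-defi.test",
     "not_before": "2024-02-13T00:00:00", "not_after": "2025-02-12T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Sectigo Limited, CN=Sectigo RSA DV CA",
     "name_value": "*.example-defi.test\nexample-defi.test",
     "not_before": "2024-07-11T00:00:00", "not_after": "2025-07-11T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "campaign.example-defi.test",
     "not_before": "2024-07-11T00:00:00", "not_after": "2024-10-09T23:59:59"},
])

# Hypothetical allow-list: substrings of issuer_name for the CAs this owner uses.
EXPECTED_ISSUERS = ("Sectigo",)


def parse_records(raw_json):
    """Normalise crt.sh JSON entries and sort them by issuance date."""
    recs = []
    for r in json.loads(raw_json):
        recs.append({
            "id": r["id"],
            "issuer": r["issuer_name"],
            # crt.sh lists SANs newline-separated in name_value
            "names": frozenset(n.strip().lower() for n in r["name_value"].split("\n") if n.strip()),
            "not_before": datetime.fromisoformat(r["not_before"]),
            "not_after": datetime.fromisoformat(r["not_after"]),
        })
    return sorted(recs, key=lambda r: r["not_before"])


def find_unexpected_issuance(records, since_iso, min_remaining_days=60):
    """Return (cert id, reason) pairs for certs issued on/after `since_iso` that
    a domain owner would not expect: an issuer outside the allow-list, names
    never certified before (the domain-shadowing signal), or a renewal while an
    existing cert for the same name set still has more than `min_remaining_days`
    of validity left (the "1 year valid cert in July" signal)."""
    since = datetime.fromisoformat(since_iso)
    findings = []
    seen_names = set()
    for rec in records:
        if rec["not_before"] < since:
            seen_names |= rec["names"]      # history before the watch window
            continue
        reasons = []
        if not any(ca in rec["issuer"] for ca in EXPECTED_ISSUERS):
            reasons.append("unexpected issuer: " + rec["issuer"])
        new_names = rec["names"] - seen_names
        if new_names:
            reasons.append("never-before-seen names: " + ", ".join(sorted(new_names)))
        for prior in records:
            if prior["id"] == rec["id"] or prior["not_before"] > rec["not_before"]:
                continue
            remaining = prior["not_after"] - rec["not_before"]
            if prior["names"] == rec["names"] and remaining > timedelta(days=min_remaining_days):
                reasons.append(f"early renewal: cert {prior['id']} valid until {prior['not_after'].date()}")
                break
        findings.extend((rec["id"], reason) for reason in reasons)
        seen_names |= rec["names"]
    return findings


if __name__ == "__main__":
    for cert_id, reason in find_unexpected_issuance(parse_records(SAMPLE_CRTSH_JSON), "2024-07-01"):
        print(f"cert {cert_id}: {reason}")
```

On the sample, the February renewal passes (the previous cert had three weeks left), while the July cert is flagged as an early renewal and the Let's Encrypt cert for the new subdomain is flagged twice. To run it against real data, replace `SAMPLE_CRTSH_JSON` with the body of `https://crt.sh/?q=%25.<domain>&output=json` (crt.sh accepts `%.` as the wildcard prefix) and set `EXPECTED_ISSUERS` to the CAs you actually use; a hit is a prompt to check who requested the cert and, if it was not you, to request revocation.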
Cryptocurrency exchange Liquid suffers security breach, user data exposed

Cryptocurrency exchange Liquid has revealed that it was hacked last week, after a malicious attacker managed to seize control of its DNS records, seized control of some internal email accounts…

Graham Cluley
Cryptocurrency exchange Liquid suffers security breach, user data exposed - Cryptocurrency exchange Liquid has revealed that it was hacked last week, after a malicious attack... https://grahamcluley.com/cryptocurrency-exchange-liquid-suffers-security-breach-user-data-exposed/ #securitythreats #cryptocurrency #dnshijack #exchange #liquid #dns
Teenage TalkTalk hacker accused of $800,000 cryptocurrency theft in the United States - Elliott Gunton – aka “Glubz” – is charged in relation to the December 2017 security breach of cryp... more: https://www.grahamcluley.com/teenage-talktalk-hacker-accused-of-800000-cryptocurrency-theft-in-the-united-states/ #securitythreats #cryptocurrency #etherdelta #law&order #dnshijack #phishing #talktalk
Teenage TalkTalk hacker accused of $800,000 cryptocurrency theft in the United States

Elliott Gunton – aka “Glubz” – is charged in relation to the December 2017 security breach of cryptocurrency exchange EtherDelta.