About this series
Last time, a malicious hacker got access to Poor Corp’s internal git repositories and used an open-source secret scanner to find and steal AWS keys. Using the stolen keys, the hacker gained deep access to Poor Corp’s major SaaS services and stole all their customer data.
In this series, we will dissect not just what an attacker can do to get access to credentials, but also what they would do after getting that initial access. We will walk through a different threat scenario in each part of the series and tell stories of malicious hackers that are either true, based on a true incident, or reasonably theoretical.
In today’s scenario, we have a threat actor that isn’t your run-of-the-mill, business-hacking, ransomware operation. This threat actor is after a large amount of money being dumped into the cryptocurrency market. Although most people wouldn’t recognize it, we are living in the peak age of stolen money. Ransomware aside, cybercriminals in the crypto space have made off with more money than the largest bank heists in history – all without the personal risk that comes with robbing a bank.
The crypto hacker in this scenario doesn’t make their money by exploiting crypto exchanges though… They have strong programming skills and an understanding of how the cryptocurrency market reacts to various events. Rather than go after the big fish, this criminal makes their money by scamming cryptocurrency investors.
To dupe people on a large scale, our crypto hacker finds random alternative crypto coins (altcoins) and uses the classic pump-and-dump methodology to steal money from investors. How do they find and trick these people? With disinformation operations.
Social media has been a big tool in the tool belt for our criminal, and for years they have been creating automated accounts to pump up engagement on videos and messages promoting their targeted altcoins. This has worked okay for them, but people are starting to get better at recognizing when there are no serious backers of these cryptocurrencies. To give their altcoin promotions more credibility, the crypto hacker decides to work on finding ways to hijack legitimate accounts.
Leaky mobile apps
To find account credentials, the crypto hacker decides to search for new credentials rather than purchase leaked databases on the dark web. They know that lots of software developers hard-code secrets like API keys and private keys in their code, so there’s lots of opportunity to find new accounts. Unfortunately for the hacker, though, many of the obvious places to find these secrets are already scrutinized. Instead of looking at common places like open-source code repositories, the hacker decides to go searching for API keys embedded in mobile apps.
First, the hacker writes a script to crawl the Internet Archive’s Android APKs, and then the script will extract all the files from each APK. From there, the hacker writes a script to scan each app with an open-source tool called TruffleHog. After days of scanning, organizing, and validating the results, the crypto hacker has found over 3,000 apps leaking Twitter secrets. How did those get there?
When a developer of an app is testing the Twitter API, they end up saving strings related to their account’s authentication to certain files that the app uses. Sometimes, the developer forgets to clean up these files before deploying the app!
Hijacked accounts love crypto!
Now the hacker has a bunch of legitimate accounts that they can use to promote their chosen altcoin. The scammer identifies their next target, an altcoin called BrrCoin, and they purchase a few thousand dollars worth of BrrCoin. Then, the crypto hacker begins to spread information about it on a bunch of platforms. On Twitter, the hacker uses the hijacked accounts to periodically like tweets about BrrCoin, leading followers of the hijacked accounts to be exposed to it.
Over time, the crypto hacker gets a lot of people to hear about and invest in BrrCoin. Eventually, the price of BrrCoin has gone up so much that the hacker’s initial investment has grown 100 times over what they put in. At that point, the crypto hacker pulls out of BrrCoin by transferring it with a more stable cryptocurrency, and they get ready for their next pump and dump operation.
Social media is a powerful tool for spreading information, and, like any tool, it can be used for good or for bad. If you write software that interacts with social media in any way, it’s important to protect yourself and your users from potential leakage of secrets. Scammers and nation states are always looking for ways to be more effective at disinformation operations on social media, and getting access to a bunch of real accounts would be a gold mine for these kinds of threat groups.
Analyzing the technical side of the story, our crypto hacker could find Twitter OAuth secrets by scanning tens of thousands of archived Android apps. Because the developers of the app forgot to clean up the secrets they generated when they were testing the Twitter API, the hacker was able to find their authentication strings and access the accounts that were used for testing.
Most developers know to use things like
.gitignore to ensure sensitive files don’t end up in the git history. However, they might forget that those files still exist when testing happens, and they may even get caught in the build and shipped with the app! If you automate testing and then build your app and the environment is the same for both steps, you should consider if there are any artifacts from your tests that could end up in your build. This doesn’t just apply to Android apps. Docker container builds are another potential avenue where this could happen on. If your Dockerfile contains the line
COPY . . to copy application files to the container, you should make sure that the directories you are copying only contain the files you expect them to. The moral of the story is this: always be conscious of where your secrets are stored and how they are used.