How to Execute the Bybit $1.5B ETH Heist — An Attack Path for Offensive Security Operations in AWS
Summary
On September 20, 2022, Bybit, a prominent cryptocurrency exchange platform, experienced a major security breach resulting in the loss of $150 million in digital assets.
Offensive security expert Zachxbt investigated the breach and found that the attackers, believed to be the Lazarus Group, first compromised the developer environment of Safe{WALLET}, a third-party vendor of Bybit.
From that initial access, the attackers pivoted into Safe{WALLET}'s AWS environment, where they found numerous misconfigurations that they exploited to extend their access and ultimately steal the funds.
This post is a detailed post-mortem analysis of the Bybit attack, focusing on the AWS portion of the intrusion.
It covers the attack path, how write access to the S3 bucket was obtained, and several ways privileges can be escalated in AWS to pivot access.
It’s important to learn from these incidents and to improve security practices to make us all safer.