Syscoin announced on its official GitHub page that the project's official client had been compromised by a trojan. The post urged users who downloaded the software from GitHub between June 9, 2018 at 10:14 PM UTC and June 13, 2018 at 10:23 PM UTC to take immediate action.
The initial attack vector was a compromised GitHub account belonging to one of the team members, which gave the perpetrators admin-level access to the repository and allowed them to replace the official Windows client with a trojaned version.
The altered client introduced by the attacker contained a relatively well-known piece of malware called Arkei Stealer, which targets users' passwords and the private keys of wallets stored on the local device. Fortunately, a scan from VirusTotal, an automated virus database and aggregation service, shows that 44/67 of the major antivirus vendors have already flagged the offending file, severely limiting its ability to spread further.
Syscoin recommends that all Windows users check the installation date of their desktop cryptocurrency client and confirm that it does not fall between June 9 and June 13, 2018. Affected users are advised to back up their data to a clean storage medium, scan their system with an antivirus product, change all passwords associated with that machine from an uninfected device, and migrate their funds to a newly generated encrypted wallet on a clean machine.
Syscoin Tightens Up Security in Response
The Syscoin team has taken steps to ensure that this kind of attack does not happen again: all Block Foundry Staff and Syscoin Developers are now required to enable two-factor authentication on their accounts, to perform routine verification of signature hashes, and to work with GitHub to ensure users will be able to detect altered binaries.
While many people may be familiar with 2FA from logging in to major cryptocurrency exchanges, Syscoin's use of signature hashes, through the open-source tool Gitian, requires some explanation.
Multifactor Checksum Validation
When developers publish software, they often accompany the release with a checksum: a unique string produced by a hashing algorithm such as MD5 or SHA that serves as a fingerprint for that version of the program. A user can download the published software, run the same hashing algorithm over it, and compare the result with the value the developers published, confirming that the bytes they downloaded are identical to what the publisher released.
Gitian, developed by the pseudonymous Dev Random alongside other members of the Bitcoin Core community, takes this concept of verifiable, trusted code a step further.
Because compiling human-readable source code into a binary is a complex process, two developers compiling identical code will often produce slightly different binaries, which in turn yield completely different checksums.
Gitian creates a reproducible build environment across multiple machines by running a virtual machine inside another virtual machine, allowing several developers to cross-reference each other's code and compile binaries with reasonable confidence that the output will be identical on every device. If someone introduces malicious code, intentionally or otherwise, the other team members will be able to identify who produced it and diagnose the problem quickly.
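As an added illustration (not code from the Syscoin project or from the article), the following Python sketch shows the two checks described above: the single-source checksum comparison from the "Multifactor Checksum Validation" section, and the Gitian-style cross-check in which several independent builders must reproduce the same digest. The file name, binaries, manifest and builder attestations are constructed samples, and the quorum logic is a simplification of how Gitian's per-builder assert files are compared.

```python
import hashlib
from collections import Counter

# Constructed sample release: the genuine build and a trojaned copy.
# "wallet-client.exe" is a placeholder file name, not Syscoin's real one.
FILE_NAME = "wallet-client.exe"
GENUINE_BIN = b"genuine release bytes (constructed sample)"
TAMPERED_BIN = GENUINE_BIN + b" + injected stealer payload (constructed sample)"

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the same value a user computes on the download."""
    return hashlib.sha256(data).hexdigest()

# Constructed SHA256SUMS-style manifest in the usual "<digest>  <file>" layout.
PUBLISHED_SUMS = f"{sha256_hex(GENUINE_BIN)}  {FILE_NAME}\n"

def parse_sums(text: str) -> dict:
    """Parse a checksum manifest into {filename: hex digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            digest, name = parts
            sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return sums

def verify_download(name: str, data: bytes, manifest: str) -> bool:
    """Single-source check: does the file match the manifest published next to it?"""
    expected = parse_sums(manifest).get(name)
    return expected is not None and sha256_hex(data) == expected

def builder_consensus(attestations: dict, quorum: int):
    """Gitian-style check: the digest that at least `quorum` independent builders
    reported, as (digest, [builders]); None if no digest reaches the quorum."""
    if not attestations:
        return None
    digest, n = Counter(attestations.values()).most_common(1)[0]
    if n < quorum:
        return None
    return digest, sorted(b for b, d in attestations.items() if d == digest)

def release_is_trustworthy(name, data, manifest, attestations, quorum=2) -> bool:
    """Accept only if the download matches the manifest AND the manifest digest
    is the one a quorum of independent builders reproduced. An attacker with
    admin access can swap both binary and manifest, but not the builders' results."""
    consensus = builder_consensus(attestations, quorum)
    return (verify_download(name, data, manifest)
            and consensus is not None
            and consensus[0] == parse_sums(manifest)[name])
```

The last case in the test below is the one that matters for an account takeover like this one: a manifest swapped alongside the binary passes the single-source check but fails the builder cross-check.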
The number of users affected by the Syscoin hack has yet to be determined; however, the team's rapid reaction in notifying the broader security community, and the steps taken to lock down the project's production pipeline, are hopeful signs for the project's security going forward.