SealBlock publishes security report on its hot wallet solution

SealBlockIO
4 min read · Jun 18, 2019

Since the launch of the SealBlock Security Bounty Program, SealBlock hot wallets have been aggressively pen-tested by hackers and white-hat researchers from all over the world. Our team has observed more than 47,000 attacks from over 2,400 different IP addresses, none of which successfully transferred any cryptocurrency out of the platform. These real attack results provide an important data set for SealBlock to verify its wallet security technology. They also greatly enhance the confidence of customers and the public in the security strength of SealBlock solutions. The SealBlock technical team recently conducted a detailed analysis of the attack traffic and generated the following technical report.

1. Background

On December 21, 2018, SealBlock officially launched the SealBlock Security Bounty Program. SealBlock deposited crypto assets with a total value of more than $10,000 into the bounty hot wallet service and allowed anyone in the world to pen-test it. As the program proceeded, SealBlock continued to add more cryptocurrency to the bounty wallet, whose value now exceeds $50,000. SealBlock encourages any user, developer, or white-hat hacker to pen-test the bounty wallets and legally take the cryptocurrency stored there. More information about the program can be found here: https://medium.com/@sealblockio/sealblock-security-bug-bounty-program-398d634a0d5a

2. Overview

This report analyzes the web traffic on the hot wallet service from December 21, 2018 to June 12, 2019. Our security staff carefully examined the traffic and discovered a total of 47,633 attack attempts from 2,465 different IP addresses.

By looking up the geolocation of the attacker IPs, we found that they were from different regions or countries around the world, mainly from Asia, Europe, America and Africa.

Figure: Distribution of attacker IP addresses on SealBlock hot wallets

Further analysis shows that most attacker IPs come from the United States, accounting for 28.6 percent of total IPs, followed by China, accounting for 28.4 percent, with France and Germany ranking third and fourth. The detailed geolocation distribution of the IPs is shown below.

Figure: Geolocation distribution of attacker IP addresses

We are also interested in knowing how many attack attempts were issued from each geolocation, based on the IP addresses. We found that IP addresses from China made more than 27,000 attempts, followed by the United States with more than 4,000, and Thailand and Korea with more than 1,000 each. The figure below details the geolocation distribution of the attack attempts.

Figure: Geolocation distribution of the attack attempts

3. Anatomy of the Attacks

The team looked further into the attack traffic to gain more insight into the attacks. Below we summarize the characteristics we observed:

a. Leveraging vulnerabilities

We found that attackers would test the SealBlock hot wallet service for various known vulnerabilities. In the analysis, we found that the following vulnerabilities had been tested:

1) Modx Revolution bug

2) Router bugs

3) Remote code bug of WLS component in Oracle WebLogic

4) CGI public network interface bug

5) Modx Revolution remote code execution bug

6) ThinkPHP5 remote code execution bug

7) Drupal remote code execution bug

8) WebLogic arbitrary file upload bug

9) Struts2 S2-057 remote code execution bug

10) SSRF bug in DVR devices that do not require user login (camera attack)

11) JBoss AS 3/4/5/6 remote command execution bug

12) Malicious proxy for router UPnP bug

13) ColdFusion arbitrary file upload bug

14) FCKeditor file upload bug

15) Tomcat PUT (CVE-2017-12615) arbitrary file upload bug

16) Struts2-045 bug

17) WebLogic WSAT component RCE bug

b. Weak authentication

Attackers would try to find various pages that can be accessed with weak or no passwords. We found that the following scenarios had been tested by attackers:

1) Try to access the MySQL web administration tool

2) Try to access the Tomcat user management interface

3) Check to see if ColdFusion is open for login

4) Try to access the WordPress administration page

5) Check whether the JBoss /invoker/JMXInvokerServlet/ interface is open to the public

6) Try to obtain system information

7) Try to turn on a remote procedure call

8) Try remote shell downloads

9) Try to access the PHP configuration file

10) Try to access the specified directory

11) Try to access Joomla

12) Try to access an ASP website

13) Try to access nginx

c. Scanning tools

Attackers would use a variety of scanning tools to scan the SealBlock hot wallets in the hope of finding a way to attack them successfully. Scanning tools found so far include:

1) ZmEu bug scanning

2) Metasploit bug scanning

3) Nmap scanning

4) Shodan scanning

5) Unknown scanning tool
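Sections 2 and 3 describe two things a defender does with traffic like this: count attempts and distinct source IPs per country, and sort requests into known-vulnerability probes, weak-authentication probes, and scanner traffic. The script below is an added example of that triage, not SealBlock's own tooling. It assumes a combined-format web access log, a small set of indicative request patterns (paths taken from the probe types the report lists, plus the ZmEu and Nmap user-agent strings), and a constructed IP-to-country table standing in for a real GeoIP database; the log lines use documentation addresses and are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the common "combined" format (RFC 5737
# documentation addresses). Illustrative only; this is not SealBlock's traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Dec/2018:10:01:02 +0000] "GET /invoker/JMXInvokerServlet/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Dec/2018:10:01:05 +0000] "PUT /test.jsp HTTP/1.1" 405 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2018:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2018:10:02:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Dec/2018:10:02:40 +0000] "GET /administrator/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Dec/2018:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ZmEu"
192.0.2.44 - - [21/Dec/2018:10:03:01 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 404 162 "-" "ZmEu"
203.0.113.10 - - [21/Dec/2018:10:04:00 +0000] "GET /api/v1/balance HTTP/1.1" 200 512 "-" "ExampleWalletClient/1.0"
"""

# Constructed IP -> country table; a real analysis would query a GeoIP database.
GEO = {"203.0.113.10": "US", "198.51.100.7": "CN", "198.51.100.9": "CN", "192.0.2.44": "FR"}

# Detection signatures, grouped into the three categories the report uses.
# The patterns are assumed indicative paths/user-agents, not an exhaustive ruleset.
SIGNATURES = [
    ("vulnerability", "JBoss JMXInvokerServlet", lambda r: "/invoker/JMXInvokerServlet" in r["path"]),
    ("vulnerability", "WebLogic WSAT component", lambda r: r["path"].startswith("/wls-wsat/")),
    ("vulnerability", "Tomcat PUT upload (CVE-2017-12615 pattern)",
     lambda r: r["method"] == "PUT" and ".jsp" in r["path"].lower()),
    ("weak-auth", "WordPress admin", lambda r: r["path"].startswith(("/wp-login.php", "/wp-admin"))),
    ("weak-auth", "MySQL web admin tool", lambda r: "phpmyadmin" in r["path"].lower()),
    ("weak-auth", "Tomcat manager", lambda r: r["path"].startswith("/manager/")),
    ("weak-auth", "Joomla admin", lambda r: r["path"].startswith("/administrator")),
    ("scanner", "ZmEu", lambda r: "zmeu" in r["ua"].lower()),
    ("scanner", "Nmap NSE", lambda r: "nmap scripting engine" in r["ua"].lower()),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return every (category, signature name) pair the request matches."""
    return [(cat, name) for cat, name, test in SIGNATURES if test(rec)]


def analyze(log_text, geo=GEO):
    """Aggregate the log the way the report's Overview does: attack attempts,
    distinct attacker IPs, per-category and per-signature counts, and per-country counts."""
    attempts = 0
    attacker_ips = set()
    by_category, by_signature = Counter(), Counter()
    attempts_by_ip, attempts_by_country = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if not hits:
            continue  # ordinary client traffic, not counted as an attempt
        attempts += 1
        attacker_ips.add(rec["ip"])
        attempts_by_ip[rec["ip"]] += 1
        attempts_by_country[geo.get(rec["ip"], "unknown")] += 1
        for cat, name in hits:
            by_category[cat] += 1
            by_signature[name] += 1
    ips_by_country = Counter(geo.get(ip, "unknown") for ip in attacker_ips)
    return {
        "attempts": attempts,
        "attacker_ips": attacker_ips,
        "by_category": by_category,
        "by_signature": by_signature,
        "attempts_by_ip": attempts_by_ip,
        "attempts_by_country": attempts_by_country,
        "ips_by_country": ips_by_country,
    }


def share(counter):
    """Percentage share per key, rounded to one decimal (the report's '28.6 percent' style)."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 1) for k, v in counter.items()} if total else {}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['attempts']} attack attempts from {len(result['attacker_ips'])} IP addresses")
    print("by category:", dict(result["by_category"]))
    print("attempts by country:", dict(result["attempts_by_country"]))
    print("share of attacker IPs by country:", share(result["ips_by_country"]))
```

A request is counted as one attempt even when it matches several signatures (the ZmEu request for a WebLogic path counts once in the total but once in each category), which is the distinction to keep in mind when comparing a "total attempts" figure with per-category breakdowns.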

4. Conclusion

SealBlock hot wallet successfully defeated more than 47,000 attacks from all over the world over a period of six months. None of the crypto assets have been stolen. This strongly demonstrates that SealBlock hot wallet is indeed a very secure solution for the industry.

About SealBlock

SealBlock is a blockchain security project that originated in Silicon Valley in the United States. The core team members come from Microsoft Research, Tsinghua University, Cheung Kong Graduate School of Business, and other institutions, and have rich experience in trusted computing, hardware encryption, and blockchain finance. Based on next-generation hardware trusted computing technology, the SealBlock project builds a blockchain cryptocurrency infrastructure services platform that combines a level of security that holds even against malicious insiders with high convenience for real-time online transactions. It has released the industry's first enterprise-grade digital asset hot wallet solution and has provided digital asset security management services for many exchanges and mining facilities.

SKT, the utility token of the SealBlock platform, has been listed on EtherFlyer and Bilaxy exchanges:

EtherFlyer: https://www.etherflyer.com/trade.html?pairs=SKT-ETH

Bilaxy: https://bilaxy.com/exchange#symbol=189
