A keylogger can also be a channel through which a hacker obtains a user's details. Users must be aware of such malicious activity and protect themselves from losing their information. This section gives the user ideas and plans from SMEs for handling the situation.
If the main deployment is compromised, shut it down and re-deploy immediately.
Run anti-virus and anti-keylogger software to scan network devices.
Create an anti-phishing system that can detect malicious activity such as duplicating the code and deploying it in another environment. The user should be able to tell that such code is not from the original/official source.
Isolate the compromised system in a locked environment to perform root cause analysis (RCA).
Run a monitoring service that polls the deployment and notifies key parties whenever the hosted code changes.
Remove the infected account in the GitLab settings.
Inform all users and employees who will be impacted by the attack.
Perform a rapid DNS switchover to a site showing a "Down for Maintenance" status until the deployment is recovered.
Perform chain analysis to find the number of affected users.
Contact GitLab for help.
Is there any possibility of having a counter-cybercrime employee to hack the hackers?
Article about the hacker attack: https://decrypt.co/108015/nears-rainbow-bridge-blocks-another-attack-costing-hackers-5-ethereum
In order to find the solution and to learn the details of the risk that has occurred, the responder team is the first to be contacted.
Point of Contact: DEV or Network Ops
Point of Contact: Community outreach through any user forum
The risks discussed in this document are:
NEX open source vulnerabilities
Keylogger giving access to the NEX deployment
Password manager hacked
SON active keys exposed in configuration
If there is a possibility that active keys are exposed in the configuration, the following ideas can be considered as a solution.
QA process to detect any key exposure.
Proper code review has to be done before code merge to avoid conflicts.
Process in place to cycle active keys.
Use the active key of an Operator account on the server instead of the SON account's active key. Can custom_permission be used to limit the damage caused by any key?
Can config files be encrypted so that they can be accessed only via their own passphrase?
Is it possible to write the SON code so that it does not depend on the active key?
Is there any possibility of having certain config values come from environment variables?
Shut down the SON and change the active key.
Vote out the SON.
Use the Owner key to change the active key.
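For the QA idea above (detecting key exposure in configuration, as a check before merge or deployment), here is an added example in Python; it is not part of this document or of the SON code base. It assumes SON active keys are WIF-encoded 51-character base58check strings with the 0x80 version byte (as on Graphene-based chains); the option names and the sample key are constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l
WIF_RE = re.compile(r"\b5[HJK][1-9A-HJ-NP-Za-km-z]{49}\b")  # shape of an uncompressed WIF key

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # raises ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def wif_encode(secret32: bytes) -> str:
    payload = b"\x80" + secret32  # 0x80 version byte (assumed, as on Graphene-based chains)
    return b58encode(payload + checksum(payload))

def is_valid_wif(candidate: str) -> bool:  # only base58check-valid keys count as findings
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:-4]) == raw[-4:]

def find_exposed_keys(config_text: str) -> list:  # -> [(line number, redacted prefix)]
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for m in WIF_RE.finditer(line):
            if is_valid_wif(m.group(0)):
                hits.append((lineno, m.group(0)[:4] + "..."))  # never echo the key itself
    return hits

# Constructed sample: the key is derived from a fixed string and belongs to no real account.
SAMPLE_KEY = wif_encode(hashlib.sha256(b"constructed sample, not a real key").digest())
SAMPLE_CONFIG = (
    "# constructed SON config fragment; option names are assumptions\n"
    f"son-active-key = {SAMPLE_KEY}\n"  # should instead be read from an env variable
    "rpc-endpoint = 127.0.0.1:8090\n"
    "placeholder = 5J" + "a" * 49 + "\n"  # right shape but bad checksum: not flagged
)
```

Run find_exposed_keys over each config file in the QA pipeline and fail the merge or deployment when it returns any hit; the checksum test keeps look-alike strings from producing noise.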
In order to find the solution and to learn the details of the risk that has occurred, the responder team is the first to be contacted.
Point of Contact: SON operator
Point of Contact: The community, who can vote out the SON
NEX is an open source application, which might pave the way for security threats. This section gives the user some ideas for overcoming the issue.
Maintain a list of "endorsed" deployments (a URL list) to identify any unauthorized deployment.
Audit all the code, including smart contracts and sites, regularly.
Run penetration tests in the production environment related to NEX.
Alert the community about the invaders.
Is there any scope to build API nodes that can blacklist specific services?
In order to find the solution and to learn the details of the risk that has occurred, the responder team is the first to be contacted.
If any suspicious activity is observed, the observer can report it through any user forum. All users must be informed about it.
Point of contact: DevOps, NEX devs
A strong password is always recommended to keep accounts safe from hackers. Still, there are many software techniques in the industry to crack passwords and use them against their owners. As the world becomes digitalized, criminals are also getting smarter at acquiring our wealth. In case the password manager is hacked, the following ideas might help in overcoming the situation.
Keep a backup of all stored passwords.
Keep high-profile passwords secure and do not save them in the password manager.
If cloud services are in use, use a self-hosted backup.
Use a company-hosted password manager (Bitwarden) and enforce 2FA as one of the factors.
Users should use 2FA wherever possible.
Plan to change passwords periodically.
Inform all employees who will be affected by this disruption.
Use the backup to reset the passwords of all accounts.
In order to find the solution and to learn the details of the risk that has occurred, the responder team is the first to be contacted.
The employee whose credentials have been hacked should first inform the team of the details, so that action to stop the intruder can be taken.
Point of contact: Rily
Point of contact:
DevOps
System Admin