1. DNS/乗取/cream.finance

cream.finance seems to have changed its registrar to Cloudflare. -- ToshinoriMaeno 2021-03-21 01:45:31 /whois

Cream Finance Criticizes GoDaddy for DNS Attack https://tokenhell.com/cream-finance-criticizes-godaddy-for-dns-attack/

1.1. Postmortem

Postmortem Report of DNS Hijacking https://medium.com/cream-finance/postmortem-report-of-dns-hijacking-66ab9c6ce63d

The Japanese (translation?) contains mistranslations. -- ToshinoriMaeno 2021-03-20 02:39:47

Presumably this is waiting on GoDaddy's investigation.

1.2. Timeline

(in Taipei time, UTC +8)

    3/15, 7:30 pm: The website was down; users reported a website outage.
    3/15, 7:34 pm: The GoDaddy DNS CNAME record was not pointing to our hosting IP, consistent with the website outage.
    3/15, 7:35 pm: Updated the DNS A record to the correct IP; began root cause analysis. Noticed the phishing page for the first time.
    3/15, 7:43 pm: Noticed DNS cache pollution, consistent with user reports; began DNS migration to Cloudflare.
    3/15, 8:23 pm: Discovered that our GoDaddy login credentials were compromised and we could not log in.
    3/15, 8:45 pm: While attempting to regain access to our GoDaddy account, we contacted our friends at CoinGecko, CoinMarketCap and imToken to update our website link and put up warning messages.
    3/15, 8:55 pm: We set up a war room on Telegram to meet and discuss how to recover our DNS while keeping users' funds safe.
    3/15, 9:10 pm: We announced on Twitter that our domain was hijacked and warned users not to provide their seed phrase to anyone.
    3/15, 10:27 pm: PancakeSwap tweeted that their website was down too, and they suspected that they had encountered a similar situation to ours.
    3/15, 11:00 pm: We put up two alternative websites for users to continue using C.R.E.A.M. Finance.
    3/16, 00:49 am: We reclaimed ownership of the domain with the help of GoDaddy, and started to recover the service and ensure its security.
    3/16, 01:48 am: The website returned to normal, while some regions were still affected as DNS propagation continued.
    3/16, 02:26 am: We announced on Twitter that we had reclaimed domain ownership.
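The timeline above shows the first signal was a user-reported outage, followed by manual inspection of the CNAME and NS records. As an added illustration (not code from the postmortem or from C.R.E.A.M. Finance), the following Python checker parses `dig +noall +answer`-style output and compares it against a baseline of expected records, so that a CNAME, A or NS change of this kind is flagged by a monitor rather than by users. The domain names, IPs and dig output in it are constructed placeholders, not the real cream.finance records.

```python
"""Detect unexpected changes in a domain's public DNS records.

Added example: parses dig answer-section lines and compares the observed
record sets with an expected baseline. Every name and value below is a
constructed placeholder (example.test / 203.0.113.x), not real data.
"""
import re
from collections import defaultdict

# Baseline of the records we expect to see (constructed placeholder values).
EXPECTED = {
    ("app.example.test.", "CNAME"): {"hosting.example-cdn.test."},
    ("example.test.", "NS"): {"ns1.legit-dns.test.", "ns2.legit-dns.test."},
    ("example.test.", "A"): {"203.0.113.10"},
}

# Constructed sample of `dig +noall +answer` lines as they might look while
# the registrar account is in an attacker's hands: CNAME and NS repointed.
SAMPLE_DIG_OUTPUT = """\
app.example.test.   300  IN  CNAME  attacker-lander.example-bad.test.
example.test.       3600 IN  NS     ns1.attacker-dns.test.
example.test.       3600 IN  NS     ns2.attacker-dns.test.
example.test.       300  IN  A      203.0.113.10
"""

# owner  ttl  IN  type  rdata
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_dig_answers(text):
    """Return {(owner, rtype): set(rdata)} from dig answer-section lines.

    Comment lines (';') and unparseable lines are skipped; owner names,
    types and rdata are normalised to a single case so comparisons are
    not fooled by capitalisation differences between resolvers.
    """
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        records[(owner.lower(), rtype.upper())].add(rdata.strip().lower())
    return dict(records)


def detect_drift(expected, observed):
    """Compare observed record sets with the baseline.

    Returns a list of (owner, rtype, missing, unexpected) tuples, one per
    record set that differs; an empty list means no drift. A record set
    that is absent from the observed data counts as entirely missing.
    """
    findings = []
    for (owner, rtype), want in expected.items():
        got = observed.get((owner, rtype), set())
        missing = want - got
        unexpected = got - want
        if missing or unexpected:
            findings.append((owner, rtype, missing, unexpected))
    return findings


if __name__ == "__main__":
    observed = parse_dig_answers(SAMPLE_DIG_OUTPUT)
    for owner, rtype, missing, unexpected in detect_drift(EXPECTED, observed):
        print(f"DRIFT {rtype} {owner}: missing={sorted(missing)} "
              f"unexpected={sorted(unexpected)}")
```

In practice the input would come from a scheduled `dig +noall +answer` run against several public resolvers plus the TLD's delegation, since the cache pollution noted at 7:43 pm means different resolvers can return different answers for a while; alerting on any mismatch with the baseline gives an earlier signal than a user outage report. This only detects the effect of a registrar-account takeover at the DNS layer; the account itself still needs registrar lock and activity-log alerting.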

1.3. How It Affected Our Users

Our smart contracts remain safe along with user funds throughout this attack. The DNS hijacking only affected our website, and has nothing to do with our contracts. C.R.E.A.M. Finance user funds were SAFU throughout the event.

1.4. Investigation Progress

After bringing back the service, we’ve spent some time investigating how the attacker hijacked our DNS, and this is what we know:

We use Google SSO to access our GoDaddy account.
    No username or password could have been used to access our GoDaddy account.
    According to the activity log, our Google account was never compromised.

The first unusual behavior in the GoDaddy activity log is a password reset request sent to the attacker’s email address, but there is no record of an email address change.

We reproduced the scenario and found that if we sign in to GoDaddy with a Google account and change the email address, there is a record of the email address change, which is not what we experienced.
    We can access only part of the activity log on GoDaddy. An unexpected error shows up when we try to access all the logs.

PancakeSwap also used GoDaddy, and they confirm that it’s the same attacker IP in both of our activity logs.

We will update this post with any additional findings as they become available.

1.5. Final Words

Please remember that we will never ask you to submit any private key or seed phrases! We appreciate your patience throughout this process, and thank you all for being part of the C.R.E.A.M community.

1.6. The registrar's responsibility

It is on record that the cream.finance account at the registrar was stolen and the NS and other records were rewritten.

The question is how the account was stolen. If it were a simple password leak, one could argue that the responsibility lies with the Cream side, but that does not seem to be the case.

In any case, a careful examination of the records held by the registrar should make it clear. If no such report is produced, the registrar cannot escape responsibility.

-- ToshinoriMaeno 2021-03-20 11:58:27

MoinQ: DNS/乗取/cream.finance (last edited 2021-03-26 02:23:34 by ToshinoriMaeno)