As the opening ceremony of the 2024 Paris Summer Olympics fast approaches, organizers are immersed in intense preparations on the cyber front. Such a prominent, international event makes for a vast attack surface that holds enticing opportunities for cybercriminals.

As it stands, the 2024 Olympic and Paralympics are currently projected to boast a count of 9.7 million spectators across 40 official sites. While France will enjoy the global spotlight for nearly two months, every aspect of planning and hosting the Games requires cybersecurity to be a top priority for the organizers.

In this blog post, we discuss the evolution of cyber threats that have played out over the last two decades and how they will inform the digital security of this year’s Games, including threat techniques, current geopolitical motivations, and effective countermeasures available.

A Timeline of Attacks

The spirit of competition and athletic celebration may unfold on Olympic grounds, but another type of race between threat actors and cybersecurity teams runs parallel, away from the main stages. Cybersecurity threats and attacks have loomed over the past two decades’ worth of Games, affecting athletes, attendees, and the underlying digital infrastructure that sustains the Olympics. Here are some of the most infamous cyber activities from the past seven Games showcasing various cyber challenges that Paris game planners may face:

2008 Summer Olympics (Beijing, China)

The Beijing 2008 Olympic Games marked the first instance of publicly reported malicious cyber operations during the Olympics. A cyber espionage campaign known as “Operation Shady Rat” targeted the International Olympic Committee (IOC) and various Western and Asian Olympic Committees. Possibly focused on information gathering, this campaign spanned from 2006 to 2011 and included the targeting of the World Anti-Doping Agency (WADA) in August 2009. Although the ultimate goal is still unclear, the operation has been associated with Chinese state-sponsored cyber activities.

The Beijing Olympics also witnessed lucrative malicious operations, including fraudulent ticket websites, spear phishing, and deceptive streaming platforms. These activities were attributed to opportunistic intrusion efforts, all capitalizing on the illicit money-making opportunities presented by the major event.

2012 Summer Olympics (London, United Kingdom)

While cyber incidents had been observed in previous editions, the 2012 London Olympics brought the notion of cyber threats into sharp focus for the Olympic community. Of the 212 million cyberattacks mounted during the event, a notable 40-minute distributed denial-of-service (DDoS) attack disrupted the power systems of the Olympic Park on the second day of the Games.

Opportunistic actors also engaged in lucrative malicious operations that impacted the public, employing phishing campaigns that enticed individuals with a chance to win free airline tickets for the London Summer Olympic Games by participating in a fake survey.

2014 Winter Olympics (Sochi, Russia)

Leading up to the Sochi Olympics, there were indications of cyber threats, raising concerns about the security of IT systems. Reports shortly surfaced that cyber espionage activities were targeting various organizations associated with the Olympics. The U.S. State Department issued a travel alert for the 2014 Sochi Winter Olympics, cautioning U.S. travelers about cybersecurity threats in the region. The alert specifically advised individuals to exercise caution when sharing sensitive or personal information on Russian electronic communication networks.

Following the Winter Olympics in Russia, an open-source report highlighted a cyber espionage campaign, accusing Russian intelligence services of gathering information on Olympic organizations, judges, journalists, spectators, and athletes.

2016 Summer Olympics (Rio de Janeiro, Brazil)

Before the Rio Olympics, concerns were voiced regarding the security of IT systems, including the potential for DDoS attacks. While the event itself did not witness any significant cybersecurity incidents reported, affiliated organizations saw a series of long-duration (540 Gbps) DDoS attacks in the months leading up to the Games.

Also of note, a sophisticated cyberespionage campaign orchestrated by APT28, an intrusion set associated with Russian military intelligence (GRU), was revealed by the World Anti-Doping Agency (WADA) two months after the Games. Hacktivist groups, including Anonymous Brazil, played a role in campaigns targeting the Brazilian Federal government and the Ministry of Sports, resulting in the exposure of personal and financial data.

Anonymous Brazil voiced grievances against the Games, citing insufficient investments in favelas and excessive spending on Rio 2016. Additionally, cybercrime operations targeted the public and organizations affiliated with the Rio Olympics, with security analysts noting an 83% increase in phishing URLs in Brazil before the Olympics, compared to a 13% increase globally.

2018 Winter Olympics (Pyeongchang, South Korea)

The opening ceremony of the Pyeongchang Winter Olympics witnessed a significant cyber attack that disrupted the event’s IT systems, including Wi-Fi, ticketing, and the official website. This attack was strategically designed to create chaos by destroying data and disrupting essential operations.

Executed through the malicious worm dubbed “Olympic Destroyer”, the official Olympic website was taken offline and the Wi-Fi service within the stadium was rendered inoperable. As well, live broadcast systems faced disruptions, leading to the denial of access to ticket printing for many spectators during the opening ceremony.

2021 Summer Olympics (Tokyo, Japan)

The Tokyo Olympics, rescheduled by a year due to the COVID-19 pandemic, emerged as a lucrative target for cyber attacks. The event witnessed a staggering 450 million cyber threats, a figure two and a half times higher than the reported number of cyberattacks during the London Olympics in 2012. Most notably, researchers uncovered a phishing attempt during the Tokyo Olympics, where cybercriminals were selling the “Olympic Games Official Token”. Invention of this fake “token” revealed that cyber criminals were testing new and sophisticated schemes to target individuals.

A year before the Games, reports of an espionage campaign attributed to the GRU-linked Sandworm APT, targeting officials and organizations involved in the Tokyo Olympics. In addition, threat actors sought to deploy wipers configured to specifically target Japanese-set computers and erase sensitive files.

2022 Winter Olympics (Beijing, China)

Prior to the Winter Olympics, the FBI recommended that athletes use temporary cell phones instead of personal devices, cautioning against the use of personal data on these temporary devices. Researchers identified vulnerabilities in the Chinese application My2022, mandatory for all attendees to install on their mobile devices during the Olympics. Exploiting these vulnerabilities could potentially grant access to personal and medical data.

Understanding the Geopolitical Discord Amongst Olympic Participants

Geopolitical tensions cast a profound shadow of influence on the Olympic Games, significantly impacting both the event’s dynamics and its cybersecurity landscape. Since the Olympics provide a global stage, it often becomes a battleground for nations to express political ideologies, ambitions, and conflicts.

Heightened geopolitical tensions amplify the attractiveness of the Olympics as a target for cyber threats. State-sponsored actors often exploit vulnerabilities in digital infrastructures to extend their target far beyond the organizing committees to reach athletes, spectators, and affiliated organizations, too.

Impact of the Russian War on Ukraine

Between 2018 and 2022, Russia faced an Olympic ban, preventing its participation under its national flag due to a state-sponsored doping scheme involving Russian athletes during the 2014 Sochi Games. This ban mirrored the decision taken by the International Olympic Committee (IOC) and the World Anti-Doping Agency (WADA) in 2014, which resonates in the 2024 Paris Olympics ban on Russia and Belarus following their 2022 invasion of Ukraine.

The suspension of the Russian Olympic Committee resulted from its oversight of sport organizations in four occupied Ukrainian regions. While Russia and Belarus athletes are permitted by the IOC to compete as “Neutral Individual Athletes”, geopolitical tensions raise concerns about potential retaliatory cyber operations.

Amidst France’s support for Ukraine in its defensive stance against Russia, there’s a looming possibility that the 2024 Paris Olympics could become a target for Russian and/or Belarus cyber operations. These operations, acting as potential retaliation measures, might come to pass as acts of disruption and sabotage with the aim of undermining France’s international reputation.

Impact of the Azerbaijan-Armenia Border Conflict

France’s involvement in the Azerbaijan-Armenia (Nagorno-Karabakh) conflict has faced criticism from Azerbaijan for its perceived bias towards Armenia. In November 2023, French state digital watchdog, Vignium, linked a disinformation campaign smearing the Paris 2024 Olympic games to Azerbaijani-based actors. Their investigation in late July was prompted by the widespread sharing on X of visuals urging a boycott of the 2024 Olympics.

The campaign utilized images depicting riots, the city of Paris, and the Olympic Games logo, employing three official X accounts of the Games and two hashtags, #paris2024 and #boycottparis2024. Between July 26 and 27, over 1,600 posts featuring these visuals or hashtags surfaced on X, with around 90 accounts believed to be involved in what the report called “artificial amplification”.

The Risks Targeting the Olympic Podium

Since at least Beijing 2008, past Olympic Games have become targets for offensive cyber operations, driven by motives ranging from cyber espionage, destabilization, or economic gain. The upcoming Paris 2024 Games could face a spectrum of malicious cyber operations, ranging from campaigns focused on destabilization, through influence campaigns, malware, and data extortion, to those centered on disruption, including DDoS attacks and disinformation.

Persistent cyber crimes also pose an ongoing risk to the Olympics. These opportunistic crimes exploit the event’s popularity, targeting diverse victims, from the general public to partners and organizers. Lucrative campaigns enticing spectators are much more likely to dish out Olympics-themed phishing, malicious apps, and typosquatted websites mimicking platforms related to reselling, ticketing, or betting activities.

What Solutions Are In Place to Protect the Paris 2024 Games?

To counter the growing concerns for cyberattacks, French authorities are taking concerted measures to secure this year’s Games. Notably, the ANSSI cybersecurity agency is set to collaborate with its Japanese counterpart, the NISC (National Center of Incident Readiness and Strategy for Cybersecurity). This partnership fosters improved dialogue and the exchange of cybersecurity insights, drawing from experiences in other major sporting events.

The COJO (Organizing Committee for the Olympic Games) has also rolled out a cybersecurity strategy based on four pillars: education, training, anticipation, and coordination. Other key parts of their defenses include:

• Awareness-raising events – According to Franz Regul, CISO for the Paris 2024 Games, training courses promoting cyber awareness will be set to combat phishing, spam, online scams which represent the initial means of compromise to 80% of cyberattacks.
• Security Operations Center (SOC) – The newly established SOC will be tasked with continuously monitoring all Olympic digital ecosystems. SO far, ANSSI has budgeted 17 million euros towards SOC services, which will revolve around nearly 12000 workstations spread across security sites for the duration of the Games.
• AI-based tools – The SOC will use AI-based tools to detect signs of suspicious or malicious activity, track signs of compromise, and orchestrate incident response.
• Olympic Management System (OMS) – The OMS manages access to events with all requests submitted to the Service National des Enquêtes Administratives de Sécurité (SNEAS) for final approval and badge issuing.
• Olympic Diffusion Systems (ODS) – This application is dedicated to disseminating information and results in real time to the media and spectators to avoid any misinformation.
• Improved ticket sales policies –
  • A hopeful buyer has only 48 hours to buy their ticket after being selected by random draw in order to streamline online traffic. Only 30 tickets may be purchased per account to mitigate mass resales.
  • All resales must be conducted via the official resale site to prevent forgery and manage existing tickets.
  • Tickets are 100% digital and will only be sent to purchasers a few weeks before the start of the event.

Applying Cybersecurity Lessons Learned for Paris 2024

For Paris 2024, preparing for cybersecurity threats involves a multi-faceted approach combining a mix of infrastructure security, data protection, and collaboration.

Infrastructure & Network Security

The IT infrastructure of the Paris 2024 Olympics includes a complex network of systems handling everything from scoring and timing to broadcasting and ticketing. Protecting this infrastructure involves deploying advanced network security solutions, including intrusion detection systems, firewalls, and real-time monitoring tools through security operation centers (SOCs).

Data Protection & Privacy

With the vast amount of personal data processed during the Olympics, including that of athletes, officials, and spectators, data protection and privacy are critical. This involves implementing stringent data security measures, such as advanced encryption, robust access controls, and continuous monitoring for data breaches. Compliance with international data protection regulations, such as the GDPR, is also crucial.

Global Cybersecurity Alliances

Cybersecurity for such a massive event cannot be siloed. Collaboration among various international entities, including cybersecurity firms, government agencies, and international sports bodies, is essential. This collaboration involves sharing intelligence on emerging cyber threats and best practices for mitigation.

The organizing committee of Paris 2024 is working in tandem with international cybersecurity organizations, leveraging their expertise and resources. These alliances enable the sharing of intelligence on emerging cyber threats and coordinated responses to potential attacks.

Advanced Cyber Defense Technologies

In anticipation of the 2024 Summer Olympics, Paris is gearing up for heightened, AI-based technological surveillance. The French government will be deploying an extensive network of cameras integrated with artificial intelligence (AI) tasked to closely watch over crowds and public areas and alert authorities to any signs of suspicious activity.

The recently approved Loi JO 2024 legislation, enacted earlier in 2023 permits the real-time application of algorithmic analysis to camera footage, enabling the identification of predetermined events that may pose a threat to public order. The surveillance system is slated to operate until March 2025, extending its functionality for six months after the close of the Games.

Simulation & Response Planning

GICAT (Group of French Industries for Land and Air-land Defense and Security), one of many tech solution providers associated with the Games, has confirmed nearly eight billion cybersecurity tests. These simulations, often referred to as red teaming, involve mimicking real-world cyberattacks to test the resilience of the cybersecurity infrastructure. This proactive approach allows the cybersecurity team to identify vulnerabilities and refine their response strategies, ensuring they are well-prepared for various attack scenarios.

Conclusion

The cybersecurity framework for Paris 2024 is not just about safeguarding IT infrastructure; it’s about protecting the very essence of the Olympic spirit — fair play, honor, and global unity. Cyber threats not only pose a risk to the operational aspects of the Games but also threaten the safety and privacy of the participants and spectators.

The Paris 2024 Olympics presents a unique set of challenges and opportunities in cybersecurity. As we move closer to this international spectacle, security leaders and game organizations will continue to glean the lessons learned from past Olympics and prepare for both opportunities and advanced persistent threats.

SentinelOne is trusted by global enterprises and organizations responsible for safeguarding large-scale events with complex security requirements. To learn more about how SentinelOne protects digital ecosystems through AI-driven detection and response capabilities, deep visibility, and data enrichment, contact us today or book a demo.

The Good | Multimillion Dollar Cryptojacking Scammer Arrested In Joint Europol Operation

After creating a million virtual servers to mine €1.8 million in stolen cryptocurrency, the kingpin behind the illicit operation has been apprehended in their native Ukraine. The 29-year old individual stands accused of orchestrating a sophisticated cryptojacking scheme before being caught by the National Police of Ukraine, assisted by Europol and an unnamed cloud service provider.

The joint investigation began in January 2023 when a cloud provider informed Europol about compromised user accounts. The agency shared this intelligence with Ukrainian authorities,  with reports noting that the accused had been infecting a prominent e-commerce company’s servers with a miner virus since at least 2021, utilizing custom brute-force tools to infiltrate 1,500 accounts.

Subsequently, the hacker accessed the service’s management through the compromised accounts, creating over one million virtual computers to sustain the cryptojacking operation. Ukrainian authorities confirmed that the suspect utilized TON cryptocurrency wallets to transfer the illicit proceeds.

Cryptojacking involves the unauthorized use of a victim’s computing resources to mine cryptocurrencies. In cloud environments, attackers typically gain access through compromised credentials and installing miners that leverage the host’s processing power for mining without consent. This allows the attacker to sidestep the usual fees associated with mining infrastructure through the abuse of free trials or by compromising legitimate tenants.

Given that cryptojackers often exploit flaws in cloud platforms for initial compromise, maintaining continuous monitoring methods and regular patch management can help safeguard systems against external threats. To guard against crypto-centric attacks, look for unusual activity such as irregular spikes in resource usage and consider implementing role based access control and zero-trust policies to protect administrative privileges from abuse.

The Bad | High Profile Victims Plunged Into New Custom COLDRIVER Phishing Malware

The next iteration of a Russia-linked threat actor dubbed COLDRIVER has surfaced, delivering its first-ever custom malware coded in Rust to extend past its usual credential harvesting tradecraft.

In the latest report on their tactics, COLDRIVER’s evolution uses PDFs as decoy documents to initiate the infection sequence. Sent from impersonation accounts, the PDFs are aimed to engage high-profile targets in the U.K., U.S., and other NATO countries, as well as those neighboring Russia.

The documents are disguised as op-eds or articles seeking feedback and display encrypted text to the recipient. This is meant to prompt the victim into replying that the document cannot be read, after which the threat actor provides a malicious link to a supposed-decryptor tool called Proton-decrypter.exe.

The decryption tool is actually a backdoor named SPICA, marking COLDRIVER’s first custom malware. SPICA employs JSON over WebSockets for command-and-control (C2), then enabling the execution of commands, cookie theft from web browsers, file uploading and downloading, and file enumeration and exfiltration.

Security researchers note that there is currently no visibility into how many victims have been successfully compromised with SPICA as it has only been used in limited, targeted attacks. So far through, all victims are from critical sectors including NGOs, defense, academia, think tanks, and energy facilities.

This development follows the recent sanctioning of two Russian nationals associated with COLDRIVER. The threat actors have been active since 2015 and continue to focus on open-source intelligence (OSINT) and social engineering skills to develop their spear-phishing attacks. As of December 2023, U.S. authorities are offering a $10 million reward for information leading to the arrest of COLDRIVER members.

The Ugly | Citrix Customers Urged to Patch Against Two Exploited Zero-Day Vulnerabilities

Citrix NetScaler ADC and NetScaler Gateway customers were warned this week of two zero-day vulnerabilities being actively exploited in the wild. The first of the two, tracked as CVE-2023-6548 with a CVSS score of 5.5, is a code injection flaw that allows authenticated (low privilege) remote code execution (RCE) on Management Interface. The second, tracked as CVE-2023-6549 with a CVSS score of 8.2, is a buffer overflow flaw that could be exploited for denial of service (DoS) attacks if the appliance is configured as a Gateway or authorization and accounting, or AAA, virtual server.

Citrix’s security notice urges NetScaler ADC and NetScaler Gateway version 12.1 users to upgrade their appliances to a supported version that patches the flaws. Users that cannot deploy the updates immediately are advised to remove exposure of the management interface to the internet to reduce the risk of exploitation and block network traffic to affected instances. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.

CVE-2023-6548 & 6549: Two new Citrix Netscaler zero-days exploited in attacks https://t.co/Q75ll4yjtK

— Nicolas Krassas (@Dinosn) January 17, 2024

CISA has mandated U.S. federal agencies to secure their systems against both Citrix vulnerabilities, emphasizing the high risk they pose to federal enterprise security. The directive requires patching CVE-2023-6548 by January 24 while CVE-2023-6549 must be mitigated within three weeks by February 7. While the directive applies to federal agencies, CISA encourages all organizations, including private companies, to prioritize patching these listed vulnerabilities. Not three months ago, another Citrix flaw dubbed “Citrix Bleed” (tracked as CVE-2023-4966) made headlines after being leveraged by notorious ransomware affiliates of the LockBit group to attack government organizations and high-value tech companies worldwide.

For the third year in a row, SentinelOne has again been recognized as a Leader in the 2023 Gartner Magic Quadrant for Endpoint Protection Platforms. At SentinelOne, our priority is to keep our customers safe with continuous innovation, and Gartner’s recognition reflects our distinctive, leading ability to protect the entire enterprise from evolving threats like ransomware.

Since disrupting the EDR market with our AI-powered Singularity Platform, we’ve continued to lead the industry in comprehensive security, protecting organizations of all sizes across any endpoint, on every cloud, and for every operating system. Supercharged with Purple AI and threat intelligence, complemented by a robust portfolio of managed services, and built on top of the most performative Data Lake in the market, SentinelOne’s Singularity Platform empowers customers with the most powerful security solution available today.

With Singularity Endpoint, customers gain best-in-class endpoint protection and a central, unified portal to manage configurations and real-time monitoring. Let’s take a closer look at what this recognition tells customers about SentinelOne.

Rapid, Endpoint Security Innovation

Proven innovation with best-in-class endpoint protection, detection, and response. Challenged by sophisticated attackers and tasked with protecting an ever-expanding digital footprint, security teams need to seamlessly understand and protect the entire attack surface against breaches.

SentinelOne’s unique single agent provides dynamic device discovery, and our unified console provides analysts with unmatched visibility, vulnerability management, real-time monitoring, rollback capabilities, and advanced deception tools.

AI-Powered EDR

AI-powered autonomous detection and response against malware, ransomware, and emergent threats across all potential attack paths. Accelerate incident resolution so security teams can focus on critical risks and proactive posture management.

At SentinelOne, AI has been central in everything we do from the start – built into detections, our intelligence, and our agent. Now, with Purple AI, the industry’s first AI security solution, every analyst is also empowered to detect threats earlier, respond faster, and stay ahead of attackers.

One Unified, Central Data Lake

Security is a team sport, but it is also a big data sport. Singularity Data Lake forms the backbone of every SentinelOne product – ensuring a robust, scalable, predictable, and cost-effective solution to ingestion, normalization, and retention.

Wrangling data is one thing, but visualization is the key to unlocking critical trends and insights in your data. The Singularity Platform provides security and log analytics capabilities in one centralized platform – the only true unified security analytics platform in the market – capable of combining SIEM, XDR, EDR, and Cloud in a single experience.

Protect the Entire Enterprise

While the endpoint remains a targeted entry-point for many attackers, as threats such as ransomware continue to increase in frequency, speed, and complexity, organizations can no longer think of security in silos. Integration is key to protecting the perimeter and SentinelOne remains committed to providing customers with solutions to protect the entire enterprise.

The Singularity Platform spans endpoint, cloud, data, and identity and enriches investigations with threat intelligence and the power of generative AI. As evidenced by the 2023 Gartner Magic Quadrant for Endpoint Protection Platforms, SentinelOne continues to grow and scale, leading in innovation and vision and further developing the solid foundation of secure business that customers know and trust.

Our platform’s versatility is also evident in the industry’s broadest platform support which include:

• Windows: From legacy systems like Windows XP to the latest Windows Pro and Windows Server editions, we ensure robust protection against evolving threats in the most widely used operating system.
• macOS: Recognizing the growing popularity of Apple’s macOS in enterprise environments, we have a long-track record of emphasizing protection for this operating system. We are proud of our macOS advanced security features tailored to its unique ecosystem.
• Linux: Our platform extends to numerous Linux families, catering to the diverse needs of Linux users and administrators, with special attention to enterprise-level deployments and server environments.
• Android and iOS: In the mobile domain, we cover both Android and iOS platforms, acknowledging the critical role smartphones and tablets play in today’s business operations.
• eBPF for Linux: Embracing the cutting-edge extended Berkeley Packet Filter (eBPF) technology, we provide enhanced security measures for modern Linux systems, ensuring high performance and advanced capabilities.
• NetApp ONTAP: For businesses leveraging NetApp’s data management solutions, our security extends to the ONTAP operating system, safeguarding critical data storage and management activities.
• Cloud Platforms: We offer specialized protections for cloud-based environments, including those running on AWS, Azure, and Google Cloud Platform, ensuring a secure cloud presence.

A Trusted Partner to Businesses Around the Globe

More than 11,500 organizations around the globe trust SentinelOne as their partner for security – including Fortune 10, Fortune 500, and Global 2000 companies. That’s why we’re so proud of being one of the highest-ranked vendors in the 2023 Gartner Peer Insights Voice of the Customer Endpoint Protection Platforms and recognized as a “2023 Customer’s Choice.”

Learn more about the Singularity Platform and how SentinelOne can help your business accelerate securely into the future knowing that the tools are in place to prevent breaches. Request a demo today and see how the industry’s only true Security Operations Center is ready for the challenges of today, and tomorrow, empowering your teams to operate at machine-speed and global, cloud scale.

A recent wave of Twitter/X account takeover attacks has seen multiple high-profile social media accounts compromised and used to spread malicious content aimed at stealing cryptocurrency.  The attacks use a family of malware known as crypto-drainers and often supplied through Drainer-as-a-Service (DaaS) platforms.  Some recent high-profile victims include the SEC and Mandiant.

Crypto Drainers and Drainers as a Service have received little attention from security researchers to date despite having been around since at least 2021. In this post, we turn the spotlight on Crypto Drainers and DaaS to raise awareness of this family of threats and how it impacts organizations.

Introduction to DaaS and Crypto Drainers

A crypto drainer is a malicious tool or script that is specially designed to transfer or redirect cryptocurrency from a victim’s wallet to that under the control of an attacker. Drainers targeting MetaMask first appeared around 2021, where they were openly marketed in underground forums and marketplaces.

However, drainers and drainer-style attacks can exist in several forms. Malicious smart contracts may contain hidden functionality to trigger unauthorized transfers. Other forms of drainers may exploit NFT or Token-based triggers to generate fake resources that in turn facilitate the hidden and unauthorized transfer of cryptocurrencies.

Crypto drainers are often provided through a Drainer-as-a-Service model, with DaaS vendors offering software and support to cybercriminals for a percentage of the stolen funds. Services typically offered by a modern DaaS include

1. Turnkey crypto-draining scripts
2. Customizable smart contracts
3. Phishing kits and social engineering services
4. Premium OPSEC or security and anonymity services
5. Integration assistance and mixing/obfuscation
6. Ongoing updates, maintenance and technical support.

Turnkey or ready-to-use crypto draining scripts, for example, are used to facilitate the automation of draining cryptocurrency from target wallets. They are structured to be simple to understand and deploy, with little to no previous knowledge required.

The stolen cryptocurrency is split between affiliates (users of the DaaS) and the Daas operators. Typically operators take anywhere between 5% and 25% of the cut, depending on the services provided.

The Threat of Account Takeover Attacks

Crypto draining can be hugely profitable for threat actors when they successfully take over high-profile social media accounts and use these to push malicious content to large audiences from what appears to be a trusted source as recently happened to Mandiant and the U.S. Securities and Exchange Commission.

Other high-profile account takeovers include CertiK and Bloomberg Crypto. In late December, it was reported that a crypto drainer stole $59 million from 63,000 individuals using over 10,000 phishing websites.

These attacks typically begin with a brute-force password attack. This involves systematically attempting all possible passwords until the correct one is found. Accounts that lack 2FA or MFA are particularly vulnerable to this kind of attack.

Once an attacker gains access to the account, they are able to distribute phishing links to websites hosting drainers. For example, they may post content from the account offering free NFTs or other rewards to people who visit the site and sign a transaction. Unwitting victims, believing they will receive something of worth, are all too ready to connect their wallets, little knowing that the site contains a drainer script to empty their wallets.

Attackers use platforms like X, Telegram and Discord to spread their phishing links, leveraging the trust and reach of the respected but compromised accounts to target more victims.

Anatomy of an Attack | the CLINKSINK Drainer

In the Mandiant incident, attackers used malware called CLINKSINK, an obfuscated JavaScript drainer lying in wait for victims who fell for phishing links with cryptocurrency-themed lures. These lures often masquerade as legitimate cryptocurrency resources including BONK, DappRadar and Phantom.

Victims are enticed to connect their wallets in order to claim an ‘airdrop’ – a distribution of tokens or coins to other wallet addresses as a reward or promotion. They are then asked to sign a ‘transaction’ to complete the transfer. This is the crucial step for the crypto thieves as it involves the victim using their private key to authenticate themselves on the blockchain network. If the user completes this step, the crypto draining can then proceed to transfer the contents of the victim’s wallet to their own.

Mandiant says that it identified 42 unique wallet addresses used to receive stolen funds in recent CLINKSINK campaigns like the one associated with its recent Twitter/X account takeover. A number of different DaaS offerings use the CLINKSINK malware, and it is not clear at this time which DaaS may have been involved with the particular incident relating to Mandiant.

Crypto Drainers Are on the Increase

Crypto drainers have become increasingly prominent since 2023 and many are now advertised across underground markets and Telegram channels. Mandiant identified Chick Drainer and Rainbow Drainer as two DaaS offerings using CLINKSINK. However, it is also suspected that the CLINKSINK source code may have leaked and be in use by multiple other threat actors.

Two other DaaS offerings that are being widely and openly marketed are Angel Drainer and Rugging’s Multi-chain Drainer.

Angel Drainer is a Daas that emerged around August 2023, offering tools and services that were simultaneously advertised across Telegram by known threat actors such as GhostSec. Aside from taking a 20% cut, the operators also require affiliates to make an initial deposit of between $5000 and $10000.

Rugging’s Multi-chain Drainer is another offering that claims to support 20 different crypto platforms. The operators try to entice affiliates by offering low fees, around 5-10% of the affiliates gains.

Preventing Drainer Attacks

Although crypto drainers primarily aim to steal crypto assets from individuals, enterprises and organizations should be alert as their social media accounts can become part of the attack chain. Employees or business units within the organization that deal with cryptocurrency assets could also be at risk.

To combat the threat of attacks from crypto drainers, it is important to ensure that 2FA or MFA is enabled for all social media accounts. Cryptocurrency users are advised to exercise the same kind of caution and be alert for social engineering attempts with NFTs, ‘airdrops’ and other crypto advertisements as they would with emails and other communication channels. Users should also consider adopting hardware-based wallets for added security.

Conclusion

Low skill, low risk, high reward, like Ransomware-as-a-Service (Raas) before it, Drainer-as-a-Service offers those with malicious intent an easy avenue into the crimeware ecosystem. And, as with Raas offerings before, we will not be surprised to see competition among DaaS operators result in a race-to-the-bottom price-wise, tempting even more into malicious activity.

Credentials and access to social media accounts should be treated to the same security considerations as other business services as even temporary access to a businesses’ social media audience can now be used to cause harm much greater than just defacement or denial of service. To learn about how SentinelOne can help protect your organization, contact us or request a free demo.