Crypto firm sustains API attack.
By Tim Nodar, CyberWire senior staff writer
Nov 21, 2023

Security experts draw lessons from an attack that exploited a cryptocurrency trader's API keys.

Crypto firm sustains API attack.

A cryptocurrency trading firm says a cyberattack that exploited stolen API keys cost it 12,800 ETH, worth about $25 million. CoinTelegraph says, however, that the firm in question, Kronos Research, maintains that this doesn't represent a significant portion of its total equity. 

Firm suspends operations indefinitely, but remains “in good standing.”

The Taiwanese crypto company sustained the theft after an attacker gained unauthorized access to its API keys, reports. The company stated on Sunday, “[D]espite it being a sizable amount, Kronos remains in good standing. All losses will be covered internally, no partners will be affected.” Kronos halted its trading services on Saturday while it investigated the incident.

Security lessons from the attack on Kronos.

Jeannie Warner, Director of Product Marketing at Exabeam, draws some lessons about challenges related to APIs. “Three security challenges are apparent in this incident: designing secured API connections that strictly control authentication and authorization, compromised credentials, and distinguishing between normal and abnormal behavior. Valid credentials, potentially obtained from previous attacks or other incidents, likely provided the threat actors with potential access to sensitive data - in this case API keys. Private key exploits are proving to be one of the most common methods for attacking crypto wallets and systems. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins.”

Warner recommends ways of handling such issues. “Addressing these challenges necessitates comprehensive cybersecurity strategies. Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards such as hardening applications and API controls and employing multi-factor authentication, all contribute to a resilient defense against credential-based attacks. "It is unfortunate that Organizations should also be able to establish a clear behavioral baseline for users and devices on their network. Understanding “normal” behavior allows for the identification of deviations that may signify a compromise of the network. Businesses must make sure they strike a balance between security and business needs including API keys and enforcing transaction requirements by source and destination, and they must have the right monitoring and controls in place to protect sensitive personal information from unauthorized access.” 

Richard Bird, Chief Security Officer at Traceable AI, wrote to describe the incident as a “textbook API compromise.” He explained, “The event highlights the over-dependency almost all organizations have on the implied trust that they put into keys and credentials. Bad guys have shown over and over again that our reliance on, and faith in, these components is misplaced. If you don't have security solutions in place that help you not only understand what APIs you have but whether those APIs are doing what they are supposed to be doing, you really don't stand a chance against opportunistic hackers who exploit these obvious and well-understood weaknesses.” 

Jason Kent, Hacker in Residence at Cequence Security, agrees that in this case, there are some easy lessons to be learned. “It isn’t often the worst-case scenario presents itself in such a concise manner that we all can learn a little something. First of all, fake account creation on any platform almost always leads to fraud. Allowing this attacker to have 6 accounts on a financial platform is the most obvious example of not defending against modern attacks. At a crypto company, you’d think the concept of a modern API Attack would be well understood. The second part is the API Keys that have persisted.”

Kent added, in emailed comments, “No matter how much the security teams preach that computers are good at repetitive tasks and can authenticate and regenerate API Keys with much tighter controls (only specific IPs, only specific certs, etc…), the operations teams beg for simplicity. Here you can see that a compromised key, that has high authority, led to the theft of $25M. It isn’t that hard to put in place security measures that are specific to persistent keys, things like MFA for transactions. Perhaps their $25M mistake will lead to much greater security in the rest of the financial world.”