On November 22nd, attackers began a campaign against Velodrome that ended in a DNS hijack, an attack on the Domain Name System, the backbone of internet navigation. Through a well-planned social engineering scheme against the domain registrar they gained control of Velodrome’s domain names and redirected users to phishing clones, leading to an estimated loss of up to $250,000. Beyond the financial damage, the incident raises hard questions about how well existing controls, at registrars and at domain owners, hold up against social engineering, DNS hijacking, and the rapid monetization of a hijacked domain.
In this post, we will take a closer look at the Velodrome incident, exploring how the attack unfolded, its impact, and most importantly, the valuable lessons it offers for enhancing cybersecurity. By the end, you’ll find insights and strategies that organizations can adopt to fortify their defenses against similar threats.
Background on DNS Attacks
The Domain Name System (DNS) is an essential component of the internet, acting as the phonebook of the web by translating human-friendly domain names into IP addresses that computers use to communicate. However, the DNS is also a prime target for cyber attacks.
A DNS attack can take several forms. The most common are DNS spoofing (cache poisoning), where attackers inject forged DNS data so that resolvers send traffic to fraudulent sites, and DNS hijacking, where they take control of the domain’s DNS itself, typically by compromising the registrar account or the authoritative nameservers and changing the delegation or the records.
DNS attacks are particularly dangerous because they can be hard to detect and have far-reaching implications. They can lead to the theft of sensitive information, distribution of malware, or even cause significant financial damage, as seen in numerous high-profile incidents.
For instance, the 2016 attack on the DNS provider Dyn, a large-scale DDoS against its authoritative servers, made major websites like Twitter and Netflix unreachable for hours, demonstrating the scale and impact an attack on DNS infrastructure can have.
These attacks exploit vulnerabilities in the DNS infrastructure or use social engineering to manipulate individuals into unknowingly assisting in the attack.
The Velodrome attack demonstrates the need for robust security measures to protect this vital part of the internet’s infrastructure.
An Overview of the Velodrome DNS Attack
The Velodrome DNS attack is a recent and alarming example of the vulnerabilities inherent in domain management and security.
Velodrome, operating in the decentralized finance sector, experienced a sophisticated DNS attack that resulted in substantial financial losses. The attack began on November 22nd, when the attackers first targeted the domain registrar with social engineering. After multiple failed attempts, they eventually gained control of the domain names by passing the registrar’s identity-verification (KYC) process with fake identities.
Once in control, the attackers swiftly changed the nameservers, redirecting traffic for the legitimate Velodrome and Aerodrome websites to malicious clones. The clones were built to trick users into connecting their crypto wallets and signing transactions, which transferred assets to wallets the attackers controlled. The attack was carefully orchestrated, with multiple receiving wallets spread across different blockchain networks.
The first indication of the breach came when the domain owner received an email from the registrar about the ownership change; shortly afterwards, user reports emerged that the websites were compromised. Velodrome’s team investigated, confirmed the attack, and moved quickly to contain it. Even so, the attack caused an estimated loss of up to $250,000 across the users who interacted with the counterfeit websites. The incident highlights the financial risk a DNS hijack carries for any service whose users trust its domain, and the importance of defenses at the registrar level, not just on the website itself.
Analysis of the Attack
The Velodrome DNS attack shows how attackers can bypass security measures, exploit organizational weaknesses, and use social engineering to execute a large-scale attack. This analysis, grounded in the incident timeline, looks at each of those layers in turn.
Technical Analysis: Bypassing Security Measures
The attackers first targeted the domain registrar, a strategic choice since registrars are the gatekeepers of domain names: whoever controls the registrar account controls the delegation. By gaining control of Velodrome’s domain names, they could reroute traffic to malicious sites, and they did so despite security protocols like two-factor authentication (2FA) being in place. Social engineering of the registrar’s identity-verification process, rather than any technical defeat of 2FA, was the route around it.
“The attacker…overriding 2FA and other security mechanisms”
More robust controls, such as Ownership / Vault Transfer protection, Security Notifications, and Enhanced Phishing Scans, are needed to withstand methods like these.
Organizational Weaknesses Exploited
A key organizational weakness was that the domain owner was not notified while the social engineering attempts were ongoing. The timeline shows multiple days of attempts before the successful takeover on November 28th, with no alert to the domain owner at any point.
“No notification of the domain owner that this attack is underway as it proceeds.”
This gap in communication and monitoring gave the attackers a prolonged window to refine and execute their strategy; an alert after the first failed identity verification would have let the owner warn the registrar and lock the account down before the attackers got their attempt right.
Social Engineering Aspect
The social engineering was pivotal. The attackers submitted fake identity verifications posing as Velodrome and Aerodrome, targeting the human element of the registrar’s security process.
“Ongoing attempts continue for multiple days, including multiple failed fake identity verifications.”
This tactic shows how attackers exploit human trust and procedural loopholes (an identity check that can be passed with a fake identity) to gain unauthorized access without breaking any technical control.
Role of the Domain Registrar and Delayed Responses
The registrar’s delayed response played a significant role in the attack’s success. The timeline shows a lag of roughly ten hours between the domain owner’s first attempt to report the takeover and the registrar’s actions to lock the account and begin recovery (times as given in the incident report):
3:09 First attempt to reach the registrar.
3:13 Second attempt.
5:05 Cloudfront abuse request confirmation received.
6:51, 8:31, 8:56, 8:57, 9:00, 9:02, 9:10, 9:15, 9:24, 9:30 Further attempts to reach the registrar.
9:31 The registrar returns the call.
After further communications throughout the morning, removal of the attackers’ nameservers is accepted:
“13:36 The registrar representative returns the call to assist with the KYC process and locks down the account. The KYC passes and the attacker nameservers’ removal is accepted.”
This delay gave the attackers ample time to keep traffic rerouted and drain more victims: the malicious nameservers stayed in place for roughly ten hours after the owner first reached out. It highlights the need for rapid-response protocols at registrars and for real-time monitoring on the owner’s side, so that the window between takeover and recovery shrinks from hours to minutes.
Enhancing Cybersecurity: Solutions and Strategies
Because the Velodrome DNS attack relied primarily on social engineering, it is clear that a multi-faceted approach to security is essential: advanced technical defenses, plus strategies that address the human and procedural weaknesses the attackers exploited.
Here’s how Domainsure’s specific services could have contributed to preventing such an attack:
Enhanced Phishing Scan
Domainsure’s enhanced phishing scan service could have played a role in early detection. Phishing scans look for fraudulent attempts to obtain sensitive information, such as usernames, passwords, or wallet approvals, by watching for lookalike domain registrations, copied page content, and brand impersonation in emails and websites.
In the Velodrome case the attackers social-engineered the registrar rather than phishing Velodrome’s own staff, so a phishing scan would not have seen the account takeover itself. Where it could have helped is in detecting the malicious clone sites as they were staged: a clone that imitates the Velodrome and Aerodrome front ends has to exist somewhere before the nameserver swap points real users at it.
That early detection could have alerted the Velodrome team, giving them time to warn users, request a takedown of the clone hosting, and put the registrar on notice before the attackers gained control of the domain names.
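The lookalike check at the heart of a phishing scan, as an added example written for this post rather than Domainsure’s scanner or Velodrome’s code. The brand domains (velodrome.finance and aerodrome.finance are assumed here, the post does not name them) and the feed of newly observed domains are constructed sample data; the classifier collapses common homoglyphs, then flags brand labels under other TLDs, embedded brand labels, and close typosquats.

```python
"""Lookalike-domain scan: flag newly observed domains that impersonate a brand.

Added example, not Domainsure's scanner or Velodrome's code. The brand list and the
'newly observed domains' feed are constructed sample data; velodrome.finance and
aerodrome.finance are assumed brand domains.
"""
from typing import Dict, List, Tuple

# Substitutions attackers use because the characters render alike in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e",
              "5": "s", "7": "t", "@": "a"}


def skeleton(label: str) -> str:
    """Collapse homoglyphs and hyphens so 've1odrome' and 'velo-drome' both become 'velodrome'."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, tld) for 'label.tld' names (no public-suffix list here)."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(candidate: str, brands: List[str], max_distance: int = 2) -> Tuple[str, str]:
    """Classify one observed domain as 'owned', 'suspicious' or 'clean', with a reason."""
    cand = candidate.lower().rstrip(".")
    for brand in brands:                      # the brand itself or one of its subdomains
        b = brand.lower().rstrip(".")
        if cand == b or cand.endswith("." + b):
            return "owned", f"is {brand} or a subdomain of it"
    c_label, c_tld = split_domain(cand)
    c_skel = skeleton(c_label)
    findings = []                             # (priority, reason); lowest priority wins
    for brand in brands:
        b_label, b_tld = split_domain(brand)
        b_skel = skeleton(b_label)
        if c_skel == b_skel:
            if c_tld != b_tld:
                findings.append((0, f"brand label '{b_label}' under a different TLD (.{c_tld})"))
            else:
                findings.append((0, f"homoglyph or hyphen variant of {brand}"))
        elif b_skel in c_skel:
            findings.append((1, f"embeds brand label '{b_label}'"))
        elif levenshtein(c_skel, b_skel) <= max_distance:
            findings.append((2, f"within edit distance {max_distance} of {brand}"))
    if findings:
        return "suspicious", min(findings)[1]
    return "clean", "no resemblance to a protected brand"


def scan(observed: List[str], brands: List[str]) -> Dict[str, str]:
    """Run classify() over a feed of newly seen domains and return {domain: verdict}."""
    return {d: classify(d, brands)[0] for d in observed}


if __name__ == "__main__":
    brands = ["velodrome.finance", "aerodrome.finance"]          # assumed brand domains
    feed = ["velodrome.finance", "ve1odrome.finance", "velodrome-app.finance",
            "aerodrome.fi", "velodrom.finance", "vault.example"]  # constructed feed
    for d in feed:
        print(d, *classify(d, brands))
```

In production the feed would come from certificate-transparency logs and newly registered domain lists rather than a hard-coded list, and a hit would trigger content fingerprinting of the candidate site; the classifier above is the part that decides what is worth looking at.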
NameServer & DNS Change Notifications
With constant monitoring and an audit trail of every change to a domain, combined with notification channels such as SMS, email, Slack, Mattermost, and a REST API, clients are notified immediately of any change to their current configuration.
In the Velodrome attack, the attackers gained control of the domain names through social engineering, and the first the owner heard of it was the registrar’s ownership-change email. With independent monitoring and notifications in place, even if attackers deceive the registrar’s verification process, they cannot alter nameservers or DNS settings without the owner being alerted as soon as the change is visible in DNS, which is what turns a ten-hour response into a matter of minutes.
Timely alerts are critical in a landscape where every second counts in mitigating cyber threats.
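What such a monitor does underneath, as an added example that is not Domainsure’s service or Velodrome’s code: it keeps a known-good baseline of the records that matter (NS and DS at the parent side of the delegation, plus the public A/AAAA/MX records), compares each fresh snapshot against it, and raises a severity-rated alert per record type. The domain, nameservers, addresses and DS record below are constructed; the optional live fetch uses dnspython and is the only part that touches the network.

```python
"""Nameserver / DNS change detection against a known-good baseline.

Added example, not Domainsure's monitoring service or Velodrome's code. The domain,
nameservers, addresses and DS record below are constructed sample data.
"""
from typing import Dict, List, Set

# Record types worth watching. NS and DS live at the parent (registry) side of the
# delegation: a change there hands the whole zone to whoever made it.
WATCHED = ("NS", "DS", "A", "AAAA", "MX")
SEVERITY = {"NS": "critical", "DS": "critical", "A": "high", "AAAA": "high", "MX": "high"}


def normalize_rdata(rtype: str, rdata: str) -> str:
    """Canonicalise rdata so 'NS1.Hosting.EXAMPLE.' and 'ns1.hosting.example' compare equal."""
    rdata = " ".join(rdata.split()).lower()
    if rtype in ("NS", "MX"):
        rdata = rdata.rstrip(".")
    return rdata


def parse_records(lines: List[str]) -> Dict[str, Set[str]]:
    """Parse zone-file style lines ('owner TTL IN TYPE RDATA') into {TYPE: {rdata, ...}}."""
    records: Dict[str, Set[str]] = {t: set() for t in WATCHED}
    for raw in lines:
        fields = raw.split(";", 1)[0].split()      # drop comments; blank lines give no fields
        if len(fields) < 5:
            continue
        rtype = fields[3].upper()
        if rtype in records:
            records[rtype].add(normalize_rdata(rtype, " ".join(fields[4:])))
    return records


def diff_records(baseline: Dict[str, Set[str]], observed: Dict[str, Set[str]]) -> List[dict]:
    """Return one alert per watched type whose record set drifted from the baseline."""
    alerts = []
    for rtype in WATCHED:
        added = observed.get(rtype, set()) - baseline.get(rtype, set())
        removed = baseline.get(rtype, set()) - observed.get(rtype, set())
        if added or removed:
            alerts.append({"type": rtype, "severity": SEVERITY[rtype],
                           "added": sorted(added), "removed": sorted(removed)})
    return alerts


def format_alert(domain: str, alert: dict) -> str:
    """One-line message for an SMS, Slack or webhook channel."""
    return (f"[{alert['severity'].upper()}] {domain} {alert['type']} changed: "
            f"added {', '.join(alert['added']) or 'none'}; removed {', '.join(alert['removed']) or 'none'}")


def live_records(domain: str) -> Dict[str, Set[str]]:
    """Fetch the watched record sets with dnspython (network; not used in the offline demo)."""
    import dns.resolver  # pip install dnspython
    records: Dict[str, Set[str]] = {t: set() for t in WATCHED}
    for rtype in WATCHED:
        try:
            answer = dns.resolver.resolve(domain, rtype)
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.resolver.NoNameservers):
            continue
        records[rtype] = {normalize_rdata(rtype, rr.to_text()) for rr in answer}
    return records


# Constructed baseline and a constructed snapshot of what a registrar-level hijack looks like:
# the NS set is swapped to attacker nameservers, the DS is gone, and the A record now points
# at the clone. MX is untouched, so it must not alert.
BASELINE = """
example-dex.test. 3600 IN NS ns1.hosting.example.
example-dex.test. 3600 IN NS ns2.hosting.example.
example-dex.test. 3600 IN DS 12345 13 2 8e7d6c5b4a39281706f5e4d3c2b1a0998877665544332211ffeeddccbbaa9988
example-dex.test.  300 IN A  192.0.2.10
example-dex.test.  300 IN MX 10 mail.hosting.example.
"""
HIJACKED = """
example-dex.test. 3600 IN NS ns1.attacker-dns.example.   ; attacker delegation
example-dex.test. 3600 IN NS ns2.attacker-dns.example.
example-dex.test.  300 IN A  198.51.100.77                 ; the phishing clone
example-dex.test.  300 IN MX 10 mail.hosting.example.
"""


def demo() -> List[dict]:
    """Diff the constructed hijacked snapshot against the constructed baseline."""
    return diff_records(parse_records(BASELINE.splitlines()), parse_records(HIJACKED.splitlines()))


if __name__ == "__main__":
    for a in demo():
        print(format_alert("example-dex.test", a))
```

Run from cron every few minutes with the baseline stored out of band (a registrar compromise must not be able to rewrite it), and treat any NS or DS alert as an incident rather than a notification: in the Velodrome timeline that single critical alert is the ten-hour gap the owner did not have.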
Set-and-Forget-DNSSEC (Domain Name System Security Extensions) is a service for protecting against DNS spoofing and cache poisoning.
DNSSEC signs DNS data so that validating resolvers can check that the answers they receive are authentic and unaltered, which stops an attacker from forging responses in transit or poisoning a resolver’s cache.
In the Velodrome case, however, the redirect happened at the registrar: the attackers changed the delegation itself. DNSSEC on its own does not stop that, because an attacker who controls the registrar account can also replace the DS record at the parent with one for their own key, or simply delete it, after which their zone validates (or is treated as unsigned) and the clone is served. DNSSEC therefore has to be paired with a registrar or registry lock on nameserver and DS changes and with monitoring that alerts on any DS change. With those in place, a nameserver swap that leaves the legitimate DS untouched causes validating resolvers to return SERVFAIL for the hijacked zone instead of the attackers’ clone, which turns a silent redirect into a visible outage.
The ‘set-and-forget’ aspect means that once configured, signing and key rollover continue automatically without manual intervention, which matters because missed rollovers are a common cause of DNSSEC outages and a reason domain owners switch it off.
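The DS-to-DNSKEY check that a validating resolver performs, and the three registrar-side outcomes described above, as an added example (not Domainsure’s service or Velodrome’s code). The owner name and the two 64-byte “public keys” are constructed placeholders, not real keys; the key tag and DS digest follow RFC 4034, so the functions also work on real DNSKEY RDATA.

```python
"""DS/DNSKEY chain check, and why DNSSEC alone does not stop a registrar takeover.

Added example, not Domainsure's service or Velodrome's code. The owner name and the
two public keys below are constructed placeholders, not real keys.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

DNSKey = Tuple[int, int, int, bytes]   # (flags, protocol, algorithm, public key)
DS = Tuple[int, int, int, str]         # (key tag, algorithm, digest type, hex digest)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DNSKey) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key (RFC 4034 2.1)."""
    flags, protocol, algorithm, pubkey = key
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKey, digest_type: int = 2) -> DS:
    """DS record for a DNSKEY: digest over owner-name wire form + DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), key[2], digest_type, digest)


def chain_status(parent_ds: List[DS], owner: str, child_keys: List[DNSKey]) -> str:
    """What a validating resolver concludes from the parent's DS set and the child's DNSKEYs.

    'secure'   a DS matches a DNSKEY the child serves; the chain of trust holds
    'bogus'    DS present but no DNSKEY matches; resolvers answer SERVFAIL
    'insecure' no DS at all; the zone is treated as unsigned and its answers are accepted
    """
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        for key in child_keys:
            if make_ds(owner, key, ds[2]) == ds:
                return "secure"
    return "bogus"


def simulate_takeover(owner: str = "example-dex.test") -> Dict[str, str]:
    """Outcomes of a registrar-side hijack of a signed zone (constructed placeholder keys)."""
    legit_ksk: DNSKey = (257, 3, 13, bytes(range(64)))          # placeholder, not a real key
    attacker_ksk: DNSKey = (257, 3, 13, bytes(range(64, 128)))  # placeholder, not a real key
    legit_ds = [make_ds(owner, legit_ksk)]
    return {
        "baseline": chain_status(legit_ds, owner, [legit_ksk]),
        # Only the NS delegation is swapped (DS changes locked at the registry): the
        # attacker's zone does not match the DS, so validating resolvers return SERVFAIL.
        "ns_swap_only": chain_status(legit_ds, owner, [attacker_ksk]),
        # Full registrar-account control: the attacker publishes a DS for their own key.
        "ds_replaced": chain_status([make_ds(owner, attacker_ksk)], owner, [attacker_ksk]),
        # Or simply deletes the DS: the zone becomes 'insecure' and the clone is served.
        "ds_removed": chain_status([], owner, [attacker_ksk]),
    }


if __name__ == "__main__":
    for scenario, status in simulate_takeover().items():
        print(f"{scenario:14} -> {status}")
```

Only the “ns_swap_only” scenario ends in SERVFAIL, and only for clients behind validating resolvers; that is the case a registry lock on DS changes preserves, and the reason DS monitoring belongs next to nameserver monitoring.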
Free Phishing Takedowns
Domainsure’s free phishing takedown service, included at the Enterprise service level, is particularly useful for rapidly neutralizing phishing sites.
Given how quickly a phishing site can harvest credentials and wallet approvals, the ability to take such sites down fast is invaluable. In the Velodrome incident, a takedown request to the provider hosting the malicious clones could have removed them while the domain itself was still in the attackers’ hands, protecting users from the phishing attempt even before the registrar restored the nameservers.
The speed and efficiency of this service make it a crucial component in the defense against socially engineered cyber attacks.
The Velodrome DNS attack is a recent example of a broader class of threat: sophisticated social engineering used to gain control of a domain’s DNS.
Services like DomainSure’s Enhanced Phishing Scans, Full NameServer & DNS Change Notices, Set-and-Forget-DNSSEC, and Free Phishing Takedowns represent critical tools to protect against socially engineered DNS attacks. These solutions offer a layered defense strategy that addresses both technological vulnerabilities and the human elements that are often exploited in sophisticated cyber attacks.
However, another takeaway from the Velodrome incident goes beyond adopting specific services or tools. It’s about fostering a culture of cybersecurity awareness within organizations, where every member understands the importance of their role in maintaining security. Regular training, audits, and updates are essential in keeping up with the latest threats and ensuring that both staff and systems are equipped to prevent, detect, and respond effectively to attacks.
This case study serves as a critical lesson in the importance of a comprehensive, proactive approach to cybersecurity. By integrating advanced security solutions with continuous education and robust protocols, organizations can not only protect themselves against current threats but also build resilience against future cyber challenges.
Full Incident Report: https://medium.com/@VelodromeFi/11-29-2023-incident-report-92865dceb757