Comment by Animats
18 hours ago
"It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time."
Does this mean firewalls now have to block all Ethereum endpoints?
> Does this mean firewalls now have to block all Ethereum endpoints?
Or, instead of attempting to enumerate the bad, if you run WordPress make sure it can't call out anywhere except a whitelist of hosts if some plugins have legitimate reasons to call out. Assuming the black-hat jiggery-pokery is server side of course.
If your Wordpress server had no reason to talk to Ethereum endpoints, then it should have never have been allowed to do so in the first place.
Should something like a WordPress server not have a domain allowlist for outbound connections? Does WordPress need to connect to arbitrary domains?
That is a never-ending game of whack-a-mole. There are infinite places to put command and control data.
The attack has to find the control nodes. Domains and IP addresses can be turned off. With this approach, there's no way to stop the finding process even after the attack has been reverse-engineered, short of firewalling or shutting down crypto nodes.
What happens when Ethereum gets a takedown order?
More generally, what happens as the malware ecosystem integrates with the cryptocurrency ecosystem?