Ethena Engineering Blog

Lessons Learned on Domain Security Management

TL;DR

On 18th September 2024, we experienced a security incident in which a malicious actor briefly gained access to our domain registrar account for ethena.fi. Despite the domain registrar account being secured with a username, a password managed through a secure password manager, and TOTP two-factor authentication, the attacker was able to change the admin email address without authorization, gain access to the account, and temporarily host a phishing website on our domain. Our automated detection systems alerted us to the account access and nameserver change within minutes, and our incident response team acted swiftly to contain the breach. We worked closely with industry partners to block malicious traffic, lock down the domain registrar account, and take down the malicious website within 2 hours.

We’ve since migrated the domain to a more secure registrar, and full compensation for the small number of affected users is being processed.

There is nothing to suggest any compromise of Ethena’s internal backend systems, and our internal review thus far strongly points to social engineering of our domain registrar as the method used to compromise the account. We recommend that our peers review the security of their own domain registrars and take any appropriate remedial action in light of a series of similar attacks observed in the DeFi space this year.

The Incident: What Happened?

On 18th September, an unknown malicious actor gained unauthorized access to our domain registrar account managing the domain ethena.fi. By changing the admin email and redirecting the nameservers, they were able to serve a phishing website on our domain for a brief window of less than 2 hours, and only for a subset of visitors.

Here’s a summary of key events:

  • Google alerts: We received multiple alerts from Google prior to the incident, noting a potential attack by nation-state threat actors.

  • Email change: The attacker changed the admin email address on our domain registrar account.

  • Automated detection: Our monitoring systems flagged unusual behavior immediately, and our incident response team initiated response protocols.

  • Phishing site: The attacker deployed a phishing site on our domain.

  • Account lockdown and coordination: Within minutes, working with industry partners including SEAL 911 and Cloudflare, we were able to block traffic to the domain as a preventative measure to protect visitors from phishing attacks while we worked with the domain registrar to lock down the account, take down the malicious site, and restore our website.

  • Resuming normal operations: Over the next few hours, we worked with our registrar to implement additional safeguards on the account. Only once we were confident that the risk of additional unauthorized access was mitigated did we remove traffic blocks for the domain, and normal operations resumed.

  • Post-incident actions: Shortly after the incident we safely transferred the domain to a more secure registrar.

Throughout the process, we remained in contact with affected users, offering compensation to those who fell victim to phishing during the short exposure period as a gesture of goodwill. There was no downtime to Ethena’s 24/7 on-demand direct mint and redeem functionality, and the peg remained tight throughout the incident.

Our Commitment to Security: Existing Protections and Immediate Response

Security is at the core of everything we do. Our systems are designed to prevent incidents like this, and while no system is completely invulnerable, our infrastructure has been built to respond to threats rapidly.

  • Two-Factor Authentication (2FA): Before the incident, our domain registrar account was already protected by TOTP 2FA. This is our standard procedure across all accounts, in addition to passwords managed by a secure password manager.

  • Hardware-based MFA: For internal systems and access control, we enforce hardware-based multi-factor authentication, which remains an industry best practice for securing critical infrastructure.

  • IP Whitelisting: To further safeguard access, we employ IP whitelisting for internal systems, ensuring that only trusted networks are allowed to interact with sensitive infrastructure. This adds another layer of restriction, reducing the risk of unauthorized access.

  • Proactive Monitoring and Alerts: Our automated security systems detected the suspicious activity immediately. Our incident response was underway within minutes of the attacker gaining access, significantly minimizing the potential damage.

  • Industry Partner Coordination: We worked with industry partners to block traffic to the compromised domain, adding an extra layer of defense for users while we stabilized and investigated the breach.

While the attack is strongly suspected to have been executed via social engineering (or a potential compromise) of registrar personnel, we want to emphasize that Ethena’s internal backend systems were uncompromised and remained fully operational throughout the events described herein.

Understanding Domain Takeover Attacks: Common Methods and Tactics

Domain registrar account takeovers are typically executed through social engineering attacks, where malicious actors manipulate employees of the registrar company into granting unauthorized access. These attackers may also use:

  • Phishing to gather login credentials.

  • SIM swapping to bypass SMS-based 2FA.

  • Credential stuffing, relying on weak or reused passwords.

Our internal review thus far strongly points to social engineering as the method used to compromise the domain registrar account. Despite our use of non-SMS-based 2FA, attackers can exploit the human element, such as weaknesses in customer support processes at registrars, which sits outside the account holder's own authentication controls.

Domain takeovers are particularly dangerous in decentralized finance (DeFi), where even brief periods of domain hijacking can lead to significant financial loss via phishing attacks. Thankfully, due to our rapid response, we estimate only ~$15k in total funds were affected across 10 impacted wallets, and impacted users are being made whole.

Best Practices to Protect Against Domain Takeovers

To protect against domain registrar account takeovers, we recommend the following best practices:

  1. Use Hardware-Based 2FA: While 2FA is crucial, SMS-based or app-based methods can be vulnerable to phishing and SIM-swapping. Consider using hardware tokens like YubiKeys for critical accounts.

  2. Registrar Locking: Enable domain locking features offered by most registrars to prevent unauthorized transfers or changes without additional verification steps.

  3. Monitor Domain Activity: Implement real-time alerts for changes to your domain, especially admin emails, DNS records, or any modification of critical settings.

  4. Vet Your Registrar: Choose registrars with strong security protocols. If your current registrar doesn’t meet high security standards, don’t hesitate to switch to a more secure provider.

  5. Review system access: Assess the exposure of key individuals who hold access to sensitive systems, and identify and carry out any remedial action ahead of time.

  6. Educate and Train Your Team: Ensure that every team member, from developers to support staff, is trained on phishing and social engineering techniques. The human element is often the weakest link in security.
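As an added illustration of item 3 (real-time alerts on admin email, nameserver and record changes) and item 2 (registrar locking), the check below is example code written for this post, not Ethena's own tooling; the collector that fills the snapshots, the registrar API behind it, and the example domains and addresses are all assumptions.

```python
# Constructed example (not Ethena's code): alert on registrar and DNS changes of the
# kind seen in the incident. Snapshots are hard-coded here so the check runs offline.

# EPP status codes a locked domain should carry: client* codes are set by the
# registrar (registrar lock), server* codes only by the registry (registry lock).
REGISTRAR_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                   "clientDeleteProhibited"}
REGISTRY_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                  "serverDeleteProhibited"}

def check_snapshot(baseline: dict, current: dict) -> list[tuple[str, str]]:
    """Return (severity, message) for every difference that matters."""
    alerts = []
    # Either change alone is enough to hand an attacker control of the zone.
    if baseline["admin_email"].lower() != current["admin_email"].lower():
        alerts.append(("critical", "admin email changed: "
                       f"{baseline['admin_email']} -> {current['admin_email']}"))
    old_ns, new_ns = set(baseline["nameservers"]), set(current["nameservers"])
    if old_ns != new_ns:
        alerts.append(("critical", f"nameservers changed: {sorted(old_ns)} -> {sorted(new_ns)}"))
    statuses = set(current.get("statuses", []))
    if REGISTRAR_LOCKS - statuses:
        alerts.append(("high", "registrar lock missing: "
                       + ", ".join(sorted(REGISTRAR_LOCKS - statuses))))
    if not REGISTRY_LOCKS & statuses:
        alerts.append(("medium", "no registry lock (server*Prohibited) present"))
    # Record-level diff keyed by (name, type): a changed apex A record is the
    # usual sign that the site is being pointed at a phishing host.
    for key in sorted(set(baseline["records"]) | set(current["records"])):
        old = baseline["records"].get(key, set())
        new = current["records"].get(key, set())
        if old != new:
            alerts.append(("high", f"{key[1]} {key[0]} changed: {sorted(old)} -> {sorted(new)}"))
    return alerts

# Constructed snapshots: CURRENT mirrors the incident pattern of a swapped
# admin contact followed by a nameserver change on an unlocked domain.
BASELINE = {
    "admin_email": "dns-admin@example.com",
    "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
    "statuses": sorted(REGISTRAR_LOCKS),
    "records": {("@", "A"): {"203.0.113.10"}, ("www", "CNAME"): {"app.example.com"}},
}
CURRENT = {
    "admin_email": "mailbox@attacker.example",
    "nameservers": ["ns1.rogue.example", "ns2.rogue.example"],
    "statuses": [],
    "records": {("@", "A"): {"198.51.100.7"}, ("www", "CNAME"): {"app.example.com"}},
}
```

Capture the baseline while the domain is known-good and run the collector every few minutes, so that a critical alert arrives inside the window the response team needs to block traffic and contact the registrar.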

Building a Secure DeFi Community

As a leader in the DeFi space, we are committed to securing our own infrastructure and fostering a secure environment for the entire community. This incident reminds us that collaboration is essential to mitigating risks.

We encourage other DeFi projects, security professionals, and users to join us in building a security community—a place where we can share best practices, new threats, and mitigation strategies.

If you're interested in joining a community effort to tackle DeFi security, please reach out to us through secure channels. We can prevent incidents like this from affecting the broader DeFi ecosystem.


By transparently sharing this postmortem and outlining the steps we took, we hope to demonstrate our commitment to security. Not only are we continuously improving our own protections, but we also aim to be a resource for others in the DeFi space. Let’s work together to raise the bar on security standards across the industry.
