Intelligent Tech Channels Issue 86 | Page 13

SECURITY NEWS
Bybit breach made possible by code-level attack and failure of cloud and identity trust
This enters into a shared responsibility model for security and resilience, and while security features are available, they are not enabled by default by the service provider.
Tim Erridge, VP and Managing Partner, Unit 42 EMEA, Palo Alto Networks

In Unit 42's recently released 2025 Global Incident Response Report, we are seeing an increase in the frequency and sophistication of software supply chain and cloud attacks. The recent attack on Safe's multi-signature wallet, leading to the $1.5B Bybit crypto hack, is a stark example of this global trend.

Nearly a third of our cases now include cloud compromises, and in 70% of them attackers used a similar multi-pronged approach, exploiting endpoint, cloud and human assets via social media. Phishing has returned to the top of the podium as the number one initial access vector, responsible for over 23% of the incidents worked by Unit 42 in the past 12 months.
The Bybit attack demonstrates how attackers are still able to exploit the ever-increasing complexity of our environments, created through the use of cloud infrastructure and Software-as-a-Service applications. The issue is that this enters into a shared responsibility model for security and resilience: while security features are available, they are inherently not enabled by default by the service provider, because the configuration has to be tailored to the business functionality the customer is building. So it is all too often the case that security configuration is sub-optimal, if enabled at all.
This lack of security configuration is compounded by a lack of visibility and by excessive trust. In cloud environments, SOCs often do not get the logs or detailed evidence needed to detect malicious activity until it is too late, if ever.
In 40% of the cloud incidents we responded to, the cloud assets were totally unmonitored.
Furthermore, in over 75% of the total incidents we worked, the right evidence was present in the logs, but siloed working practices prevented that crucial evidence from being detected in a timely manner. With attacks now progressing 250% faster than four years ago, the majority of data theft occurring in under 24 hours, and average detection times still languishing at around a week, real-time detection is necessary.
That is not possible without the combination of full visibility, comprehensive telemetry from across all assets and environments, and the use of AI and automation to process it and identify anomalous activity fast.
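To make the "evidence was in the logs but siloed" point concrete, here is an added example (not code from Unit 42 or from the article) that correlates identity, cloud and endpoint events on a shared principal within a short time window. The event records, the three per-silo signals and the 30-minute window are all constructed assumptions for illustration; real telemetry would be normalised from the respective platforms' audit logs. Each silo on its own sees only a single low-confidence hit per user and raises nothing; the joined timeline raises the alert.

```python
"""Cross-silo correlation over constructed sample events (not real telemetry)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. No single silo holds enough to alert on its own:
# each of these is, in isolation, a routine-looking low-confidence hit.
EVENTS = [
    {"ts": "2025-02-21T09:02:11Z", "silo": "identity", "principal": "dev-ops-1",
     "action": "login", "detail": "new_device"},
    {"ts": "2025-02-21T09:05:40Z", "silo": "cloud", "principal": "dev-ops-1",
     "action": "create_access_key", "detail": "iam"},
    {"ts": "2025-02-21T09:07:03Z", "silo": "endpoint", "principal": "dev-ops-1",
     "action": "process_start", "detail": "powershell -enc"},
    # Same two silo hits for another user, but 18 hours apart: benign noise.
    {"ts": "2025-02-21T14:30:00Z", "silo": "identity", "principal": "analyst-7",
     "action": "login", "detail": "new_device"},
    {"ts": "2025-02-22T08:15:00Z", "silo": "cloud", "principal": "analyst-7",
     "action": "create_access_key", "detail": "iam"},
]

# Hypothetical per-silo predicates; each is deliberately weak on its own.
SIGNALS = {
    "identity": lambda e: e["action"] == "login" and e["detail"] == "new_device",
    "cloud":    lambda e: e["action"] == "create_access_key",
    "endpoint": lambda e: e["action"] == "process_start" and "-enc" in e["detail"],
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def per_silo_alerts(events, min_signals=2):
    """The siloed view: a silo alerts only if it alone has >= min_signals
    hits for one principal. Returns the set of alerted principals."""
    counts = defaultdict(int)
    for e in events:
        if SIGNALS[e["silo"]](e):
            counts[(e["silo"], e["principal"])] += 1
    return {p for (_, p), c in counts.items() if c >= min_signals}


def correlated_alerts(events, window=timedelta(minutes=30), min_silos=2):
    """The joined view: group hits by principal across all silos and alert when
    >= min_silos distinct silos fire within `window` of each other.
    Returns {principal: sorted list of silos that fired}."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        if SIGNALS[e["silo"]](e):
            hits[e["principal"]].append((parse_ts(e["ts"]), e["silo"]))
    alerts = {}
    for principal, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            silos = {s for t, s in seq[i:] if t - t0 <= window}
            if len(silos) >= min_silos:
                alerts[principal] = sorted(silos)
                break
    return alerts


if __name__ == "__main__":
    print("per-silo:", per_silo_alerts(EVENTS))       # set()
    print("correlated:", correlated_alerts(EVENTS))   # {'dev-ops-1': [...]}
```

The choice of join key (the principal) and window matters more than the individual signals: the same events spread over a day for analyst-7 stay quiet, while dev-ops-1's five-minute sequence across three silos is exactly the multi-pronged pattern the report describes.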
The large-scale misappropriation of crypto assets via the attack on Safe's multi-signature wallet was the consequence of attacks at the code level, combined with abuse of cloud infrastructure and identity trust and social engineering of the end user. This combination of exploits demonstrates just how important it is to have an end-to-end approach to prevention as well as to visibility, detection and response.
The attack was deliberately covert, allowing the actor to position themselves until the moment of execution, with similarities to ransomware. Yet once executed, the impact is instant and significant, leaving no opportunity to intervene after the fact. This again underlines the importance of prevention techniques and of the earliest possible detection, to give defenders the chance to intervene beforehand. •