Yeah, is there a security hole we should be aware of or was the macaroon accidentally posted to nostr?

Discussion

Don’t you need to be inside the network to use the admin macaroon? Unless it was all open to the public

This is my main concern right now too. My systems are all locked down with hardware vpns. I think it's unlikely they were able to get into my system in any way. I can only ssh into my K8 nodes and bitcoin node on the network. The services I expose over clearnet are BTCPay, Cashu Mint, and my website that I use to create lightning invoices.

I have a network firewall that only exposes these ports:

TCP 9735 (Lightning P2P)

TCP 80/443 (HTTP/HTTPS)

I do not have these ports exposed:

Port 8080 (LND REST) ❌

Port 10009 (LND gRPC) ❌

Sorry I'm actively trying to get to the bottom of this. My entire system is behind a vpc only accessible with my hardware vpn. I can't even access the network unless I'm connected to the hardware VPN (SonicWall). Here's what I've managed to put together so far. Still looking for how they were able to get access to my lnd instance.

The attacker:

Had access to the admin macaroon (from the Cashu mint Docker image or K8s)

Swept on-chain funds first (02:52-02:53)

Probed BTCPay unsuccessfully (03:14-03:29)

Closed channels cooperatively (03:34-03:38)

Continued sweeping over 2 days
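The question above of whether a stolen admin macaroon is usable from outside the network turns on what the macaroon itself carries: lnd macaroons are libmacaroons v2 blobs, and the only thing that limits them is the list of first-party caveats baked into them (the default admin.macaroon has none, so whoever holds it and can reach port 8080 or 10009 has full control until it is revoked). The following is an added example, not code from this thread or from the lnd project: it decodes the v2 binary format, lists the caveats (lncli's bakemacaroon --timeout and --ip_address produce conditions of the form "time-before <RFC3339>" and "ipaddr <ip>"), and checks the standard macaroon HMAC chain to show that caveats cannot be stripped without the root key. The root key, identifiers and macaroon bytes used here are constructed for the demo; lnd's real root keys live in its own database, not in the .macaroon file.

```python
"""Decode an lnd-style macaroon (libmacaroons v2 binary format) and list the
first-party caveats that restrict where and for how long it can be used."""
import hashlib
import hmac

# Field types of the v2 binary format (what lnd writes to *.macaroon files).
EOS, LOCATION, IDENTIFIER, VID, SIGNATURE = 0, 1, 2, 4, 6
KEY_GEN = b"macaroons-key-generator"  # libmacaroons root-key derivation label


def _read_uvarint(buf, pos):
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def _write_uvarint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _read_packet(buf, pos):
    """Return (field_type, value, new_pos); EOS packets carry no length/value."""
    ftype, pos = _read_uvarint(buf, pos)
    if ftype == EOS:
        return EOS, b"", pos
    length, pos = _read_uvarint(buf, pos)
    return ftype, bytes(buf[pos:pos + length]), pos + length


def _packet(ftype, value=b""):
    if ftype == EOS:
        return _write_uvarint(EOS)
    return _write_uvarint(ftype) + _write_uvarint(len(value)) + value


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def decode_macaroon(raw):
    if not raw or raw[0] != 2:
        raise ValueError("expected a v2 binary macaroon (first byte 0x02)")
    mac = {"location": None, "identifier": b"", "caveats": [], "signature": b""}
    ftype, value, pos = _read_packet(raw, 1)
    if ftype == LOCATION:  # optional
        mac["location"] = value.decode()
        ftype, value, pos = _read_packet(raw, pos)
    if ftype != IDENTIFIER:
        raise ValueError("missing identifier")
    mac["identifier"] = value
    ftype, _, pos = _read_packet(raw, pos)
    if ftype != EOS:
        raise ValueError("malformed header")
    while True:  # one section per caveat, list terminated by a bare EOS
        ftype, value, pos = _read_packet(raw, pos)
        if ftype == EOS:
            break
        cav = {"location": None, "cid": b"", "vid": b""}
        if ftype == LOCATION:
            cav["location"] = value.decode()
            ftype, value, pos = _read_packet(raw, pos)
        if ftype != IDENTIFIER:
            raise ValueError("caveat without identifier")
        cav["cid"] = value
        ftype, value, pos = _read_packet(raw, pos)
        if ftype == VID:  # third-party caveat
            cav["vid"] = value
            ftype, value, pos = _read_packet(raw, pos)
        if ftype != EOS:
            raise ValueError("malformed caveat")
        mac["caveats"].append(cav)
    ftype, value, pos = _read_packet(raw, pos)
    if ftype != SIGNATURE:
        raise ValueError("missing signature")
    mac["signature"] = value
    return mac


def first_party_caveats(raw):
    """Conditions like 'time-before 2030-...' or 'ipaddr 10.0.0.5'. Empty = no limit."""
    return [c["cid"].decode("utf-8", "replace")
            for c in decode_macaroon(raw)["caveats"] if not c["vid"]]


def verify_first_party(raw, root_key):
    """Macaroon HMAC chain: sig0 = HMAC(derive(root_key), id), then
    sig = HMAC(sig, cid) per caveat. Dropping a caveat breaks the chain."""
    mac = decode_macaroon(raw)
    sig = _hmac(_hmac(KEY_GEN, root_key), mac["identifier"])
    for cav in mac["caveats"]:
        sig = _hmac(sig, cav["cid"])
    return hmac.compare_digest(sig, mac["signature"])


def bake(root_key, identifier, caveats=(), location="lnd"):
    """Constructed helper producing sample macaroons for this demo."""
    sig = _hmac(_hmac(KEY_GEN, root_key), identifier)
    body = b"\x02" + _packet(LOCATION, location.encode())
    body += _packet(IDENTIFIER, identifier) + _packet(EOS)
    for cond in caveats:
        cid = cond.encode()
        sig = _hmac(sig, cid)
        body += _packet(IDENTIFIER, cid) + _packet(EOS)
    return body + _packet(EOS) + _packet(SIGNATURE, sig)


# Constructed samples: dummy root key and identifiers, not lnd-derived values.
ROOT_KEY = b"constructed-root-key-not-real"
ADMIN_LIKE = bake(ROOT_KEY, b"constructed-admin-id")
LOCKED = bake(ROOT_KEY, b"constructed-locked-id",
              ["time-before 2030-01-01T00:00:00Z", "ipaddr 10.0.0.5"])

if __name__ == "__main__":
    for name, raw in (("admin-like", ADMIN_LIKE), ("locked", LOCKED)):
        cavs = first_party_caveats(raw)
        print(name, "->", cavs or "NO CAVEATS: usable from any host, never expires")
```

To inspect a real file, read it with `open("admin.macaroon", "rb").read()` and pass the bytes to `first_party_caveats`; an empty list is the finding that matters for this thread, since it means the leaked credential was not bound to an address or an expiry and the firewall rules on 8080/10009 were the only thing standing between the holder and the node.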