This is How Hackers Attempted to Attack Coinbase
U.S.-based cryptocurrency exchange and wallet provider Coinbase gave more details on the recent attempted hack, and said that they were a target of a carefully planned, sophisticated attack that utilized spear phishing/social engineering tactics and two Firefox zero-day vulnerabilities.
In the latest Coinbase blog post, Philip Martin, Chief Information Security Officer of the company, explained that over the course of several weeks, starting on May 30th, a number of Coinbase employees received an email from a person claiming to be Gregory Harris, a Research Grants Administrator at the University of Cambridge. The email in no way seemed suspicious: it “came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients.” All this created a sense that victims were talking to legitimate people, Martin says.
The group, tracked by Coinbase as ‘CRYPTO-3’ aka ‘HYDSEVEN’, created fake LinkedIn profiles, either compromised or created two email accounts, created a landing page at the University of Cambridge, registered the domain, and cloned or modified existing Cambridge University pages, “making them available in the personal storage directories of the attacker-controlled accounts.”
However, the attackers first vetted potential victims over multiple emails, “making sure they were high-payoff targets”: of the people who received the initial email, 2.5% received a link to the page hosting the zero-day. On June 17th, ‘Harris’ sent an email with “a URL that, when opened in Firefox, would install malware capable of taking over someone’s machine”, which Coinbase detected and blocked “within a matter of hours”, writes Martin.
A zero-day is a previously unknown or unaddressed software vulnerability, and there were two of these “chained together” that the hacker likely discovered independently and used in his attempt. The investigation turned up details such as the attacker’s fast cycle from vulnerability discovery to weaponization and well-structured code. “Overall, it feels like the work of a group that has significant experience developing exploits”, says Martin.
The attack was executed in two stages:
- Stage 1: identifying the operating system and browser; displaying a convincing error to macOS users who were not using Firefox and instructing them to install the latest version; delivering the exploit code once the page was visited in Firefox; using the implant as “an initial recon and credential theft payload”. Coinbase said it detected the attackers at stage one.
- The stage 2 payload was likely used as a RAT (a remote access Trojan – a malware program that includes a back door for administrative control over the target computer). “We’ve observed activity of the stage 2 implant consistent with direct human control”, writes Martin.
After an employee and automated alerts sounded the alarm, the investigation started, while the attackers were likely still unaware of Coinbase’s response. “Once we were comfortable that we had achieved containment in our environment,” Coinbase reached out to the Mozilla security team to share the exploit code, and Mozilla then fixed the vulnerability on its end. Coinbase also reached out to Cambridge University.
Martin says that over 200 individuals were targeted by this attacker. Coinbase “identified the organizations employing these individuals so that we could reach out and give their security teams the information they needed to secure their infrastructure and protect their employees.”