Cryptonews Exclusives This is How Hackers Attempted to Attack Coinbase

This is How Hackers Attempted to Attack Coinbase

Sead Fadilpašić
Sead Fadilpašić
Last updated: | 2 min read

U.S.-based cryptocurrency exchange and wallet provider Coinbase gave more details on the recent attempted hack, and said that they were a target of a carefully planned, sophisticated attack that utilized spear phishing/social engineering tactics and two Firefox zero-day vulnerabilities.

Source: iStock/DragonImages

In the latest Coinbase blog post, Philip Martin, Chief Information Security Officer of the company, explained that over the course of several weeks, starting with May 30th, a number of Coinbase employees received an email from a person claiming to be Gregory Harris, a Research Grants Administrator at the University of Cambridge, which in no way seemed suspicious – it “came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients.” All this created a sense that victims were talking to legitimate people, Martin says.

The group, tracked by Coinbase as ‘CRYPTO-3’ aka ‘HYDSEVEN’, created the fake LinkedIn profiles, either compromised or created two email accounts, created a landing page at the University of Cambridge, registered the domain, and cloned or modified existing Cambridge University pages, “making them available in the personal storage directories of the attacker-controlled accounts.”

However, after looking for potential victims via multiple emails, “making sure they were high-payoff targets,” of the people who received the initial email, 2.5% received a link to the page hosting the zero-day. On June 17th, ‘Harris’ sent an email with “a URL that, when opened in Firefox, would install malware capable of taking over someone’s machine”, which Coinbase detected and blocked “within a matter of hours”, writes Martin.

A zero-day is a previously unknown or unaddressed software vulnerability, and there were two of these “chained together” that the hacker likely discovered independently and used in his attempt. Judging by the details discovered during the investigation, such as the attacker’s fast discovery of the vulnerability-to-weaponization cycle and a well-structured code. “Overall, it feels like the work of a group that has significant experience developing exploits”, says Martin.

The attack was executed in two stages:

  • Identifying the operating system and browser; displaying a convincing error to macOS users who were not using Firefox and instructing them to install the latest version; delivering the exploit code after the page in Firefox was visited; using the implant as “an initial recon and credential theft payload”. Coinbase said it detected the attackers at stage one.
  • The stage 2 payload was likely used as a RAT (a remote access Trojan – a malware program that includes a back door for administrative control over the target computer). “We’ve observed activity of the stage 2 implant consistent with direct human control”, writes Martin.

As an employee and automated alerts sounded the alarm, the investigation started, while the attackers were still likely unaware of their response. “Once we were comfortable that we had achieved containment in our environment,” they reached out to the Mozilla security team to share the exploit code, who then solved the vulnerability on their end, as well as to Cambridge University.

Martin says that over 200 individuals were targeted by this attacker. Coinbase “identified the organizations employing these individuals so that we could reach out and give their security teams the information they needed to secure their infrastructure and protect their employees.”

Read more: Who Remains in the Unhacked Exchange Club After Binance Drama?

Coinbase Exchange Hack

Most Popular

Altcoin News
Armenian Officials Trained on Essential Techniques and Tools for Effective Crypto-Crime Investigations
Blockchain News
Real-World Data Unlocks the True Value of Tokenization: Chainlink
Altcoin News
Stripe to Resume Crypto Payments, Starting with USDC Stablecoin on Numerous Blockchains
News
DCG Boosts Legal Arsenal with First Chief Hire During New York AG Dispute
Altcoin News
Pantera Capital Seeks to Raise $1 Billion for New Fund Offering Exposure to Crypto Assets
Bitcoin News
Veteran Trader Peter Brandt Predicts Major Bitcoin Price Action Coming Soon – Here’s the Latest

Latest news

Blockchain News
CryptoQuant CEO Supports Crypto Mixing, Says It’s Not A Crime
Ethereum News
$510 Million in Ethereum Longs at Risk Amid Potential Weekend Volatility – Massive Price Swing Incoming?
Bitcoin News
Crypto Billionaire Arthur Hayes Predicts Bitcoin Bull Run to Return After $1.4 Trillion US Liquidity Spike
Blockchain News
Elizabeth Warren-Challenger John Deaton to File Brief in Support of Coinbase Appeal in SEC Case Today: Fox
Bitcoin News
Bitcoin Price Prediction as BTC Climbs to $64,226 Amidst Positive Market Trends – Time to Buy
Bitcoin News
Bitcoin Core Developer Claims Runes Protocol Exploits Bitcoin Blockchain’s Design Flaw
Ethereum News
Rare Alien CryptoPunk NFT Sells For Record Breaking $12.38 Million ETH

Similar News