Coinbase Sets Out How It Foiled a ‘Sophisticated’ Hacking Attack
In an Aug. 8 blog post that sets out in technical detail how the plot unfolded and how the exchange countered the attempted theft, Coinbase said the hackers used a combination of methods to try to hoodwink staff and access vital systems – methods that included spear phishing, social engineering and browser zero-day exploits.
The attack had started on May 30, with a dozen staff being sent emails that purported to be from Gregory Harris, a Research Grants Administrator at the University of Cambridge. Far from random, these cited the employees’ past histories and requested help with judging projects competing for an award.
Coinbase said:
“This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients. Over the next couple weeks, similar emails were received. Nothing seemed amiss.”

The attackers developed email conversations with several staffers, holding back from sending any malicious code until June 17, when “Harris” sent another email containing a URL that, when opened in Firefox, would install malware capable of taking over the victim’s machine.
Coinbase said that, “within a matter of hours, Coinbase Security detected and blocked the attack.”
The first stage of the attack, the post indicates, identified the OS and browser on each intended victim’s machine; macOS users who were not running Firefox were shown a “convincing error” prompting them to install the latest version of Firefox.
Once the emailed URL was visited with Firefox, the exploit code was delivered from a different domain that had been registered on May 28. It was at this point that the attack was identified, “based on both a report from an employee and automated alerts,” Coinbase said.
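One of the few concrete signals in this timeline is the age of the exploit-hosting domain: registered on May 28, first put to use three weeks later. The script below is an added illustration (not Coinbase’s code, and not drawn from its post) of a simple mail-gateway check that flags links whose domain was registered shortly before the email carrying them arrived, or whose registration date cannot be established. The domain names, registration table and sample messages are constructed for the example; the dates follow the article’s timeline.

```python
"""Flag email links whose domain is newly registered or of unknown age.
Added example for illustration only; not Coinbase's code. The registry,
domain names and messages below are constructed."""
from datetime import date
from urllib.parse import urlparse

# Constructed stand-in for a WHOIS / passive-DNS lookup:
# registrable domain -> creation date. Domain names are placeholders.
REGISTRATION_DATES = {
    "cam.ac.uk": date(1990, 1, 1),                   # long-established institution
    "example-exploit-host.test": date(2019, 5, 28),  # placeholder for the exploit domain
}


def registrable_domain(url: str) -> str:
    """Reduce a URL to an approximate registrable domain (last two labels).

    Simplification: production code should use the Public Suffix List so
    that hosts under two-level suffixes such as ac.uk are not cut down to
    the suffix itself. A small allow-list of such suffixes is handled here.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if (len(labels) >= 3 and labels[-2] in {"ac", "co", "gov", "org"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domain_age_days(url: str, seen_on: date, registry=REGISTRATION_DATES):
    """Age in days of the link's domain on the day the email arrived.

    Returns None when the registry has no record, which the caller treats
    as suspicious rather than as safe.
    """
    created = registry.get(registrable_domain(url))
    if created is None:
        return None
    return (seen_on - created).days


def flag_young_domains(emails, max_age_days=30, registry=REGISTRATION_DATES):
    """Return (message_id, url, age_or_None) for every link whose domain is
    younger than max_age_days or has no known registration date."""
    findings = []
    for msg in emails:
        for url in msg["urls"]:
            age = domain_age_days(url, msg["received"], registry)
            if age is None or age < max_age_days:
                findings.append((msg["id"], url, age))
    return findings


# Constructed sample messages following the article's timeline:
# benign institutional links first, then a link to the young exploit domain.
SAMPLE_EMAILS = [
    {"id": "msg-1", "received": date(2019, 5, 30),
     "urls": ["https://www.cam.ac.uk/research/awards"]},
    {"id": "msg-2", "received": date(2019, 6, 17),
     "urls": ["https://download.example-exploit-host.test/award-brief"]},
    {"id": "msg-3", "received": date(2019, 6, 17),
     "urls": ["https://never-seen-before.test/"]},
]

if __name__ == "__main__":
    for msg_id, url, age in flag_young_domains(SAMPLE_EMAILS):
        print(f"{msg_id}: {url} (domain age: {age} days)")
```

Run as-is, the script reports the June 17 link (domain age 20 days) and the link whose domain has no registration record, while the established institutional domain passes. In a real gateway the registry lookup would be backed by WHOIS or passive DNS, and a hit would feed the kind of automated alert the post credits with catching the attack, rather than block mail outright.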
Its analysis found that stage two would have seen another malicious payload delivered in the form of a variant of the Mac-targeting backdoor malware called Mokes.
Coinbase explained that there had been two separate Firefox zero-day exploits utilized in the attack: “one that allowed an attacker to escalate privileges from JavaScript on a page to the browser (CVE-2019-11707) and one that allowed the attacker to escape the browser sandbox and execute code on the host computer (CVE-2019-11708).”
Reviewed by Aenzen on 5:56 PM