Cryptocurrency exchange Coinbase has described how it was targeted by, and foiled, “a sophisticated, highly targeted, thought out attack” aimed to access its systems and presumably to make off with some of the billions of dollars’-worth of cryptocurrency it holds.
In an Aug. 8 blog post that sets out in technical detail how the plot unfolded and how the exchange countered the attempted theft, Coinbase said the hackers used a combination of means to try and hoodwink staff and access vital systems – methods that included spear phishing, social engineering and browser zero-day exploits.
When more than a dozen Coinbase employees got an email in May from an administrator at the University of Cambridge in the UK, nothing about the message raised any red flags. Someone named Gregory Harris, who said he was a “research grants administrator” at the university, cited the employees’ past histories and requested help with judging projects competing for an economics prize.
“This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients. Over the next couple weeks, similar emails were received. Nothing seemed amiss.”
Some of the employees exchanged additional emails with this account during the next two weeks; still nothing amiss. Little did they know that this was all part of a devious scheme. Whoever was really behind this account was playing a long game, aiming to gain access to Coinbase’s back-end network and steal some of the billions of dollars’ worth of cryptocurrency the company stores on behalf of its users. On June 17, when “Harris” sent another email containing a URL that, when opened in Firefox, would install malware capable of taking over someone’s machine.
Coinbase said that, “within a matter of hours, Coinbase Security detected and blocked the attack.”
The first phase of the attack identified the operating system and browser on the intended victims’ machines, displaying a “convincing error” to macOS users who were not using the Firefox browser, and prompting them to install the latest version of the app.
Once the emailed URL was visited with Firefox, the exploit code was delivered from a different domain, that had been registered on May 28. It was at this point that the attack was identified, “based on both a report from an employee and automated alerts,” Coinbase said.
Its analysis found that phase two would have seen another malicious payload delivered in the form of a variant of the Mac-targeting backdoor malware called Mokes.
Notably, the former was discovered by Samuel Groß of Google’s Project Zero at the same time as the attacker, though Coinbase played down the likelihood that the hacking team had gained the information on the vulnerability via that source. Groß addresses that in a Twitter thread.
What was unique about the attack, says Philip Martin, the company’s chief information security officer, was its sheer cost and the unusually high level of effort behind it. “It really underscores for me how seriously the attackers are taking the [cryptocurrency] space,” he says.
In another sign of the sophistication of the hacking team – labeled by Coinbase as CRYPTO-3 or HYDSEVEN – it took over or created two email accounts and created a landing page at the University of Cambridge.
“We don’t know when the attackers first gained access to the Cambridge accounts, or whether the accounts were taken over or created. As others have noted, the identities associated with the email accounts have almost no online presence and the LinkedIn profiles are almost certainly fake.”
After discovering the single affected computer at the company, Coinbase said it revoked all credentials on the machine, and locked all the staffer’s accounts.
“Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack,” the exchange said. “The Mozilla security team was highly responsive and was able to have a patch out for CVE-2019–11707 by the next day and CVE-2019–11708 in the same week.”
Coinbase also contacted Cambridge University to report and help fix the issue, as well as to gain more information on the attacker’s methods.
“The cryptocurrency industry has to expect attacks of this sophistication to continue, and by building infrastructure with excellent defensive posture, and working with each other to share information about the attacks we’re seeing, we’ll be able to defend ourselves and our customers, support the cryptoeconomy, and build the open financial system of the future.”
About Cryoto Project Times: The leader in Crypto Project News & opinion, CPN is a media outlet that strives for the highest journalistic standards and abides by a strict code of journalistic ethics. CPN is an independent operating subsidiary of EngineBloc LLC, which provides marketing and communications support for blockchain start-ups. For sponsored content inquiries, contact CryptoPressEngine the exclusive PR partner of CPN.