Coinbase CEO Brian Armstrong
Cryptocurrency exchange Coinbase has described how it was targeted by, and foiled, “a sophisticated, highly targeted, thought out attack” aimed to access its systems and presumably to make off with some of the billions of dollars’-worth of cryptocurrency it holds.
In an Aug. 8 blog post that sets out in technical detail how the plot unfolded and how the exchange countered the attempted theft, Coinbase said the hackers used a combination of means to try and hoodwink staff and access vital systems – methods that included spear phishing, social engineering and browser zero-day exploits.
The attack had started on May 30, with a dozen staff being sent emails that purported to be from Gregory Harris, a Research Grants Administrator at the University of Cambridge. Far from random, these cited the employees’ past histories and requested help with judging projects competing for an award.
“This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients. Over the next couple weeks, similar emails were received. Nothing seemed amiss.”
The attackers developed email conversations with several staffers, holding back from sending any malicious code until June 17, when “Harris” sent another email, containing a URL that, when opened in Firefox, would install malware capable of taking over someone’s machine.
Coinbase said that, “within a matter of hours, Coinbase Security detected and blocked the attack.”
The first stage of the attack, the post indicates, first identified the OS and browser on the intended victims’ machines, displaying a “convincing error” to macOS users who were not using the Firefox browser, and prompting them to install the latest version of the app.
Once the emailed URL was visited with Firefox, the exploit code was delivered from a different domain, that had been registered on May 28. It was at this point that the attack was identified, “based on both a report from an employee and automated alerts,” Coinbase said.
Its analysis found that stage two would have seen another malicious payload delivered in the form of a variant of the Mac-targeting backdoor malware called Mokes.
Notably, the former was discovered by Samuel Groß of Google’s Project Zero at the same time as the attacker, though Coinbase played down the likelihood that the hacking team had gained the information on the vulnerability via that source. Groß addresses that in a Twitter thread.
In another sign of the sophistication of the hacking team – labeled by Coinbase as CRYPTO-3 or HYDSEVEN – it took over or created two email accounts and created a landing page at the University of Cambridge.
“We don’t know when the attackers first gained access to the Cambridge accounts, or whether the accounts were taken over or created. As others have noted, the identities associated with the email accounts have almost no online presence and the LinkedIn profiles are almost certainly fake.”
After discovering the single affected computer at the company, Coinbase said it revoked all credentials on the machine, and locked all the staffer’s accounts.
“Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack,” the exchange said. “The Mozilla security team was highly responsive and was able to have a patch out for CVE-2019–11707 by the next day and CVE-2019–11708 in the same week.”
Coinbase also contacted Cambridge University to report and help fix the issue, as well as to gain more information on the attacker’s methods.
“The cryptocurrency industry has to expect attacks of this sophistication to continue, and by building infrastructure with excellent defensive posture, and working with each other to share information about the attacks we’re seeing, we’ll be able to defend ourselves and our customers, support the cryptoeconomy, and build the open financial system of the future.”