Anatomy of an attack: How Coinbase was targeted with emails booby-trapped with Firefox zero-days
Elaborate browser break-out betrayed by unusual behavior
Coinbase chief information security officer Philip Martin this week published an incident report covering the recent attack on the cryptocurrency exchange, revealing a phishing campaign of surprising sophistication.
The thwarted attack began with email messages on May 30 to more than a dozen Coinbase employees that appeared to be from Gregory Harris, a research grant administrator at the University of Cambridge in the UK.
At some point prior to that, the attackers – a group known to Coinbase as CRYPTO-3 or sometimes HYDSEVEN – compromised or created two email accounts at Cambridge. Two days before the initial emails went out, they registered a domain to deliver their exploit, Martin said.
These messages represented reconnaissance for a phishing campaign that extended beyond Coinbase. After corresponding with the initial set of targets – about 200 – through a series of messages over several weeks, the hackers winnowed their list of prospective victims down to five specific marks. These individuals – macOS users not using Firefox – received messages with malicious links.
"Stage one of this attack first identified the operating system and browser, and displayed a convincing error to macOS users who were not currently using Firefox, instructing them to install the latest version from Mozilla," Martin wrote. "After visiting the page in Firefox, the exploit code was delivered from a separate domain, analyticsfit[.]com, which was registered on May 28."
Digi-dosh exchange Coinbase: Someone tried to pwn our staff via this week's Firefox zero-day security holeREAD MORE
Martin also observed that the privilege escalation flaw had existed for a while in Firefox but only became exploitable using the chosen attack technique as of May 12 due to an unidentified technical change.
"This indicates a very rapid discovery-to-weaponization cycle on the part of the attacker (or whoever the attacker acquired the 0-day from)," said Martin, noting that the exploit code itself was well-structured, as might be expected from experienced malware authors.
Using those two vulnerabilities to achieve arbitrary code execution, the attacker's shellcode issued a curl command to download and run the stage-one implant, a Netwire variant. Used for reconnaissance and credential theft on victims' machines, the malicious code was detected by Coinbase at this point based on unusual behavior, specifically Firefox spawning a shell.
The stage-one payload then transitioned to a stage two implant, identified by Martin as a variant of the Mokes malware family. It's a remote access trojan (RAT) and was operated under direct human control. Martin speculates that the attackers moved to stage two when they believed they had compromised a target of value.
Once aware of the hack, Coinbase's security team collected data artifacts related to the break-in, revoked affected credentials, and contacted Mozilla's security team, which managed to create patches shortly thereafter.
Martin attributed Coinbase's successful response to the attack to a security-first culture, detection and response tooling, and clear incident response playbooks. Sharing information about such incidents, he suggests, will help the crypto-finance industry. ®