What can we learn from the latest Coinbase cyberattack?

Cryptocurrency exchange Coinbase has repelled a cyberattack that may have been carried out by the same attackers who targeted Twilio, Cloudflare and many other companies last year.

Using smishing and vishing, the attackers tried to trick Coinbase employees into sharing credentials and installing remote desktop software, with only partial success: the company’s incident response team reacted quickly to alerts of “unusual activity”, and in the end the attackers were unable to access customer information or steal funds.

How the Coinbase cyber attack played out

The attack began on Sunday, February 5, 2023, when several Coinbase employees received a text message claiming that they urgently needed to log into the company’s systems via a provided link in order to receive an important message.

Only one of the targeted employees fell for the ruse and entered their credentials on the phishing page. Armed with those credentials, the attackers tried to access corporate systems, but without the second authentication factor they were unsuccessful.

So they switched tactics: they phoned the employee while posing as Coinbase IT staff and tried to convince them to log into their workstation and install software that would give the attackers access to the system without needing the credentials at all.

“Fortunately, our Computer Security Incident Response Team (CSIRT) dealt with this issue within the first 10 minutes of the attack,” said Jeff Lunglhofer, Coinbase CISO.

“Our CSIRT was alerted to the unusual activity by our Security Incident and Event Management (SIEM) system. Shortly thereafter, one of our incident responders contacted the victim through our internal Coinbase messaging system and inquired about some of the unusual behavior and usage patterns associated with their account. Realizing something was seriously wrong, the employee cut off all communication with the attacker. Our CSIRT team immediately blocked all access for the affected employee and launched a full investigation.”

In the end, the attackers managed to get their hands on the names, email addresses, and phone numbers of some employees, which they may later use for social engineering attacks.

TTPs and risk mitigation advice

Lunglhofer didn’t share which second authentication factor Coinbase employees use, or whether the attackers even tried to trick the employee into handing it over – but MFA blocked this attack vector and forced the attackers to switch to vishing.

I have no doubt that affected employees will undergo additional training to increase their awareness of social engineering attack tactics, but as he noted, given the right circumstances, almost anyone can become a victim.

“Research consistently shows that all people can be fooled at some point, no matter how observant, skillful, and prepared they are,” he added. Because of this, this type of training is just one of many layers of security that organizations should implement.

Coinbase has shared the tactics, techniques, and procedures (TTPs) employed by attackers so that security teams from other organizations can keep an eye out. They include:

  • Web traffic to domains that combine the company name with the words sso, registration or dashboard but do not belong to the company
  • Attempted downloads of remote desktop apps such as AnyDesk or ISL Online, or installation of browser extensions that allow editing of cookies (e.g. EditThisCookie)
  • Attempted access to corporate resources from a third-party VPN provider
  • Phone calls or text messages from services like Google Voice, Skype, Vonage (formerly Nexmo), etc.

“As a network defender, you should expect login attempts to enterprise applications from VPN services (such as Mullvad) that use stolen credentials, cookies, or other session tokens. Try to enumerate customer support-oriented applications, e.g. CRM (customer relationship management) applications or applications for employee directories. And you may see attempts to copy text-based data to free-text or file-sharing services (e.g., riseup.net),” he added.
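The TTP list and the quote above are observables a SIEM can match on. The following is an added example, not Coinbase’s code and not from the article, that turns them into checks run over two constructed log extracts: a web proxy log and an SSO audit log. The company name, the owned-domain allowlist and the VPN exit range are assumptions (the range is the RFC 5737 TEST-NET-2 block standing in for a provider such as Mullvad, not a real address block), and the log lines are constructed.

```python
"""Detection of the published TTPs over constructed proxy and SSO audit logs."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

COMPANY = "coinbase"                 # assumption: the defender's company name
OWNED_DOMAINS = {"coinbase.com"}     # assumption: domains the company actually controls
LURE_WORDS = ("sso", "registration", "dashboard")   # words named in the TTP list
REMOTE_ACCESS_TOOLS = ("anydesk", "islonline")      # AnyDesk, ISL Online
COOKIE_EXTENSIONS = ("editthiscookie",)
# Constructed placeholder for a commercial VPN provider's exit range
# (TEST-NET-2 from RFC 5737, not a real Mullvad address block).
VPN_EXIT_RANGES = (ip_network("198.51.100.0/24"),)

# Constructed proxy log, one "<timestamp> <user> <url>" record per line.
PROXY_LOG = """\
2023-02-05T09:12:01Z alice https://sso.coinbase.com/login
2023-02-05T09:14:33Z alice https://coinbase-sso.com/login?u=alice
2023-02-05T09:20:07Z bob https://download.anydesk.com/AnyDesk.exe
2023-02-05T09:21:40Z bob https://extensions.example/editthiscookie.crx
2023-02-05T09:25:00Z carol https://dashboard.coinbase.com/
2023-02-05T09:26:12Z carol https://coinbase-dashboard.net/register
"""

# Constructed SSO audit log, one "<timestamp> <user> <result> <source_ip>" per line.
AUTH_LOG = """\
2023-02-05T09:30:11Z alice success 203.0.113.7
2023-02-05T09:31:02Z alice success 198.51.100.42
2023-02-05T09:32:45Z bob failure 198.51.100.9
"""


def is_owned_host(host: str) -> bool:
    """True if host is one of the company's own domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def classify_url(url: str) -> list[str]:
    """Return the TTP labels a single URL matches; an empty list means clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    findings = []
    # Lookalike login domain: company name plus sso/registration/dashboard on a
    # host the company does not own. Owned subdomains (sso.coinbase.com) are
    # legitimate and skipped, which is what keeps this rule quiet on real traffic.
    if (not is_owned_host(host) and COMPANY in host
            and any(word in host for word in LURE_WORDS)):
        findings.append("lookalike-login-domain")
    blob = host + path
    if any(tool in blob for tool in REMOTE_ACCESS_TOOLS):
        findings.append("remote-desktop-download")
    if any(ext in blob for ext in COOKIE_EXTENSIONS):
        findings.append("cookie-editor-extension")
    return findings


def scan_proxy_log(log: str) -> list[tuple[str, str, list[str]]]:
    """Return (user, url, findings) for every proxy record that matches a TTP."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, user, url = line.split(maxsplit=2)
        findings = classify_url(url)
        if findings:
            alerts.append((user, url, findings))
    return alerts


def from_vpn_exit(ip: str) -> bool:
    """True if the source address falls inside a known VPN provider range."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_EXIT_RANGES)


def scan_auth_log(log: str) -> list[tuple[str, str]]:
    """Return (user, source_ip) for successful logins from VPN exit addresses.

    Failures are ignored: a *successful* login from a VPN exit is the signal
    that a stolen credential, cookie or session token is being replayed."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, user, result, src = line.split()
        if result == "success" and from_vpn_exit(src):
            hits.append((user, src))
    return hits


if __name__ == "__main__":
    for user, url, findings in scan_proxy_log(PROXY_LOG):
        print(f"PROXY  {user:6} {','.join(findings):28} {url}")
    for user, src in scan_auth_log(AUTH_LOG):
        print(f"AUTH   {user:6} successful login from VPN exit {src}")
```

On the constructed input this flags alice’s visit to the lookalike SSO domain (her visit to the real sso.coinbase.com is not flagged), bob’s AnyDesk download and cookie-editor extension, carol’s visit to the lookalike dashboard domain, and alice’s subsequent successful login from the VPN range. In a real deployment the domain rule should be fed from a DNS or proxy source, the VPN ranges from a maintained feed rather than a hard-coded tuple, and the two streams joined on the user so that “phishing page visited, then login from a VPN exit” raises one high-confidence alert rather than two weak ones.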

He also advised employees of any company with an online presence never to hand over information to anyone who contacts them first. “A simple best practice is to hang up the phone and use a trusted company phone number or chat technology to get help.”
