An unknown threat actor recently attempted to gain remote access to Coinbase's systems by stealing the login credentials of one of its employees.
Coinbase, the well-known cryptocurrency exchange, reported that during the breach the attacker obtained contact information belonging to several employees, but that no customer data or funds were compromised.
In line with its commitment to transparency, Coinbase has chosen to share the details of the incident with its employees, customers, and the wider community, in the belief that the information offers useful insight into the attack and raises awareness of this class of threat.
The disclosure is meant to help other companies recognize the tactics, techniques and procedures (TTPs) used by the threat actor and put suitable defensive measures in place against similar attacks.
Coinbase Breach
On Sunday, February 5, several Coinbase engineers received SMS messages from an unknown threat actor urging them to log into their company accounts through a link in order to receive an important message.
Most of the employees ignored the messages, but one was taken in, clicked the link and landed on a phishing page built to imitate the company login.
After entering their credentials, the employee was shown a message thanking them and telling them to disregard the SMS, unaware that their username and password had just been captured by the attacker.
The attacker then tried to log into Coinbase's internal systems with the stolen credentials, but was stopped because access required multi-factor authentication (MFA), which the attacker could not satisfy.
About 20 minutes later the attacker changed tactics and phoned the employee, posing as a member of Coinbase's IT team, and instructed them to log into their workstation and follow further directions.
Coinbase's Computer Security Incident Response Team (CSIRT) spotted the anomalous activity within about 10 minutes of the start of the attack and contacted the employee to ask about the unusual activity on their account.
Once the CSIRT got in touch, the employee realized the earlier call had been fraudulent and immediately stopped communicating with the attacker.
TTPs Observed
Coinbase has shared several TTPs observed during the attack that may help other organizations recognize and stop similar attempts:
- Monitor web traffic from your organization's assets to the following domains, where the asterisk (*) stands for your company's name:
- sso-*[.]com
- *-sso[.]com
- login.*-sso[.]com
- dashboard-*[.]com
- *-dashboard[.]com
- Watch for downloads, or attempted downloads, of the following remote desktop tools from these sources:
- AnyDesk (anydesk dot com)
- ISL Online (islonline dot com)
- Check for any attempt to reach your organization through a third-party VPN provider, specifically Mullvad VPN.
- Scrutinize any incoming phone calls and text messages that originate from the following providers:
- Google Voice
- Skype
- Vonage/Nexmo
- Bandwidth dot com
- Be alert to unexpected attempts to install particular browser extensions, such as EditThisCookie.
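As an added illustration (not code from the original article or from Coinbase), the following Python script turns the first two indicators above into a check over log lines: it flags hostnames that match the lookalike SSO/dashboard patterns once the company name is substituted, and requests to the AnyDesk and ISL Online sites, rating installer fetches higher than plain browsing. The company name "examplecorp", the proxy-log format (timestamp, user, URL) and the sample lines are all assumptions constructed for the example.

```python
"""Scan proxy-log lines for the domain indicators reported by Coinbase.

Added example: the company name, log format and sample lines below are
assumptions, not data from the incident.
"""
import re
from urllib.parse import urlsplit

# Assumption: your organization's name as an attacker would embed it in a
# lookalike domain (substitute your own).
COMPANY = "examplecorp"

# Lookalike patterns from the advisory, with '*' replaced by the company name.
LOOKALIKE_DOMAINS = [
    p.replace("*", COMPANY)
    for p in ("sso-*.com", "*-sso.com", "login.*-sso.com",
              "dashboard-*.com", "*-dashboard.com")
]

# Download sources of the remote desktop tools named in the advisory.
REMOTE_ACCESS_DOMAINS = ("anydesk.com", "islonline.com")

INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg")


def _domain_regex(domains):
    """Match a hostname that equals one of `domains` or is a subdomain of it."""
    alternatives = "|".join(re.escape(d) for d in domains)
    return re.compile(rf"^(?:[a-z0-9-]+\.)*(?:{alternatives})$", re.IGNORECASE)


LOOKALIKE_RE = _domain_regex(LOOKALIKE_DOMAINS)
REMOTE_ACCESS_RE = _domain_regex(REMOTE_ACCESS_DOMAINS)


def _split(url):
    """urlsplit() that tolerates the scheme-less URLs some proxies log."""
    return urlsplit(url if "://" in url else "http://" + url)


def classify(url):
    """Return the indicator a URL matches, or None if it matches nothing."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if LOOKALIKE_RE.match(host):
        return "lookalike-sso-domain"
    if REMOTE_ACCESS_RE.match(host):
        # Fetching an installer (or a download path) is the stronger signal;
        # merely browsing the vendor site is reported at lower severity.
        if path.endswith(INSTALLER_SUFFIXES) or "download" in path:
            return "remote-access-tool-download"
        return "remote-access-tool-site"
    return None


def scan_log(lines):
    """Return (timestamp, user, url, indicator) for each matching log line.

    Assumed log format: '<timestamp> <user> <url>' separated by whitespace.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash
        timestamp, user, url = fields[:3]
        indicator = classify(url)
        if indicator:
            hits.append((timestamp, user, url, indicator))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2023-02-05T20:14:03Z alice https://login.examplecorp-sso.com/auth?next=/home
2023-02-05T20:14:09Z alice https://sso.examplecorp.com/login
2023-02-05T20:31:44Z alice https://anydesk.com/en/downloads/windows
2023-02-05T20:32:10Z bob https://download.anydesk.com/AnyDesk.exe
2023-02-05T20:35:00Z carol https://www.islonline.com/
2023-02-05T20:40:12Z dave https://dashboard-examplecorp.com/
""".splitlines()


if __name__ == "__main__":
    for ts, user, url, indicator in scan_log(SAMPLE_LOG):
        print(f"{ts} {user} {indicator}: {url}")
```

The regex is anchored on the registrable domain, so the legitimate sso.examplecorp.com (dot, not hyphen) is left alone while any subdomain of a lookalike such as login.examplecorp-sso.com is caught; if your real SSO host happens to use one of these hyphenated forms, add it to an allow list before deploying the check.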
Incidents like this are never easy to talk about: they are embarrassing for the employees and security professionals involved and frustrating for management.
Social engineering actors are likely, at some point, to target employees of any company with a strong online presence that manages digital assets.
A multilayered defense, however, can make an attack so costly that even determined threat actors give up.
To protect both customer and corporate accounts, organizations should enforce multi-factor authentication (MFA) and, where possible, use physical security tokens, which cannot be captured by a phishing page the way a password can.