Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year.
Leveraging smishing and vishing, the attackers tried to trick Coinbase employees into sharing login credentials and installing remote desktop applications, and were only partly successful: the company’s incident response team quickly reacted to “unusual activity” alerts and, in the end, the attackers were unable to access customer information or steal funds.
How the Coinbase cyberattack unfolded
The attack started on a Sunday, February 5th, 2023, when a number of Coinbase employees received a text message saying that they needed to urgently log into the company systems via a provided link, so they could receive an important message.
Only one of the targeted employees fell for the ruse and entered their credentials into the provided phishing page. Armed with that info, the attackers tried to access company systems, but because they didn’t have the second authentication factor at hand, they were unsuccessful.
So they tried another tactic: getting the employee on the phone by impersonating Coinbase’s IT staff, convincing them to log into their workstation, and to install software that would allow the attackers to access the system without needing access credentials.
“Fortunately, our Computer Security Incident Response Team (CSIRT) was on top of this issue within the first 10 minutes of the attack,” Coinbase’s CISO Jeff Lunglhofer explained.
“Our CSIRT was alerted to unusual activity by our Security Incident and Event Management (SIEM) system. Shortly thereafter, one of our incident responders reached out to the victim via our internal Coinbase messaging system inquiring about some of the unusual behavior and usage patterns associated with their account. Realizing something was seriously wrong, the employee terminated all communications with the attacker. Our CSIRT team immediately suspended all access for the victimized employee and launched a full investigation.”
In the end, the attackers managed to get their hands on some employees’ names, e-mail addresses, and phone numbers, which they may end up using for social engineering attacks at a later date.
TTPs and risk mitigation advice
Lunglhofer did not share which second layer of authentication Coinbase employees use or whether the attackers even tried to get the employee to share their additional authentication factor – but having MFA set up blocked that avenue of attack, and the attackers were forced to switch to vishing.
I don’t doubt that the affected employees will be made to go through additional training to reinforce their awareness of tactics used in social engineering attacks but, as he noted, under the right circumstances nearly anyone can be a victim.
“Research shows again and again that all people can be fooled eventually, no matter how alert, skilled, and prepared they are,” he added. That’s why this type of training is just one of the many security layers companies should implement.
Coinbase has shared the tactics, techniques, and procedures (TTPs) employed by attackers so other organizations’ security teams can be on the lookout for. They include:
- Web traffic pointing to domains that combine the company name with the words sso, login, or dashbord, but do not belong to the company
- Attempted downloads of remote desktop apps like AnyDesk or ISL Online or installlation or browser extensions that allow editing cookies (e.g., EditThisCookie)
- Attempted access to company assets from a third party VPN provider
- Phone calls or text messages from services like Google Voice, Skype, Vonage (formerly Nexmo), etc.
“As a network defender you should expect to see login attempts to corporate applications from VPN services (e.g. Mullvad), using stolen credentials, cookies, or other session tokens. Attempts to enumerate customer support-focused applications, such as customer relationship management (CRM) applications, or employee directory applications. And you may see attempts to copy text-based data to free text or file sharing services (e.g., riseup.net),” he added.
He also advised employees of any and all companies with an online presence to never share any information with someone who reached out to them first. “A simple best practice is to hang up the phone and use a trusted phone number or company chat technology to reach out for help.”