Coinbase cyberattack targeted employees with fake SMS alert

Cryptocurrency exchange platform Coinbase has disclosed that an unknown threat actor stole the login credentials of one of its employees in an attempt to gain remote access to the company’s systems.

As a result of the intrusion, the attacker obtained some contact information belonging to multiple Coinbase employees, the company said, adding that customer funds and data remained unaffected.

“Coinbase’s cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was exposed” – Coinbase

Coinbase has shared the findings of its investigation to help other companies identify the threat actor’s tactics, techniques, and procedures (TTPs) and set up appropriate defenses.

Attack details

The attacker targeted several Coinbase engineers on Sunday, February 5 with SMS alerts urging them to log into their company accounts to read an important message.

While most employees ignored the messages, one of them fell for the trick and followed the link to a phishing page. After entering their credentials, they were thanked and prompted to disregard the message.

In the next phase, the attacker tried to log into Coinbase’s internal systems using the stolen credentials but failed because access was protected with multi-factor authentication (MFA).

Roughly 20 minutes later, the attacker moved to another strategy. They called the employee claiming to be from the Coinbase IT team and directed the victim to log into their workstation and follow some instructions.

“Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers” – Coinbase

Coinbase’s CSIRT detected the unusual activity within 10 minutes of the start of the attack and contacted the victim to inquire about unusual recent activities from their account. The employee then realized something was wrong and terminated communications with the attacker.

Defending

Coinbase has shared some of the observed TTPs that other companies could use to identify a similar attack and defend against it: 

  • Any web traffic from the company’s technology assets to specific addresses, including sso-*.com, *-sso.com, login.*-sso.com, dashboard-*.com, and *-dashboard.com
  • Any downloads or attempted downloads of specific remote desktop viewers, including AnyDesk (anydesk[.]com) and ISL Online (islonline[.]com)
  • Any attempts to access the organization from a third-party VPN provider, specifically Mullvad VPN
  • Incoming phone calls/text messages from specific providers, including Google Voice, Skype, Vonage/Nexmo, and Bandwidth
  • Any unexpected attempts to install specific browser extensions, including EditThisCookie

Will Thomas of the Equinix Threat Analysis Center (ETAC) found some additional Coinbase-themed domains that match the company description, which were possibly used in the attack:

  • sso-cbhq[.]com
  • sso-cb[.]com
  • coinbase[.]sso-cloud[.]com
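The first two indicators in Coinbase's list, applied to web-proxy logs and checked against the domains above, as an added example that is not Coinbase's code or part of the original article. It assumes the address patterns use `*` as a wildcard and a log format of `time client method url`; the log lines and host names in `SAMPLE_LOG` are constructed.

```python
import re
from urllib.parse import urlsplit

# Address patterns from the list above, with '*' read as a wildcard (assumption).
DOMAIN_PATTERNS = ("sso-*.com", "*-sso.com", "login.*-sso.com",
                   "dashboard-*.com", "*-dashboard.com")
REMOTE_TOOL_DOMAINS = ("anydesk.com", "islonline.com")  # viewers named above

def _compile(pattern):
    # '*' stays inside one DNS label; the (?:^|\.) prefix also matches the
    # pattern under any subdomain, e.g. coinbase[.]sso-cloud[.]com for sso-*.com.
    body = re.escape(pattern).replace(r"\*", "[a-z0-9-]+")
    return re.compile(r"(?:^|\.)" + body + "$")

COMPILED = [(p, _compile(p)) for p in DOMAIN_PATTERNS]

def host_of(value):
    """Hostname from a URL or bare domain; accepts defanged '[.]' notation."""
    value = value.strip().lower().replace("[.]", ".")
    url = value if "://" in value else "//" + value
    return (urlsplit(url).hostname or "").rstrip(".")

def classify(value):
    """Return (reason, indicator) if the host matches a listed TTP, else None."""
    host = host_of(value)
    for pattern, rx in COMPILED:
        if rx.search(host):
            return ("phishing-domain-pattern", pattern)
    tool = next((t for t in REMOTE_TOOL_DOMAINS if ("." + host).endswith("." + t)), None)
    return ("remote-desktop-download", tool) if tool else None

def scan(lines):
    """Flag proxy log lines of the assumed form: time client method url."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        hit = classify(fields[3]) if len(fields) >= 4 else None
        if hit:
            hits.append((number, fields[1], host_of(fields[3])) + hit)
    return hits

SAMPLE_LOG = [  # constructed lines, not taken from the incident
    "18:02:11 wks-0142 GET https://sso-examplecorp.com/login",
    "18:25:09 wks-0142 GET https://download.anydesk.com/AnyDesk.exe",
    "18:26:00 wks-0077 GET https://lasso-tools.com/",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Anchoring each pattern at a label boundary keeps look-alikes such as `lasso-tools.com` out of the results while still catching a pattern registered as a parent domain; an organization's own legitimate SSO host would need an allowlist entry before this runs in production.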

It is worth noting that the attacker’s modus operandi is similar to what was observed during the Scatter Swine/0ktapus phishing campaigns last year.

According to cybersecurity company Group-IB, the threat actor stole almost 1,000 corporate access logins by sending phishing links over SMS to company employees.

[Figure: 0ktapus phishing attack (source: Group-IB)]

Employees of companies that manage digital assets and have a strong online presence are bound to be targeted by social engineering actors at some point.

Adopting a multi-layered defense can make an attack sufficiently challenging for most threat actors to give up. Implementing MFA protection and the use of physical security tokens can help protect both consumer and corporate accounts.

Source: www.bleepingcomputer.com