Cryptocurrency exchange Coinbase has described how it was targeted by, and foiled, "a sophisticated, highly targeted, thought out attack" aimed to access its systems and presumably to make off with some of the billions of dollars'-worth of cryptocurrency it holds.
In an Aug. 8 blog post that sets out in technical detail how the plot unfolded and how the exchange countered the attempted theft, Coinbase said the hackers used a combination of means to try and hoodwink staff and access vital systems – methods that included spear phishing, social engineering and browser zero-day exploits.
The attack had started on May 30, with a dozen staff being sent emails that purported to be from Gregory Harris, a Research Grants Administrator at the University of Cambridge. Far from random, these cited the employees' past histories and requested help with judging projects competing for an award.
The attackers developed email conversations with several staffers, holding back from sending any malicious code until June 17, when "Harris" sent another email, containing a URL that, when opened in Firefox, would install malware capable of taking over someone’s machine.
Coinbase said that, "within a matter of hours, Coinbase Security detected and blocked the attack."
The first stage of the attack, the post indicates, first identified the OS and browser on the intended victims' machines, displaying a "convincing error" to macOS users who were not using the Firefox browser, and prompting them to install the latest version of the app.
Once the emailed URL was visited with Firefox, the exploit code was delivered from a different domain, that had been registered on May 28. It was at this point that the attack was identified, "based on both a report from an employee and automated alerts," Coinbase said.
Its analysis found that stage two would have seen another malicious payload delivered in the form of a variant of the Mac-targeting backdoor malware called Mokes.
Notably, the former was discovered by Samuel Groß of Google’s Project Zero at the same time as the attacker, though Coinbase played down the likelihood that the hacking team had gained the information on the vulnerability via that source. Groß addresses that in a Twitter thread.
In another sign of the sophistication of the hacking team – labeled by Coinbase as CRYPTO-3 or HYDSEVEN – it took over or created two email accounts and created a landing page at the University of Cambridge.
After discovering the single affected computer at the company, Coinbase said it revoked all credentials on the machine, and locked all the staffer's accounts.
"Once we were comfortable that we had achieved containment in our environment, we reached out to the Mozilla security team and shared the exploit code used in this attack," the exchange said. "The Mozilla security team was highly responsive and was able to have a patch out for CVE-2019–11707 by the next day and CVE-2019–11708 in the same week."
Coinbase also contacted Cambridge University to report and help fix the issue, as well as to gain more information on the attacker’s methods.
Coinbase CEO Brian Armstrong via CoinDesk archives
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.