Coinbase Hacked: Confirms sensitive data stolen after hackers breached internal systems
Coinbase becomes the latest victim of a cyber attack in which an unidentified threat actor made significant efforts to breach the internal systems of one of the world’s leading cryptocurrency exchange platforms through a phishing attack.
In a blog post on its website, Coinbase confirmed that data from its corporate directory was exposed after cyber attackers succeeded in breaching its systems. In a statement, Coinbase said:
“Coinbase recently experienced a cybersecurity attack that targeted one of its employees. Fortunately, Coinbase’s cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was exposed.”
Although Coinbase said that customer funds, as well as customer data, are secure, cybersecurity firm Group-IB added that the threat actor stole almost 1,000 corporate access logins by sending phishing links over SMS to company employees.
The cybercriminal initially targeted Coinbase employees by sending five phishing SMS messages urging them to urgently log into their company accounts and read an important message. The messages contained a link that mimicked the Coinbase corporate login page, but it was actually a malicious landing page designed to steal sensitive data.
While most employees were not fooled by the phishing, one employee fell for the scam and gave the hackers their login credentials. However, the account was protected with multi-factor authentication (MFA), which limited what the hackers could do with the stolen password. Nonetheless, they didn’t give up: they called the victim, pretending to be the company’s IT department, and instructed the victim to log in to their workstation and follow a series of steps.
Coinbase reported that it took its CSIRT (Computer Security Incident Response Team) approximately ten minutes to identify the attack and contact the victim regarding the suspicious activity. The victim promptly recognized they were being defrauded and ended communication with the attacker.
The current campaign shares similarities with last year’s Scatter Swine/0ktapus phishing campaigns, which, according to Group-IB, resulted in almost 1,000 stolen corporate access logins harvested through phishing SMS messages. Despite this, the party responsible for the recent attack remains unknown.
Below, Coinbase explained how the attack happened.
“Tl;dr – Coinbase recently experienced a cybersecurity attack that targeted one of its employees. Fortunately, Coinbase’s cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was exposed. Coinbase believes in transparency, and we want our employees, customers, and the community to hear the details of this attack and to share the Tactics, Techniques, and Procedures (TTPs) used by this adversary so everyone can better protect themselves.
Coinbase customers and employees are frequent targets of fraudsters. The reason is simple – currency in any form, including crypto, is exactly what cybercriminals are after. It’s not hard to understand why so many adversaries are constantly looking for ways to make a quick profit.
Dealing with such a large number of adversaries and cybersecurity challenges is one of the reasons why I find Coinbase to be such an interesting place to work. In this article we will discuss an actual cyber attack and associated cyber incident we recently dealt with here at Coinbase. While I am very happy to say that in this case no customer funds or customer information were impacted, there are still valuable lessons to be learned. At Coinbase we believe in transparency. By talking openly about security issues like this I believe we make the whole community safer and more security aware.
Our story starts late in the day on Sunday February 5th, 2023. Several employee mobile phones start to alert with SMS messages indicating that they need to urgently log in via the link provided to receive an important message. While the majority ignore this unprompted message – one employee, believing that it’s an important and legitimate message, clicks the link and enters in their username and password. After “logging in”, the employee is prompted to disregard the message and thanked for complying.
What happened next was that the attacker, equipped with a legitimate Coinbase employee username and password, made repeated attempts to gain remote access to Coinbase. Fortunately our cyber controls were ready. The attacker was unable to provide the required Multi Factor Authentication (MFA) credentials – and was blocked from gaining access. In many cases, that would be the end of the story. But this wasn’t just any attacker. We believe this individual is associated with a highly persistent and sophisticated attack campaign that has been targeting scores of companies since last year.
About 20 minutes later our employee’s mobile phone rang. The attacker claimed to be from Coinbase corporate Information Technology (IT) and they needed the employee’s help. Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious. Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers.
Fortunately, our Computer Security Incident Response Team (CSIRT) was on top of this issue within the first 10 minutes of the attack. Our CSIRT was alerted to unusual activity by our Security Incident and Event Management (SIEM) system. Shortly thereafter, one of our incident responders reached out to the victim via our internal Coinbase messaging system inquiring about some of the unusual behavior and usage patterns associated with their account. Realizing something was seriously wrong, the employee terminated all communications with the attacker.
Our CSIRT team immediately suspended all access for the victimized employee and launched a full investigation. Because of our layered control environment, there were no funds lost and no customer information was compromised. The clean-up was relatively quick, but still – there are a lot of lessons to be learned here.
Anyone can be social engineered
Humans are social creatures. We want to get along. We want to be part of the team. If you think you can’t be fooled by a well executed social engineering campaign – you are kidding yourself. Under the right circumstances nearly anyone can be a victim.
The most difficult attack of all to resist is a direct contact social engineering attack, like the one our employee suffered here. This is where the attacker directly contacts you via social media, your mobile phone, or even worse, walks up to your home or place of business. These attacks aren’t new. In fact, these kinds of attacks have certainly been happening since the early days of humanity. It’s a favorite tactic of adversaries everywhere – because it works.
So what do we do? How do we stop this from happening?
I would like to say this is just a training problem. That customers, employees and people everywhere need to be better trained. They need to do better – there will always be some truth to that. But as cybersecurity professionals, that can’t be the solution excuse we reach for every time this happens. Research shows again and again that all people can be fooled eventually, no matter how alert, skilled, and prepared they are. We must always work from the assumption that bad things will happen. We need to be constantly innovating to blunt the effectiveness of these attacks while also striving to improve the overall experience of our customers and employees.
Can you share any Tactics, Techniques, and Procedures (TTPs)?
We sure can. Given the broad scope of companies being targeted by this actor we want everyone to know what we know. Here’s a few specific things we recommend you look for in your corporate logs / SIEM:
Any web traffic from your technology assets to the following addresses, where * represents your company or organization name:
sso-*.com
*-sso.com
login.*-sso.com
dashboard-*.com
*-dashboard.com
Any downloads or attempted downloads of the following remote desktop viewers:
AnyDesk (anydesk dot com)
ISL Online (islonline dot com)
Any attempts to access your organization from a third party VPN provider, specifically Mullvad VPN.
Incoming phone calls / text messages from the following providers:
Google Voice
Skype
Vonage/Nexmo
Bandwidth dot com”
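The web-log indicators in the TTP list above (look-alike SSO/dashboard domains, remote desktop tool downloads, and access from a third-party VPN) can be swept for with a short triage script. The following is an added example, not Coinbase's own tooling: it assumes a simple space-separated proxy log format, a constructed organisation name "examplecorp", and an operator-supplied set of VPN egress addresses (placeholder values, not real Mullvad ranges); the phone/SMS provider indicators are out of scope for a proxy-log sweep.

```python
import re
from typing import Iterable

# Suspicious host templates from the TTP list; "*" stands for the organisation name.
DOMAIN_TEMPLATES = ["sso-*.com", "*-sso.com", "login.*-sso.com",
                    "dashboard-*.com", "*-dashboard.com"]
# Remote desktop tools named in the TTP list (defanged on the page as "dot com").
RAT_DOMAINS = {"anydesk.com", "islonline.com"}


def build_lookalike_regex(org: str) -> re.Pattern:
    """Expand the wildcard templates for one organisation into a single anchored regex."""
    alts = [re.escape(t).replace(r"\*", re.escape(org)) for t in DOMAIN_TEMPLATES]
    return re.compile(r"^(?:" + "|".join(alts) + r")$", re.IGNORECASE)


def triage_proxy_logs(lines: Iterable[str], org: str, vpn_egress: set) -> list:
    """Scan 'ts user src_ip dest_host path' records and return one finding per hit.

    vpn_egress: source IPs the operator attributes to a third-party VPN provider
    (the page names Mullvad VPN); supplied by the caller, never hard-coded here.
    """
    lookalike = build_lookalike_regex(org)
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of aborting the sweep
        ts, user, src_ip, host, path = parts
        host = host.lower()
        reasons = []
        if lookalike.match(host):
            reasons.append("lookalike SSO/dashboard domain")
        if host in RAT_DOMAINS or host.endswith(tuple("." + d for d in RAT_DOMAINS)):
            reasons.append("remote desktop tool download")
        if src_ip in vpn_egress:
            reasons.append("access via third-party VPN egress")
        if reasons:
            findings.append({"ts": ts, "user": user, "host": host, "reasons": reasons})
    return findings


# Constructed sample records mirroring the sequence described in the post.
SAMPLE_LOGS = [
    "2023-02-05T22:14:03Z alice 10.0.0.5 sso-examplecorp.com /login",
    "2023-02-05T22:14:40Z alice 10.0.0.5 intranet.examplecorp.com /home",
    "2023-02-05T22:36:11Z alice 10.0.0.5 download.anydesk.com /AnyDesk.exe",
    "2023-02-05T22:40:02Z alice 198.51.100.7 vpn.examplecorp.com /connect",
]
VPN_EGRESS = {"198.51.100.7"}  # constructed placeholder, not a real VPN provider address

if __name__ == "__main__":
    for finding in triage_proxy_logs(SAMPLE_LOGS, "examplecorp", VPN_EGRESS):
        print(finding)
```

Run against a real proxy export, the three reason strings map directly onto the three web-observable TTPs, so a single user tripping more than one within minutes mirrors the timeline Coinbase describes.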