Bitcoin Forum
Author Topic: Coinbase thwarts multiple zero day targeted attacks  (Read 182 times)
PrimeNumber7 (OP)
August 09, 2019, 04:06:18 PM
 #1

https://blog.coinbase.com/responding-to-firefox-0-days-in-the-wild-d9c85a57f15b?gi=9fcadcfc2ba8

Coinbase announced in the above blog post that they were the subject of a targeted, sophisticated attack involving two zero day attacks involving Firefox.

In short, the attackers took over an email address in the Cambridge University domain and sent emails to multiple Coinbase employees. After having an extended conversation with the employees, the attacker sent a link to a malicious site containing JavaScript code that allowed multiple zero-day exploits to be executed on the victims' machines. Coinbase quickly detected the exploits, revoked system access for those affected and, once they were confident their systems and networks were safe, reported the exploits to Firefox.

What do you think? Does this give you more or less confidence in exchanges in general? In Coinbase? In other major exchanges?
mk4
August 09, 2019, 04:49:34 PM
Merited by PrimeNumber7 (1)
 #2

  • Compromised Cambridge accounts
  • Firefox vulnerabilities
  • Specifically targeted towards Coinbase employees

This definitely looks like a very planned attack. The hackers aren't playing around. Comes to show how deep and serious they need to go to have a decent chance of attacking these bigger exchanges. Meanwhile, QuadrigaCX...

To answer your question, I'd say I'd probably give some props to Coinbase for quickly containing the attack and successfully preventing any damage, even though I have no idea what the hackers would be able to obtain if the attack became successful. As for exchanges in general? I've always thought some of the big exchanges are really taking security really really seriously. I still won't take any chances though.

PrimeNumber7 (OP)
August 10, 2019, 06:24:55 PM
 #3



This definitely looks like a very planned attack.
The amount of time spent planning the attack was likely very short because one of the vulnerabilities was only possible for a short time before the attack was launched. It was nevertheless very well thought out.

The initial email was sent to several hundred employees, while the malicious link was only sent to a handful of employees. This leads me to believe (as was speculated in Coinbase's blog post) that the initial email was in part designed to determine how much access each employee has. The goal was likely to either steal coin from their hot wallet or change deposit addresses displayed to customers.

I would say that most would probably be surprised as to how much effort goes into security on major exchanges. It isn’t every day that you hear that a company detected a zero day vulnerability and was able to thwart it.
mk4
August 11, 2019, 02:31:04 AM
 #4


Well, the vulnerability was only there for a short period because Coinbase reported it immediately to Mozilla to get it fixed. Also remember that the attackers had to get access to Cambridge University emails. Unless the security is just simply that bad, it probably should've taken a bit of time for them to gain access.

gentlemand
August 11, 2019, 09:25:28 AM
 #5

What do you think? Does this give you more or less confidence in exchanges in general? In Coinbase? In other major exchanges?

I can't say I'm exactly blown away by their forensic skills.

This is just the same old hacker MO, trick people into installing some malware, with perhaps a little more patience and thought than usual.

And I'm not reassured. How does some average employee computer lead to exchange funds getting lost? Why is there any type of possible link between that computer and exchange funds?
mk4
August 11, 2019, 02:30:26 PM
 #6

And I'm not reassured. How does some average employee computer lead to exchange funds getting lost? Why is there any type of possible link between that computer and exchange funds?

Same thoughts. I don't think the hacker could directly access something that important through an employee's computer. I'm guessing more that the hacker could probably gain access to a certain employee's computer, and probably use their emails to send Coinbase phishing links to a small email list that the employee has access to.

figmentofmyass
August 11, 2019, 05:36:13 PM
 #7

this story doesn't increase my confidence in coinbase at all. it just makes me think they're assclowns for publishing this embarrassing PR puff piece. in fact, it gives me the distinct feeling that coinbase is gonna get hacked in the future.

worth cross-posting:

doesn't sound very sophisticated at all

"our employees, who have externally reachable email and sufficient account rights to handle funds, did not fall for a phishing email"

Coinbase are not just lying scumbags (they have a history of lying to customers), they're also hilariously incompetent while actually attempting a positive PR story. Quite frankly, ROFL

seriously, did anybody read the phishing emails? they literally read like a Nigerian bank wire scam. any employee who would fall for those is a literal retard. and the blog further implies that compromising these employee machines constituted a serious risk.

security-first culture at coinbase? i think not!

LeGaulois
August 11, 2019, 07:06:12 PM
 #8

It doesn't change my opinion, negatively or positively. Coinbase isn't the first and won't be the last. At least no bitcoins were drained out. The method used is tricky, but it happens a lot to different companies.

Just a clarification: some university portals provide .edu email addresses accessible to everyone and not only to students. It has become rarer with all the abuses but is certainly still possible. It shouldn't be difficult to find one for 5 bucks.

PrimeNumber7 (OP)
August 12, 2019, 06:15:42 AM
 #9


Well, the vulnerability was only there for a short period because Coinbase reported it immediately to Mozilla to get it fixed.
One of the vulnerabilities was only possible for a short time because a change to Firefox was made a short time before the attack was launched that made the vulnerability possible. I suspect many vulnerabilities are possible for a long time, but go undiscovered and unexploited for most of the life of the vulnerability.

How does some average employee computer lead to exchange funds getting lost? Why is there any type of possible link between that computer and exchange funds?
My understanding is many employees were sent the initial email, and the exploit was sent to a small number of employees in a subsequent email. The attacker presumably communicated with the employees to gauge how much access each employee had. There are presumably employees that have access to the servers that hold the private keys to their hot wallet.
