One of the most popular Exchange platforms in the community, Coinbase, has revealed that it has been the target of a carefully targeted and very well thought out attack, with which it intended to access the platform’s systems. The company said they succeeded in frustrating the attack and protecting user cryptocurrencies.
It has been reported that the attack on Coinbase was based on a million dollar cryptocurrency hit for the Exchange, where billions of $ valued in these digital assets would be lost.
Coinbase said that during the attack the hackers used a combination of methods to try to deceive staff members and access vital systems, according to a blog post, which sets out technical details about how events were triggered and how The exchange house countered the theft. These mentioned methods included data theft, social engineering and exploits in the search engine with a zero day or zero day attack.
The attack began on May 30, when dozens of staff members received emails that were allegedly sent by Gregory Harris, a research scholarship administrator at the University of Cambridge. Far from being random, these emails cited stories of employees’ past and asked for help in judging projects competing for a prize.
In this regard, Coinbase commented:
“This email came from a legitimate Cambridge domain. It contained no malicious elements, passed the spam detectors, and referred to the background of the recipients. During the following weeks, similar emails were received. Nothing seemed wrong.”
The Exchange reported that the hacker was in conversations through email with several staff members, keeping out from sending any kind of malware until June 17, when “Harris” decided to send an infected email with a dangerous URl that, once it is opened in Firefox, puts a malicious code capable of taking control over any computer.
Coinbase said that “in a matter of hours, the security of the exchange detected and blocked the attack.” This demonstrates the importance of having a good security system that can alert (in time) the intrusion of hackers, thus preventing large losses of capital within the platform.
According to the publication, the first phase of the attack first identified the operating system and the search engine on the victim’s machine, displaying a convincing error in the Mac operating system of users who were not using the Firefox browser, urging them to install the Latest version of the application.
Once the email URL was visited with the Firefox browser, the cheat code was sent from a different domain, which had been registered on May 28. At this point, it is safe to say that the attack was identified, “based on both an employee’s report and automatic alerts,” Coinbase said.
His analysis revealed that in the second stage another malicious load would have been delivered that would be sent in the form of a malware variant for Mac, called Mokes.
In particular, the first was discovered by Samuel Groß, of the Google Zero project, at the same time that the attack was taking place. Even so, Coinbase minimized the likelihood that the pirate team had obtained information about the vulnerability through this source. Groß referred to this in a Twitter thread.
Another example of how sophisticated the attacking pirate team is, labeled by Coinbase as CRYPTO-3 or HYDSEVEN, is that they took or created two email accounts and created a reception page on the Cambridge University website.
“We do not know when the attackers gained access to Cambridge accounts, or if the accounts were created or stolen. As others may have noticed, the identities associated with the email accounts have almost no online presence, and the profiles in LikedIn are almost completely false.”
After discovering the only infected computer in the company, Coinbase said it revoked all the credentials of the machine, and blocked all personnel accounts.
“Once we were sure that we had achieved the containment of our environment, we went to the Mozilla security team and shared the deception code used in this attack,” the exchange stated, also ensuring that the Mozilla Firefox security team did A good job of acting responsively and developing a CVE-2019-11707 patch for the next day, and one for the CVE-2019-11708 in the same week.
Coinbase also contacted the University of Cambridge to report the case and help them solve the problems, as well as to obtain more information about the attackers’ method.
This attempt is only part of a long list of security breaches within different Exchange platforms, and unfortunately, not all have been able to detect the problem in time. Binance, led by Changpeng Zhao, has also received a couple of hard hits with hackers. The first major case of hacking in Binance resulted in the loss of 7,000 BTC and extortion of 300 BTC was recently reported, using the alleged KYC user data to threaten the Exchange.