Crypto exchange Coinbase has reported a recent cyber attack that targeted one of its employees, resulting in the theft of login credentials and the exposure of some contact information belonging to multiple employees. However, the company’s cyber controls prevented the attacker from gaining direct system access, and no customer data or funds were compromised.
“Coinbase recently experienced a cybersecurity attack that targeted one of its employees. Fortunately, Coinbase’s cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was exposed.” (Coinbase Team)
How the attack occurred
According to Coinbase, on February 5, several employees received SMS messages indicating they urgently needed to log in to receive an important message. While most employees ignored the message, one employee clicked the link and entered their login information, thinking it was a legitimate message. The attacker, equipped with a legitimate Coinbase employee username and password, made repeated attempts to gain remote access to the company but could not provide the required Multi-Factor Authentication (MFA) credentials, which blocked their access.
Subsequently, the attacker called the employee and claimed to be from Coinbase’s corporate Information Technology (IT) department, seeking the employee’s help. The employee, believing the caller to be a legitimate Coinbase IT staff member, logged into their workstation and followed the attacker’s instructions. As the conversation progressed, however, the requests became more and more suspicious, and the employee grew wary of the caller.
Coinbase reassured its customers that no funds or customer information were compromised, and only a limited amount of data from the corporate directory was exposed. The incident highlights the importance of strong cyber controls and employee awareness in preventing successful cyber attacks.
Coinbase shared some key tactics, techniques, and procedures (TTPs) that other crypto companies can use to identify and defend against a similar attack.
The TTPs include monitoring web traffic from the company’s technology assets to hostnames matching specific wildcard patterns, namely sso-*.com, *-sso.com, login.*-sso.com, dashboard-*.com, and *-dashboard.com. Coinbase also says it is vital to monitor downloads or attempted downloads of specific remote desktop viewers, including AnyDesk and ISL Online, and any attempts to access the organization from a third-party VPN provider, specifically Mullvad VPN.
Furthermore, Coinbase also shared that crypto companies should be vigilant of incoming phone calls/text messages from specific providers, including Google Voice, Skype, Vonage/Nexmo, and Bandwidth. They should also monitor unexpected attempts to install specific browser extensions, including EditThisCookie.
According to Will Thomas of the Equinix Threat Analysis Center (ETAC), some additional Coinbase-themed domains, such as sso-cbhq[.]com, sso-cb[.]com, and coinbase[.]sso-cloud[.]com, were possibly used in the attack. Notably, the attacker’s modus operandi is similar to what was observed during the Scatter Swine/0ktapus phishing campaigns last year.
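The indicators above are easy to turn into a detection that runs over web-proxy logs. The following Python script is an added example, not code from Coinbase or from the researchers cited here: it encodes the five wildcard hostname patterns from Coinbase’s TTP list, checks each logged hostname both as a full hostname and by its registered domain (so that a host such as coinbase[.]sso-cloud[.]com is caught by sso-*.com), and flags downloads of the named remote desktop tools, Mullvad VPN, and the EditThisCookie extension. The space-separated log format, the sample log lines, and the substring markers used to recognise the tools are all assumptions constructed for this example; the ETAC domains are refanged from the defanged form quoted above.

```python
import fnmatch
import re

# Wildcard hostname patterns published by Coinbase in its TTP list.
HOST_PATTERNS = [
    "sso-*.com",
    "*-sso.com",
    "login.*-sso.com",
    "dashboard-*.com",
    "*-dashboard.com",
]

# Tools Coinbase named. The substring markers are an assumption for this example:
# a real deployment would match on vendor domains, hashes, or EDR process events.
REMOTE_TOOL_MARKERS = {"anydesk": "AnyDesk", "islonline": "ISL Online"}
VPN_MARKERS = {"mullvad": "Mullvad VPN"}
EXTENSION_MARKERS = {"editthiscookie": "EditThisCookie"}

# Assumed log format (constructed for this example):
#   <timestamp> <user> <source-ip> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)$")
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def refang(host):
    """Turn a defanged indicator such as sso-cb[.]com back into a hostname."""
    return host.replace("[.]", ".").lower().rstrip(".")


def registered_domain(host):
    """Naive registered domain (last two labels). Use a public-suffix list in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def match_host(host):
    """Return the first Coinbase pattern the host or its registered domain matches, else None."""
    host = refang(host)
    for pattern in HOST_PATTERNS:
        for candidate in (host, registered_domain(host)):
            # fnmatch's "*" also spans dots, so evil.example-sso.com still matches *-sso.com.
            if fnmatch.fnmatchcase(candidate, pattern):
                return pattern
    return None


def classify(url):
    """Return (category, detail) for a suspicious URL, or None if nothing matches."""
    m = URL_HOST_RE.match(url)
    if not m:
        return None
    host = refang(m.group(1))
    pattern = match_host(host)
    if pattern:
        return ("lookalike-sso-host", f"{host} matches {pattern}")
    lowered = url.lower()
    for markers, category in (
        (REMOTE_TOOL_MARKERS, "remote-desktop-download"),
        (VPN_MARKERS, "third-party-vpn"),
        (EXTENSION_MARKERS, "browser-extension-install"),
    ):
        for needle, name in markers.items():
            if needle in lowered:
                return (category, name)
    return None


def scan_log(text):
    """Parse proxy log lines and return (timestamp, user, category, detail) for each hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        hit = classify(m.group("url"))
        if hit:
            findings.append((m.group("ts"), m.group("user"), hit[0], hit[1]))
    return findings


# Constructed sample log for this example; none of these events are from the incident.
SAMPLE_PROXY_LOG = """\
2023-02-05T09:12:44Z alice 10.1.2.3 GET https://sso-cbhq.com/login
2023-02-05T09:13:01Z alice 10.1.2.3 GET https://coinbase.sso-cloud.com/auth
2023-02-05T09:20:15Z bob 10.1.2.9 GET https://download.anydesk.com/AnyDesk.exe
2023-02-05T09:25:30Z bob 10.1.2.9 GET https://mullvad.net/download
2023-02-05T09:26:02Z bob 10.1.2.9 GET https://chrome.google.com/webstore/detail/editthiscookie
2023-02-05T09:30:00Z carol 10.1.2.7 GET https://intranet.example.com/home
"""

if __name__ == "__main__":
    for ts, user, category, detail in scan_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {user:6} {category:26} {detail}")
```

Two caveats before deploying something like this: a company whose own SSO portal is legitimately named sso-corp.com will match sso-*.com, so allowlist your known-good identity hosts first; and the two-label registered-domain heuristic is wrong for suffixes such as co.uk, which is why production code should use a public-suffix list.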
Group-IB, the cybersecurity company that tracked the 0ktapus campaign, also reported that the threat actor stole almost 1,000 corporate access logins by sending phishing links over SMS to company employees.