Coinbase discloses its own case: how hackers penetrated layer by layer through social engineering


Compilation|GaryMa Wu on blockchain

Original article link:

https://www.coinbase.com/blog/social-engineering-a-coinbase-case-study

Overview

Coinbase recently experienced a network security attack targeting one of its employees. Fortunately, Coinbase’s network security measures prevented the attacker from directly accessing the system and prevented any financial loss or customer information leakage. Only a portion of the data from our company directory was leaked. Coinbase believes in transparency, and we want our employees, customers, and the community to understand the details of this attack and share the tactics, techniques, and procedures (TTP) used by the attacker so that everyone can better protect themselves.

Coinbase’s customers and employees are often targeted by scammers. The reason is simple: any form of currency, including cryptocurrencies, is a target for cybercriminals. It is easy to understand why so many attackers are constantly looking for quick ways to profit.

Dealing with such a large number of attackers and cybersecurity challenges is one of the reasons why I think Coinbase is an interesting workplace. In this article, we will discuss an actual network attack and related network events that we recently dealt with at Coinbase. While I am pleased to say that in this case, no customer funds or customer information were affected, there are still valuable lessons to be learned. At Coinbase, we believe in transparency. By openly discussing such security issues, I believe we can make the entire community safer and more security-conscious.

Our story begins on the evening of Sunday, February 5, 2023. Several employees’ phones started receiving text message alerts indicating that they needed to urgently log in through the provided link to receive important information. While most people ignored this unsolicited message, one employee believed it to be an important legitimate message and clicked on the link, entering their username and password. After “logging in,” the employee was prompted to disregard the message and thanked for their compliance.

What happened next was that the attacker used the legitimate Coinbase employee username and password to attempt remote access to Coinbase multiple times. Fortunately, our network security control system was prepared. The attacker could not provide the required multi-factor authentication (MFA) credentials and was thus blocked from entry. In many cases, this would be the end of the story. But this was not an ordinary attacker. We believe this individual is associated with a highly persistent and sophisticated campaign that has been targeting numerous companies since last year.

Approximately 20 minutes later, our employee’s phone rang. The attacker claimed to be from Coinbase’s Information Technology department and requested the employee’s assistance. Believing they were speaking with a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. This initiated a back-and-forth between the attacker and the increasingly suspicious employee. As the conversation progressed, the requests became more and more suspicious. Fortunately, no funds were taken, and no customer information was accessed or viewed. However, some limited contact information of our employees was obtained, including employee names, email addresses, and some phone numbers.

Luckily, our Computer Security Incident Response Team (CSIRT) was able to identify this issue within the first 10 minutes of the attack. Our security incident and management system alerted us to abnormal activity. Shortly after, our incident responders contacted the victim through our internal Coinbase messaging system to inquire about any abnormal behavior and usage patterns related to their account. Once the employee realized there was a serious problem, all communication with the attacker was immediately terminated.

Our CSIRT team promptly suspended all access privileges for the affected employee and initiated a comprehensive investigation. Due to our layered control environment, there was no financial loss or customer information leakage. The cleanup process was relatively swift, but there were still many lessons to be learned.

Anyone can fall victim to social engineering attacks

Humans are social creatures. We desire harmonious relationships and want to be part of a team. If you believe that you cannot be deceived by a well-planned social engineering attack, you are deceiving yourself. In the right circumstances, almost anyone can become a victim.

The most difficult attacks to resist are direct contact social engineering attacks, just like the one our employees experienced here. Attackers reach out to you directly through social media, your phone, or even worse, by physically entering your home or business premises. These attacks are not new. In fact, they have been happening since early human history. It is one of the attackers’ favorite strategies because it is effective.

So what do we do? How do we prevent this from happening?

I would say it is simply a training issue. Customers, employees, and everyone else need better training; they need to do better. This statement always has some truth to it. But as cybersecurity professionals, it cannot be an excuse every time we encounter such a situation. Study after study has shown that everyone can ultimately be deceived, no matter how alert, skilled, and prepared they are. We must always start from the premise that bad things can happen. We need to constantly innovate to weaken the impact of these attacks while striving to improve the overall experience of our customers and employees.

Can you share some Tactics, Techniques, and Procedures (TTP)?

Of course. Considering that this attacker is targeting a wide range of companies, we want everyone to know what we know. Here are some specific things we recommend you look for in your Enterprise Log/Security Information and Event Management System (SIEM):

Any web traffic to the following addresses, where * represents your company or organization name:

● sso-*.com
● *-sso.com
● login.*-sso.com
● dashboard-*.com
● *-dashboard.com

Any downloads or attempted downloads of the following remote desktop viewers:

● AnyDesk (anydesk dot com)
● ISL Online (islonline dot com)

Any attempt to access your organization through a third-party VPN service provider, especially Mullvad VPN.

Incoming calls/SMS from the following service providers:

● Google Voice
● Skype
● Vonage / Nexmo
● Bandwidth dot com

Any attempt to install the following browser extensions:

● EditThisCookie

As a web defender, you should expect to see behavior such as attempts to log into enterprise applications using stolen credentials, cookies, or other session tokens from VPN services (such as Mullvad). There may also be attempts to enumerate applications that are customer-facing, such as customer relationship management (CRM) applications or employee directory applications. You may also see attempts to copy text-based data to free text or file-sharing services (such as riseup.net).
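The look-alike domain patterns and remote desktop viewer domains listed above, written as detection logic over web proxy logs. This is an added example, not code from Coinbase or the original post; the organization name `examplecorp`, the log layout and the sample lines are constructed assumptions.

```python
import re

REMOTE_TOOLS = ("anydesk.com", "islonline.com")  # remote desktop viewers named above

def lookalike_rules(org):
    """Compile the five listed patterns with * replaced by the organization name."""
    o = re.escape(org.lower())
    templates = {
        "sso-*.com": rf"sso-{o}\.com",
        "*-sso.com": rf"{o}-sso\.com",
        "login.*-sso.com": rf"login\.{o}-sso\.com",
        "dashboard-*.com": rf"dashboard-{o}\.com",
        "*-dashboard.com": rf"{o}-dashboard\.com",
    }
    # Anchor on a label boundary: subdomains match, "not<org>-sso.com" does not.
    return {name: re.compile(rf"(?:^|\.){body}$") for name, body in templates.items()}

def classify_host(host, rules):
    """Return the names of every rule a requested hostname matches."""
    h = host.lower().split(":")[0].rstrip(".")   # normalise case, port, trailing dot
    hits = [name for name, rx in rules.items() if rx.search(h)]
    hits += [f"remote-tool:{d}" for d in REMOTE_TOOLS if h == d or h.endswith("." + d)]
    return hits

def scan(log_lines, org):
    """Return (timestamp, user, host, hits) for each proxy log line that matches."""
    rules = lookalike_rules(org)
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                              # skip malformed lines
        ts, user, host = parts[:3]
        hits = classify_host(host, rules)
        if hits:
            findings.append((ts, user, host, hits))
    return findings

# Constructed sample proxy log (assumed layout): "<timestamp> <user> <host> <path>".
SAMPLE_LOG = [
    "2023-02-05T19:02:11Z jdoe sso-examplecorp.com /login",
    "2023-02-05T19:02:40Z jdoe sso.examplecorp.com /saml",        # real SSO host: no hit
    "2023-02-05T19:25:03Z jdoe LOGIN.examplecorp-sso.com:443 /",
    "2023-02-05T19:31:57Z jdoe download.anydesk.com /AnyDesk.exe",
    "2023-02-05T19:33:10Z asmith notexamplecorp-dashboard.com /",  # other name: no hit
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG, "examplecorp"), sep="\n")
```

A host such as `login.examplecorp-sso.com` matches two rules at once, which is useful when ranking alerts; remote desktop vendor domains also see legitimate use, so those hits are best correlated with the look-alike hits for the same user.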

These conversations have never been easy. It is embarrassing for employees; frustrating for cybersecurity professionals and management. It is frustrating for everyone. But as a community, we need to have open discussions about such issues. If you are a Coinbase customer, always be skeptical of anyone asking you for personal information. Never share your credentials, never allow anyone remote access to your personal devices, and enable the strongest available forms of authentication. Consider using a physical security token to access your Coinbase account. If you do not trade frequently, consider using our Coinbase Vault solution to provide an additional layer of protection for your assets.

If you are an employee of Coinbase or any other company with an online presence, you will be targeted. Stay vigilant, especially when someone calls or contacts you. A simple best practice is to hang up and seek assistance using a trusted phone number or company chat technology. Never provide information or login credentials to someone who contacts you for the first time.

If you are a cybersecurity professional, we know that bad actors will always do bad things. But we should also remember that good people can make mistakes, and our best security controls can sometimes fail. Most importantly, we should always be willing to learn and strive to be better. We are all human. That is a constant factor that (hopefully) will never change.

Stay safe!
