Coinbase, a prominent cryptocurrency exchange based in the United States, recently disclosed a cybersecurity incident that compromised the personal information of some of its employees.
On February 5, 2023, the company reported that its cyber controls prevented the attacker from gaining direct access to its systems, so no funds were lost and no customer data was breached. Despite these safeguards, some employee data, including names, email addresses, and phone numbers, was exposed.
The attack was initiated through an SMS phishing campaign, specifically designed to mislead employees into logging into their accounts under the pretense of accessing critical communications. One employee inadvertently provided their login credentials on a counterfeit webpage created by the attackers.
Following the initial credential theft, the attacker made multiple unsuccessful attempts to breach Coinbase’s systems, hindered by the multi-factor authentication measures in place. In a bid to manipulate the situation further, the perpetrator contacted the employee directly, posing as a member of the Coinbase Information Technology division and instructing them to perform specific actions on their workstation.
As the requests became increasingly unusual, the employee grew suspicious. Fortunately, Coinbase’s incident response team was alerted within minutes of the incident and promptly reached out to the employee, advising them to terminate all communications with the attacker.
While Coinbase did not disclose the precise instructions given by the threat actor, the company emphasized the importance of vigilance against similar attempts to install remote access software, including legitimate tools like AnyDesk and ISL Online, and Google Chrome extensions such as EditThisCookie. The organization also urged caution regarding unsolicited calls and messages from providers like Google Voice and Skype.
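One way to turn that advice into detection logic, as an added example that is not taken from Coinbase's write-up: the script below runs a simple rule over constructed endpoint telemetry (process starts and browser-extension installs), flags execution of the named remote access tools and installation of EditThisCookie, and escalates when both occur on the same host within a short window. The log format, host and user names, and the tool name patterns are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): "timestamp|host|user|event_type|detail"
SAMPLE_EVENTS = r"""
2023-02-05T10:01:12Z|wks-017|jdoe|process_start|C:\Users\jdoe\Downloads\AnyDesk.exe
2023-02-05T10:01:40Z|wks-017|jdoe|process_start|C:\Windows\System32\notepad.exe
2023-02-05T10:02:05Z|wks-017|jdoe|extension_install|EditThisCookie (Chrome Web Store)
2023-02-05T10:03:30Z|wks-022|asmith|process_start|C:\Program Files\ISL Online\ISLLight.exe
2023-02-05T10:04:00Z|wks-022|asmith|process_start|C:\Program Files\Google\Chrome\chrome.exe
"""

# Hypothetical name patterns for the tools named in the write-up (assumed, not a vetted
# signature set; real deployments should key on signed binary metadata and extension IDs).
REMOTE_ACCESS_PATTERNS = [r"anydesk", r"isl\s*online", r"isllight"]
EXTENSION_PATTERNS = [r"editthiscookie"]

def parse_event(line):
    """Split one pipe-delimited telemetry line into a dict with a parsed timestamp."""
    ts, host, user, etype, detail = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "type": etype, "detail": detail}

def classify(event):
    """Return 'remote_access', 'cookie_extension', or None for a single event."""
    text = event["detail"].lower()
    if event["type"] == "process_start" and any(re.search(p, text) for p in REMOTE_ACCESS_PATTERNS):
        return "remote_access"
    if event["type"] == "extension_install" and any(re.search(p, text) for p in EXTENSION_PATTERNS):
        return "cookie_extension"
    return None

def detect(log_text, window=timedelta(minutes=15)):
    """Alert on each hit; severity is 'high' when one host shows both a remote access
    tool and a cookie-export extension inside `window`, otherwise 'medium'."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits_by_host = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            hits_by_host[ev["host"]].append((ev, kind))
    alerts = []
    for host, hits in hits_by_host.items():
        kinds = {k for _, k in hits}
        times = [ev["ts"] for ev, _ in hits]
        severity = "high" if len(kinds) == 2 and max(times) - min(times) <= window else "medium"
        for ev, kind in hits:
            alerts.append({"host": host, "user": ev["user"], "kind": kind,
                           "severity": severity, "detail": ev["detail"]})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts: two rated high for wks-017 (AnyDesk plus EditThisCookie within a minute) and one medium for wks-022 (ISL Online alone); notepad and chrome produce nothing.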
It is believed that the incident may be connected to a larger phishing campaign known as 0ktapus (or Scatter Swine), which previously targeted more than 130 organizations, including notable companies like Twilio and Cloudflare.
This event highlights critical areas of concern in cybersecurity, particularly initial access and social engineering tactics as outlined in the MITRE ATT&CK framework. The phishing methods employed illustrate a sophisticated approach to initial access and emphasize the need for robust employee training in recognizing and mitigating such threats. With the growing prevalence of similar attacks, businesses must remain proactive in their cybersecurity measures to safeguard against these evolving threats.
In conclusion, Coinbase’s experience serves as a critical reminder for all organizations regarding the potential vulnerabilities that can arise from social engineering attacks and the importance of maintaining a vigilant cybersecurity posture.
