Cryptocurrency platform Coinbase has recently reported a cyber attack on its systems, where an unknown attacker stole the credentials of one of its employees in an attempt to gain remote access to the company’s systems. This serves as a stark reminder of the ongoing threat posed by cybercriminals to companies and organizations of all sizes.
The attack, which occurred on February 5, saw the cybercriminal obtain the contact information of several Coinbase employees, including their names, phone numbers, and email addresses. However, the funds and customer data remained unaffected.
Fortunately, Coinbase’s robust cybersecurity measures prevented the hacker from gaining direct access to the system and prevented any loss of funds or compromised information about customers. Only a limited amount of data from the Coinbase corporate catalog was disclosed.
Coinbase has taken an admirable step in sharing the results of its investigation, to help other companies identify the tactics, methods, and procedures of the attacker (TTPs) and establish appropriate protection. Employee training and the use of multi-factor authentication (MFA) were critical factors in preventing the attacker from gaining access to sensitive systems and data.
The attack began when the attacker sent SMS messages to several Coinbase engineers, attempting to convince them to read an important notice through a phishing page. Although most of the employees ignored the messages, one employee fell for the trick and entered their credentials.
Following this, the hacker attempted to enter the internal systems of Coinbase using stolen credentials, but access was protected by MFA, making it impossible for the attacker to get past this extra layer of security.
Approximately 20 minutes later, the attacker then called the employee of the company, introducing themselves as an IT specialist at Coinbase. They then convinced the victim to enter their workstation and perform some actions. Coinbase’s CSIRT team detected unusual activity for ten minutes from the start of the attack and contacted the victim to learn about the unusual actions from the account. The employee quickly realized that a cyber attack was in progress, ceased all communications with the attacker, and reported the incident to Coinbase’s security team.
It is worth noting that the attacker’s actions in this incident are similar to what was observed during the phishing campaign of 0ktapus last year. The attacker used a combination of SMS messages, phone calls, and phishing pages to target Coinbase employees. Regular employee training on cybersecurity best practices can help employees recognize and avoid such attacks, reducing the risk of successful breaches.
The recent attack on Coinbase serves as a stark reminder of the ongoing threat posed by cybercriminals and highlights the importance of implementing robust cybersecurity measures. Coinbase’s decision to share the results of its investigation will help other companies identify and defend against similar attacks, and underscores the importance of working together and sharing information to stay ahead of cybercriminals and protect against potential breaches.