As Coinbase is the most popular cryptocurrency exchange in the U.S., it’d be the delight of hackers across the world to penetrate its infrastructure. One such attacker or group of attackers tried to do exactly that this week, using not one but two critical zero-day vulnerabilities affecting Mozilla’s popular Firefox web browser.
Coinbase security expert Philip Martin confirmed as much on Wednesday, describing in a post-mortem Twitter thread how the attacker chained a previously reported Firefox zero-day with a second, initially unreported one in an attempt to “target Coinbase employees.”
Mozilla had formally addressed the vulnerabilities by June 18th. Google Project Zero security researcher Samuel Groß reportedly discovered the initial bug as early as April 2019.
Martin also said the Coinbase security team is still analyzing the attacker’s infrastructure and methods in order to understand more clearly what happened and, better yet, who might be responsible.
2/ We walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and infra used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved.
— Philip Martin (@SecurityGuyPhil) June 19, 2019
Martin added that Coinbase had reached out and was working with other unspecified cryptocurrency organizations that the exchange thought were targeted in the nefarious campaign. He noted no customers appeared to have been affected by the incident and said Coinbase was willing to collaborate with other stakeholders.
4/ If you believe you have been impacted by this attack or you have more intel to share and want to collaborate with us on a response, please reach out to security@coinbase.com. IOCs follow.
— Philip Martin (@SecurityGuyPhil) June 19, 2019
Luckily for everyone involved, the episode didn’t take a turn for the catastrophic, i.e. Coinbase employee accounts being commandeered to steal cryptocurrency or users’ data. But the attempted attack serves as yet another reminder that cryptocurrency exchange employees are being increasingly targeted by hackers, for they hold the keys — pun intended — to their kingdoms.
Malware Found on Coincheck Employee Computers
Whoever the Coinbase attacker was, they failed to penetrate the exchange’s infrastructure. However, not every platform has been so lucky in recent years — consider Japanese cryptocurrency exchange Coincheck, for example.
What’s more, experts now think they might know how the January 2018 Coincheck hack occurred.
New evidence suggests the hack — which has proved to be the largest in the cryptoeconomy to date — may have been conducted via Russian malware placed on employee computers.
That’s per new reporting this week revealing that Netwire and Mokes, two malware families that originate from Russia’s corner of cyberspace, were discovered on the computers of Coincheck employees.
It’s still not clear who was operating the malware, but cybersecurity experts have said the presence of Netwire and Mokes suggests the culprits may have been Russian, or at the very least Eastern Europeans familiar with Russian tools.
Of course, it’s entirely possible the Coincheck hackers weren’t Russians at all. The use of Netwire and Mokes may have been a shrewd feint by whoever was responsible. Ever since the attack took place, speculation has swirled that the North Korean hacker team Lazarus Group was involved. In any case, Lazarus Group’s specialized “Bluenoroff” team presumably has the requisite skills and tools to have compromised Coincheck.
The January 2018 hack was massive, though it only affected the exchange’s NEM (XEM) hot wallet. The attacker was able to make off with 520 million XEM, which were then worth $530 million USD.
Exchanges Have to Be on Their Toes
“How did the hackers know our risk management rules so precisely?” Binance chief operating officer Changpeng Zhao wrote in a security recap after Binance was hacked out of 7,000 bitcoin this spring. “Do we have a mole?”
It’s unclear whether Zhao and his colleagues ever got to the bottom of those questions with any confidence, but the mere fact that they were asked shows how attractive, and how hard to defend against, employee attack vectors are.
Binance has since tightened its security practices further, but the fact remains: attackers will continue to probe it and other major exchanges for any possible weak spots.