Cryptocurrency exchange Coinbase has revealed that an unknown actor stole the login credentials of one of its employees in an attempt to access company systems remotely.

As a result of the breach, the attacker obtained contact information belonging to several Coinbase employees, the company said, adding that customer funds and data were not affected.

Coinbase has shared the findings of its investigation to help other companies identify the threat actor’s tactics, techniques, and procedures (TTPs) and implement appropriate defenses.

Attack Details

The attacker targeted several Coinbase engineers on Sunday, February 5 with SMS alerts prompting them to log into their corporate accounts to read an important message.

While most employees ignored the messages, one fell for the trap and followed the link to a phishing page. After entering their credentials, they were thanked and asked to ignore the message.

In the next phase, the attacker attempted to log into Coinbase’s internal systems using the stolen credentials, but failed because access was protected by multi-factor authentication (MFA).

About 20 minutes later, the attacker switched to another strategy. They called the employee claiming to be from the Coinbase IT team and asked the victim to log into his workstation and follow some instructions.

Coinbase’s CSIRT detected the unusual activity within 10 minutes of the attack beginning and contacted the victim to inquire about recent unusual activity on their account. The employee then realized that something was wrong and ended communications with the attacker.

Defend

Coinbase shared some of the observed TTPs that other companies could use to identify and defend against a similar attack:

• All web traffic originating from company technology resources to specific addresses, including sso-.com, -sso.com, login.-sso.com, dashboard-.com, and *-dashboard.com.
• Any download or attempt to download specific remote desktop viewers, including AnyDesk (anydesk dot com) and ISL Online (islonline[.]com)
• Any attempt to access the organization from a third party VPN provider, especially Mullvad VPN
• Incoming phone calls/texts from specific providers including Google Voice, Skype, Vonage/Nexmo and Bandwidth
• Any unexpected attempts to install specific browser extensions, including EditThisCookie

Employees of companies that manage digital assets and have a strong online presence are likely to be targeted by social engineering actors at some point.

Adopting a layered defense can make an attack difficult enough that most cybercriminals give up. Implementing MFA protection and using physical security tokens can help protect individual and business accounts.