Tuesday, July 2, 2024

Coinbase breached by social engineers, employee data stolen – Naked Security

Coinbase, a popular cryptocurrency exchange, is the latest well-known online brand name to admit to a breach.

The company decided to turn its breach report into an interesting mix of partial mea culpa and handy advice for others.

As in the recent Reddit case, the company couldn’t resist throwing in the S-word (sophisticated), which once again seems to follow the definition offered by Naked Security reader Richard Pennington in a recent comment, where he noted: ‘Sophisticated’ is usually translated as ‘better than our defences’.

Many, if not most, breach reports that describe the threat and the attackers as sophisticated or advanced seem to be using those words relatively (i.e. too good for us) rather than absolutely (i.e. too good for everyone).

Coinbase confidently stated in the summary at the beginning of the article:

Fortunately, Coinbase’s cyber controls prevented attackers from gaining direct access to the system and prevented loss of funds or compromise of customer information.

But that apparent certainty is undermined by the admission in the very next sentence:

Only a limited amount of data from corporate directories was exposed.

Unfortunately, one of the tools, techniques and procedures (TTPs) favoured by cybercriminals is what’s known in the jargon as lateral movement: the trick of parlaying the information and access obtained in one part of a system into a much broader breach.

That is, if cybercriminals can use user Y’s computer X to retrieve confidential company data from database Z (luckily limited to employee names, email addresses and phone numbers in this case)…

… then saying that the attackers “didn’t gain direct system access” sounds like a bit of an academic distinction, even if the sysadmins among us understand the words to mean that the criminals didn’t end up with a terminal prompt from which they could run whatever system commands they liked.

Tips for Threat Defenders

Nonetheless, Coinbase has listed some of the cybercriminal tools, techniques, and procedures experienced in this attack, and this list provides some useful tips for threat defenders and XDR teams.

XDR is a buzzword these days (it stands for Extended Detection and Response), and the simplest explanation is:

Extended detection and response means regularly and actively looking for hints that someone is doing bad things on your network, instead of waiting for traditional cybersecurity detections in your threat response dashboard to trigger a response.

Clearly, XDR doesn’t mean turning off your traditional cybersecurity alerting and blocking tools, but it does mean expanding the scope and nature of your threat hunting: not only looking for cybercriminals once they’ve been definitively identified, but also keeping watch for those who have already arrived but aren’t yet ready to attempt an attack, and for those who are still on their way in.

Reconstructed from the company’s somewhat staccato account, the Coinbase attack appears to have involved the following steps.

  • TELLTALE 1: SMS-based phishing attempt.

Employees were prompted via SMS to log in to read important company notifications.

For convenience, the message included a login link, but that link took you to a fake site that captured your username and password.

Apparently, this part of the attack was unsuccessful, because the attackers either didn’t know or didn’t think to ask for the two-factor authentication (2FA) code that must be used together with the username and password.

We don’t know how 2FA protected the account. Perhaps Coinbase uses hardware tokens such as Yubikeys, which don’t work simply by providing a 6-digit code that you copy from your phone into a browser or login app, so the thieves couldn’t ask for a code at all. Perhaps the employee spotted the phish after providing their password but before revealing the final one-time secret needed to complete the process. From the wording of Coinbase’s report, we suspect that the scammers either forgot, or couldn’t find a reliable way, to capture the necessary 2FA data from their fake login screen.

Don’t overestimate the power of app-based or SMS-based 2FA. Any 2FA process that relies on you typing codes displayed on your phone into fields on your laptop offers little protection against attackers who are ready and willing to try your phished credentials immediately. SMS or app-generated codes are usually limited only by time, with a validity period ranging from 30 seconds to a few minutes, so an attacker can usually collect the code and use it before it expires.
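To make the difference concrete, here is an added example (not code from the article or from Coinbase) that simulates both 2FA styles: a time-based 6-digit code, which a server will still accept when forwarded a few seconds after it was typed into a fake page, and a hardware-token-style assertion whose signature covers the origin the browser reports, which the real site rejects because it was signed for the wrong origin. The seeds, keys, origins and the HMAC stand-in for the token’s signature are all constructed for the demonstration.

```python
import hmac, hashlib, struct, json

# Constructed demo secrets: stand-ins, not anyone's real credentials.
TOTP_SEED = b"demo-totp-seed-not-a-real-secret"
AUTHENTICATOR_KEY = b"demo-authenticator-key-not-real"
REAL_ORIGIN = "https://login.example.com"   # assumed relying-party origin

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(seed: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus one step of clock skew."""
    return any(hmac.compare_digest(totp(seed, now + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))

def sign_assertion(key: bytes, origin: str, challenge: str) -> dict:
    """Stand-in for a hardware token: the signature covers the origin the browser supplies."""
    client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def verify_assertion(key: bytes, assertion: dict, expected_origin: str, challenge: str) -> bool:
    """Relying party: the signature must verify AND the signed origin must be our own."""
    data = json.loads(assertion["client_data"])
    expected = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["signature"])
            and data["origin"] == expected_origin and data["challenge"] == challenge)

def totp_survives_relay(captured_at: int, replayed_at: int) -> bool:
    """A code typed into a fake page at captured_at, submitted to the real site at replayed_at."""
    code = totp(TOTP_SEED, captured_at)
    return verify_totp(TOTP_SEED, code, replayed_at)

def assertion_survives_relay(phishing_origin: str) -> bool:
    """Same relay against an origin-bound assertion: the token signed the fake origin."""
    assertion = sign_assertion(AUTHENTICATOR_KEY, phishing_origin, challenge="c1")
    return verify_assertion(AUTHENTICATOR_KEY, assertion, REAL_ORIGIN, challenge="c1")
```

The first check passes within the 30-second window and fails two minutes later; the second fails regardless of timing, because the fake site’s origin is baked into what the token signed.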

  • TELLTALE 2: A call from someone claiming to be from IT.

This attack ultimately resulted in criminals obtaining a list of employee contact details, which we assume will be sold or provided to the cybercriminal underground for other scammers to abuse in future attacks.

Even if you’ve tried to keep your work contact details confidential, they may already be out there and widely known thanks to previously undetected breaches, or to past attacks on secondary sources such as an outsourcing company that was once entrusted with employee data.

  • TELLTALE 3: Request to install remote access program.

In the Coinbase breach, the social engineer who called during the second phase of the attack appears to have asked the victim to install AnyDesk and ISL Online.

Don’t install software, let alone remote access tools (tools that allow an outsider to view your screen and control your mouse and keyboard remotely as if they were sitting in front of your computer), on the say-so of a caller, even if you think they’re from your own IT department.

If you didn’t call them, you can hardly be sure who they are.

  • TELLTALE 4: Request to install browser plug-in.

In the Coinbase case, the tool the scammers wanted the victim to use is called EditThisCookie, a very easy way for someone you don’t know and have never met to retrieve secrets such as access tokens from your browser.

Browser plug-ins have virtually unrestricted access to anything you type into your browser (passwords included) before it’s encrypted, and to anything you see in your browser after it’s been decrypted.

Plug-ins can not only monitor what you do, but also invisibly modify what you type before it’s sent and what content comes back before it appears on the screen.

What should I do?

To reiterate and extend the advice given so far:

  • Don’t log in by clicking on links in messages. You should know where to go on your own, without needing “help” from messages that could have come from anywhere.
  • Never take IT advice from callers. Know where to call and when to call, so that you take the initiative and reduce the risk of being contacted by scammers who seem to be “helping” you.
  • Don’t install software at the direction of unverified IT staff. Don’t even install software you think is safe, because the caller may direct you to a booby-trapped download that has already had malware added to it.
  • Don’t reply to a message or call back to ask if it’s real. The caller or sender will simply tell you what you want to hear. Report suspicious contacts to your own security team as soon as possible.

In this case, Coinbase says its own security team was able to intervene within about 10 minutes of spotting an unusual pattern of activity (such as an unexpected logon attempt via a VPN service) using XDR technology.

This not only got the targeted individual to cut off all contact with the criminals immediately, before too much damage was done, but also stopped the attackers from setting up more schemes, scams and so-called active adversary trickery.

Make sure you too are part of your company’s XDR “sensor network”, not just the technology tools your security team has put in place.

Giving active defenders more to go on than “a VPN source address showed up in the access logs” greatly improves their ability to detect and respond to active attacks.
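The sort of correlation the article credits Coinbase’s XDR team with (an unexpected logon via a VPN service, acted on within about 10 minutes) can be sketched as a small hunt over telemetry. The following is an added example, not Coinbase’s or Sophos’s code: the log events, the VPN egress range and the process names are all constructed for the demonstration, and the 10-minute window is an assumption taken from the article’s response time rather than a published detection rule.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): successful/failed logons and process starts.
EVENTS = [
    {"ts": "2023-02-05T10:02:11", "type": "logon", "user": "alice", "src": "203.0.113.7", "ok": True},
    {"ts": "2023-02-05T10:03:40", "type": "logon", "user": "alice", "src": "203.0.113.7", "ok": True},
    {"ts": "2023-02-05T19:14:02", "type": "logon", "user": "alice", "src": "198.51.100.23", "ok": True},
    {"ts": "2023-02-05T19:19:45", "type": "process", "user": "alice", "image": "AnyDesk.exe"},
    {"ts": "2023-02-05T19:40:00", "type": "logon", "user": "bob", "src": "203.0.113.9", "ok": False},
]
# Assumed threat-intel feed: egress ranges of commercial VPN / anonymiser services (constructed).
VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
# Remote-access tools named in the article; the executable names are assumed placeholders.
REMOTE_ACCESS_TOOLS = ("anydesk", "islonline")
WINDOW = timedelta(minutes=10)  # assumed correlation window

def is_vpn(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPN_EGRESS)

def hunt(events):
    """Flag the first successful logon a user makes from a VPN egress address, and escalate
    if a remote-access tool starts under that user's account within WINDOW of the logon."""
    seen = {}        # user -> source addresses seen in earlier successful logons
    vpn_logons = {}  # user -> timestamp of the most recent flagged VPN logon
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "logon" and e["ok"]:
            known = seen.setdefault(e["user"], set())
            if is_vpn(e["src"]) and e["src"] not in known:
                alerts.append(("medium", e["user"], f"first logon via VPN egress {e['src']}"))
                vpn_logons[e["user"]] = ts
            known.add(e["src"])
        elif e["type"] == "process" and any(t in e["image"].lower() for t in REMOTE_ACCESS_TOOLS):
            last = vpn_logons.get(e["user"])
            if last is not None and ts - last <= WINDOW:
                alerts.append(("high", e["user"], f"{e['image']} started {ts - last} after VPN logon"))
    return alerts

if __name__ == "__main__":
    for severity, user, detail in hunt(EVENTS):
        print(severity, user, detail)
```

On the sample data the hunt raises a medium alert for alice’s evening VPN logon and a high alert when AnyDesk starts under her account under six minutes later; bob’s failed logon from a normal address produces nothing.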


Learn more about active adversaries

In real life, what actually works when cyber crooks launch an attack? How do you find and treat the root cause of an attack instead of dealing only with the obvious symptoms?

Learn more about XDR and MDR

Do you lack the time or expertise to handle cybersecurity threat response? Worried that cybersecurity will distract you from all the other things you need to do?

Explore Sophos Managed Detection and Response:
24/7 threat hunting, detection and response

Learn more about social engineering

Join Rachel Tobac, DEFCON Social Engineering Capture the Flag Champion, for an engaging interview about how to detect and reject scammers, social engineers, and other sleazy cybercriminals.
