Coinbase explains background to June zero-day Firefox attack
Targeted phishing attacks, it is often said, can be difficult for even the wariest organisations to defend themselves against.
But how difficult?
This week’s detailed post-incident analysis of a recent, highly targeted attack on cryptocurrency exchange Coinbase by its chief information officer Philip Martin offers a glimpse into how good these attacks can be.
We’ll start with the punchline: Coinbase successfully resisted the attack, something we could already have guessed when the company tweeted the news in June that it had come under attack.
That tweet also mentioned that the attack deployed two Firefox zero-days, something that immediately grabbed the interest of news reporters as well as Firefox, which issued patches for CVE-2019-11707 and CVE-2019-11708 after Coinbase reported their use by cybercriminals.
Fending off an attack using a combination of two zero-days is already unusually challenging but, according to Martin, the sophistication of the attack didn’t stop there.
It seems the campaign began on 30 May when around a dozen Coinbase employees received an email from someone claiming to be Gregory Harris, a Research Grants Administrator at the University of Cambridge.
This email came from the legitimate Cambridge domain, contained no malicious elements, passed spam detection, and referenced the backgrounds of the recipients.
The approach was so convincing that even as more emails were received over a two-week period, “nothing seemed amiss.”
Until 17 June at 6:31am (PT), that is, when a new email turned up that contained a booby-trapped link designed to launch the zero-days in Firefox.
One of the small number of individuals who received this became suspicious, which led to a scan of that computer that turned up signs of malevolent activity.