Coinbase cryptocurrency exchange platform has disclosed that an unknown threat actor stole the login credentials of one of its employees in an attempt to gain remote access to the company's systems. As a result of the intrusion the attacker obtained some contact information belonging to multiple Coinbase employees, the company said, adding that customer funds and data remained unaffected.

The attacker targeted several Coinbase engineers on Sunday, February 5 with SMS alerts urging them to log into their company accounts to read an important message. While most employees ignored the messages, one of them fell for the trick and followed the link to a phishing page. After entering their credentials, they were thanked and prompted to disregard the message. In the next phase, the attacker tried to log into Coinbase's internal systems using the stolen credentials but failed because access was protected with multi-factor authentication (MFA). Roughly 20 minutes later, the attacker switched to another strategy: they called the employee claiming to be from the Coinbase IT team and directed the victim to log into their workstation and follow some instructions.

Coinbase's CSIRT detected the unusual activity within 10 minutes of the start of the attack and contacted the victim to ask about recent unusual activity on their account. The employee then realized something was wrong and terminated communications with the attacker.
The best protection against a campaign such as this is user education on common phishing tactics, including SMS phishing and follow-up phone calls impersonating IT staff, as well as on emerging cybersecurity risks and vulnerabilities. It is also important to employ a defense-in-depth strategy that can detect this activity at other stages of the attack chain, such as lateral movement or reconnaissance, so that a single successful phish does not go unnoticed. Binary Defense's MDR and Threat Hunting services are an excellent solution to assist with such a program.