Coinbase is known to keep its good work low-key while others run marketing tactics. From being a partner in Facebook's Libra coin consortium to coming out clean about the vulnerabilities it recently faced, Coinbase seems to be acing the race.
On 19th June, Philip Martin, Chief Information Security Officer at Coinbase, tweeted a thread about the recent zero-day attack on their systems.
According to the definition provided by Norton, a zero-day vulnerability is a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw. The vulnerability has the potential to be exploited by cybercriminals.
Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
In this kind of vulnerability, hackers usually write code that targets a specific security weakness, which they then package into malware called a "zero-day exploit". The malicious software takes advantage of the vulnerability to compromise a computer system or cause unintended behavior.
Source: Norton | Zero-day vulnerability: What it is, and how it works
Philip in his tweet elaborated on the attack by saying, “On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day firefox sandbox escape, to target Coinbase employees.”
He further stated that the team traced back the entire attack, recovered the 0-day and reported it to Firefox. They also pulled apart the "malware and infra used in the attack". Coinbase is currently working with various organizations to continue burning down the attacker's infrastructure, and is also researching the attacker's identity.
In addition, Philip confirmed that, as of now, they have found no evidence of exploitation targeting Coinbase customers.
The team also believes Coinbase was not the only crypto exchange targeted; they expect other organizations may sooner or later be attacked through this vulnerability.
Coinbase will soon release a set of IOCs (Indicators of Compromise), meaning they will report artifacts such as virus signatures, IP addresses, MD5 hashes of malware files, and URLs or domain names of botnet command-and-control servers. These are identified through incident response and computer forensics, and help detect future attack attempts on a network.
Philip has also tweeted the hashes and C2 IPs acquired from the attack:
“Hashes (sha1): b639bca429778d24bda4f4a40c1bbc64de46fa79 23017a55b3d25a2597b7148214fd8fb2372591a5
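Whatever the full IOC set Coinbase publishes looks like, the consumer-side check is the same: hash the files you hold and compare them against the published hashes, and match outbound connections against the published C2 addresses. The following is an added example, not Coinbase's tooling; it uses the two SHA-1 hashes quoted on this page, while the C2 address (a TEST-NET placeholder), the file contents and the proxy log lines are constructed sample data.

```python
import hashlib
import re

# The first two SHA-1 hashes are the ones quoted from Philip Martin's tweet on this page.
# CONSTRUCTED_SAMPLE is made up so the matcher has something to hit offline.
CONSTRUCTED_SAMPLE = b"constructed sample standing in for a dropped payload"
IOC_SHA1 = {
    "b639bca429778d24bda4f4a40c1bbc64de46fa79",
    "23017a55b3d25a2597b7148214fd8fb2372591a5",
    hashlib.sha1(CONSTRUCTED_SAMPLE).hexdigest(),
}
# Placeholder C2 address from the RFC 5737 TEST-NET range, not a real indicator.
IOC_C2_IPS = {"192.0.2.10"}

# Constructed proxy log lines; line 2 talks to the placeholder C2 address.
SAMPLE_PROXY_LOG = """\
2019-06-17T10:02:11Z src=10.1.4.22 dst=203.0.113.5 host=example.com action=allow
2019-06-17T10:03:40Z src=10.1.4.22 dst=192.0.2.10 host=- action=allow
2019-06-17T10:04:02Z src=10.1.7.9 dst=198.51.100.3 host=cdn.example.net action=allow
"""

_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
_SRC_RE = re.compile(r"\bsrc=(\S+)")


def match_file_hashes(files, ioc_hashes=IOC_SHA1):
    """Return the names of files (name -> bytes) whose SHA-1 is in the IOC set."""
    hits = []
    for name, content in files.items():
        if hashlib.sha1(content).hexdigest() in ioc_hashes:
            hits.append(name)
    return hits


def match_c2_connections(log_text, ioc_ips=IOC_C2_IPS):
    """Return (line_no, src, dst) for each log line whose destination is a known C2 IP."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        dst = _DST_RE.search(line)
        if dst and dst.group(1) in ioc_ips:
            src = _SRC_RE.search(line)
            hits.append((line_no, src.group(1) if src else None, dst.group(1)))
    return hits


if __name__ == "__main__":
    print(match_file_hashes({"stage2.bin": CONSTRUCTED_SAMPLE, "updater.bin": b"benign"}))
    print(match_c2_connections(SAMPLE_PROXY_LOG))
```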
Fortunately, the attack did not cause any harm to users' funds. Coinbase came out clean and reported the vulnerability while simultaneously supporting any other company that goes through the same attack.