Coinbase Contains Incident Rooted from Social Engineering Campaign
Category: Data Breach | Industry: Financial Services | Level: Tactical | Source: Coinbase
Coinbase, a cryptocurrency exchange platform, has reported a security incident resulting from a successful phishing attack against one of its employees. Coinbase attributes the attack to the threat actors behind the ‘0ktapus’ phishing campaign, which has run since March 2022 and targets users and organizations that rely on Okta’s Identity and Access Management service. Group-IB found that the campaign had compromised at least 9,931 accounts across over 130 organizations. Although the attacker was able to access some contact information for multiple Coinbase employees, no customer funds or data were affected by the intrusion. The attack on Coinbase began on Sunday, February 5th, 2023. The attacker sent SMS alerts to several Coinbase engineers, urging them to log in to their accounts to read an important message. While most employees ignored the messages, one fell for the lure and was directed to a phishing page, where they entered their credentials. The attacker then attempted to log in with the stolen credentials but was unable to get past Multi-Factor Authentication (MFA); roughly 20 minutes later the attacker called the compromised employee on their mobile phone, masquerading as a member of the company’s corporate Information Technology (IT) division.
“Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious. Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers,” as shared by Coinbase. From there, Coinbase’s Computer Security Incident Response Team (CSIRT) stepped in to contain the incident: the employee ceased communication with the attacker, and CSIRT temporarily suspended “all access for the victimized employee and launched a full investigation.” Coinbase credited its “layered control environment” with preventing any compromise of customer funds and information. Based on the defensive recommendations Coinbase shared for the intrusion, the attacker attempted to install the cookie-manager browser extension EditThisCookie and remote-access software such as AnyDesk and ISL Online.
- Okta Suspicious Login then Account Manipulation
- Suspicious Okta Evt (Reported or MFA Misuse) & Acct Modification
- Okta MFA Abuse & MFA Tampering or Suspicious Event Reported
Anvilogic Use Cases:
- Okta User Rejected MFA Push Request
- Okta Impossible Travel Sign-In
- Okta User Reported Suspicious Activity
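As an added example (not code from Anvilogic or Coinbase), the detection logic behind the use cases and scenarios listed above, run over a constructed Okta System Log sample that mirrors the sequence described in the narrative: a stolen password, an Okta Verify push the employee rejects, and then an MFA factor change once the caller has talked the employee through it. The eventType strings are Okta's; the users, IP addresses, coordinates and timestamps are made up, and the 900 km/h impossible-travel threshold and the one-hour correlation window are assumed tuning values.

```python
"""Okta System Log detections: rejected MFA push, user-reported suspicious
activity, impossible travel, and suspicious event followed by account change."""
import math
from datetime import datetime, timedelta

# Okta System Log eventType values used by the detections below.
MFA_DENY_PUSH = "user.mfa.okta_verify.deny_push"
USER_REPORTED = "user.account.report_suspicious_activity_by_enduser"
SESSION_START = "user.session.start"
ACCOUNT_MANIPULATION = {  # changes an attacker makes to keep access
    "user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
    "user.mfa.factor.update", "user.mfa.factor.activate",
    "user.account.update_password",
}


def event(t, etype, user, ip, city, country, lat, lon, result="SUCCESS"):
    """Build a minimal Okta-shaped event (constructed sample data, not a real log)."""
    return {
        "published": t, "eventType": etype,
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip, "geographicalContext": {
            "city": city, "country": country, "geolocation": {"lat": lat, "lon": lon}}},
        "outcome": {"result": result},
    }


# Constructed sample: alice follows the narrative (rejected push from an unfamiliar
# IP, then a factor update from that IP); bob's two logins are too far apart to be
# one traveller; carol rejects a push and reports it, with no follow-on change.
SAMPLE_EVENTS = [
    event("2023-02-05T09:00:00Z", SESSION_START, "alice@example.com", "198.51.100.7", "San Francisco", "US", 37.77, -122.42),
    event("2023-02-05T09:20:05Z", MFA_DENY_PUSH, "alice@example.com", "203.0.113.9", "Lagos", "NG", 6.52, 3.38),
    event("2023-02-05T09:45:00Z", "user.mfa.factor.update", "alice@example.com", "203.0.113.9", "Lagos", "NG", 6.52, 3.38),
    event("2023-02-05T10:00:00Z", SESSION_START, "bob@example.com", "192.0.2.10", "Paris", "FR", 48.86, 2.35),
    event("2023-02-05T10:30:00Z", SESSION_START, "bob@example.com", "203.0.113.44", "Singapore", "SG", 1.35, 103.82),
    event("2023-02-05T11:00:00Z", MFA_DENY_PUSH, "carol@example.com", "198.51.100.20", "Austin", "US", 30.27, -97.74),
    event("2023-02-05T11:01:00Z", USER_REPORTED, "carol@example.com", "198.51.100.20", "Austin", "US", 30.27, -97.74),
]


def _ts(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))


def _user(e):
    return e["actor"]["alternateId"]


def rejected_mfa_pushes(events):
    """Use case: Okta User Rejected MFA Push Request."""
    return [(_user(e), e["published"]) for e in events if e["eventType"] == MFA_DENY_PUSH]


def user_reported_suspicious(events):
    """Use case: Okta User Reported Suspicious Activity."""
    return [(_user(e), e["published"]) for e in events if e["eventType"] == USER_REPORTED]


def _haversine_km(a, b):
    """Great-circle distance between two {"lat","lon"} points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_speed_kmh=900.0):
    """Use case: Okta Impossible Travel Sign-In. Flags consecutive successful
    sessions for one user that would require travelling faster than an airliner
    (the 900 km/h threshold is an assumed tuning value)."""
    hits, last = [], {}
    for e in sorted(events, key=_ts):
        if e["eventType"] != SESSION_START or e["outcome"]["result"] != "SUCCESS":
            continue
        u, geo = _user(e), e["client"]["geographicalContext"]
        if u in last:
            prev_geo = last[u]["client"]["geographicalContext"]
            km = _haversine_km(prev_geo["geolocation"], geo["geolocation"])
            hours = (_ts(e) - _ts(last[u])).total_seconds() / 3600
            if hours > 0 and km / hours > max_speed_kmh:
                hits.append({"user": u, "from": prev_geo["city"], "to": geo["city"],
                             "speed_kmh": round(km / hours)})
        last[u] = e
    return hits


def suspicious_then_account_change(events, window=timedelta(hours=1)):
    """Scenario: suspicious Okta event (rejected push or end-user report) followed
    within the window by MFA/account manipulation for the same user. The one-hour
    window is an assumption; tune it to the help-desk callback times you see."""
    alerts, triggers = [], {}
    for e in sorted(events, key=_ts):
        u = _user(e)
        if e["eventType"] in (MFA_DENY_PUSH, USER_REPORTED):
            triggers.setdefault(u, []).append(e)
        elif e["eventType"] in ACCOUNT_MANIPULATION:
            for t in triggers.get(u, []):
                if timedelta(0) <= _ts(e) - _ts(t) <= window:
                    alerts.append({"user": u, "trigger": t["eventType"], "change": e["eventType"],
                                   "ip": e["client"]["ipAddress"], "at": e["published"]})
                    break
    return alerts


if __name__ == "__main__":
    print("rejected pushes:", rejected_mfa_pushes(SAMPLE_EVENTS))
    print("user reports:", user_reported_suspicious(SAMPLE_EVENTS))
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
    print("suspicious then account change:", suspicious_then_account_change(SAMPLE_EVENTS))
```

The single-event use cases are cheap to run but noisy on their own (carol's rejected push is exactly what a well-trained employee should produce); the correlation in `suspicious_then_account_change` is what turns the rejected push into an actionable alert, because a factor update minutes after a denied push from the same unfamiliar IP is the point at which the attacker has talked the victim past MFA.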