By CCN Markets: A vulnerability allowing for remote code execution (unauthorized use) in Firefox was exploited against Coinbase employees this past week. The vulnerability enabled an attacker to crash the browser and execute code, including installing a trojan horse backdoor. It’s unknown how long this bug operated in the wild, but accurate estimates would give it at least two weeks.
No Coinbase Users Victimized
Here is a scenario where the bug could have affected exchange users:
A user is compromised by a fake e-mail from Coinbase urging them to do something. They redirect to the payload, which installs a trojan horse. The Trojan allows the attacker to screen-watch with something like TeamViewer. The next time the user goes to the exchange, the attacker observes. If the user has 2FA installed, the attacker waits until they’re in the process of making a withdrawal, and changes the withdrawal address. Or, worse, the user does not have 2FA, and the attacker opens a duplicate browser in the background and processes a withdrawal for himself.
The author is not a malicious hacker, but he’s sure there are even more inventive ways than this to exploit the vulnerability.
Coinbase Chief Security Officer Philip Martin says that Coinbase was not the only crypto target. He also points out that his team did not find evidence of customers compromised — only employees.
According to other reporting, the skilled attackers apparently have deep experience in exploiting 0-day vulnerabilities. In at least one case, a user was targeted after visiting a cryptocurrency exchange. He received an e-mail which contained a link. The link attempted to install a backdoor on his Mac computer.
Coinbase reports no financial losses as a result of the attack.