Coinbase: Responding to Firefox 0-days in the wild

by hion 8/9/2019, 5:48:11 PM with 13 comments
  • by Deimorzon 8/9/2019, 6:10:46 PM

    This was the original article that talked about this attempt: https://robertheaton.com/2019/06/24/i-was-7-words-away-from-...

    HN discussion: https://news.ycombinator.com/item?id=20283922

  • by londons_exploreon 8/9/2019, 7:53:08 PM

    Coinbase should be hiring pentesters and giving them employee level access - even access to commit and deploy code.

    Any insider shouldn't be able to steal more than the hot wallet, and even that should be hard.

    I actually wouldn't put much effort into border security. At coinbases level of risk, evildoers will have no qualms bribing an employee to install a backdoor in their machine.

  • by ChrisCinellion 8/9/2019, 9:41:19 PM

    > CVE-2019–11707 was simultaneously discovered by Samuel Groß of Google’s Project Zero and the attacker.

    At least another time in the last week I read on other threads on HN or related links that vulnerability were found almost the same time by independent people.

    Here we have a researcher from Google’s Project Zero and the attacker.

    How do you explain these coincidences?

    What is the chance that some prominent researchers being targeted and their systems are actually exploited?

  • by flyGuyOnTheSlyon 8/9/2019, 9:23:53 PM

    >We collected IOCs from the host in question and started hunting broadly in our network. We did not see any of the IOCs anywhere else in our environment, and blacklisted all the IOCs that we had at that time.

    Can someone explain what they mean by IOCs?

  • by victor22on 8/9/2019, 10:27:24 PM

    Remember, not your keys, not your bitcoin. Stay off coinbase.

  • by anhldbkon 8/10/2019, 3:02:37 AM

    I find this info is interesting

    > The attackers went through a qualification process and multiple rounds of emails with potential victims, making sure they were high-payoff targets before they directed victims to the page containing the exploit payload.

    It's a well-prepared plan combining social engineering and technical exploits

  • by xchaoticon 8/9/2019, 9:05:30 PM

    This point to an actual use of the cryptocurrency - exploiting a 0 day against someone who might have a crypto wallet means you can actually directly make money off exploits. Prior to crypto, having a 0 day wasn't equal with ability to make blackhat money with it...

  • by ianhaweson 8/9/2019, 8:54:31 PM

    Interesting to me that the attackers were well equipped in their phish and 0days, but then opted to drop fairly detectable RATs.

  • by wyldfireon 8/9/2019, 7:28:54 PM

    This is among the critical differences between MtGox and Coinbase.

  • by dmortinon 8/9/2019, 8:01:05 PM

    Does it a help in this case if one runs the browser in a sandbox? E.g. in docker?

    They can then break out from the browser, but only get to docker with that exploit, and it's unlikely they have a docker exploit too at hand, is it?

  • by auslanderon 8/10/2019, 7:23:37 AM

    > exploit code was delivered from a separate domain, analyticsfit[.]com

    They paid some registrar for the domain. Can police request payment details? Can someone buy domain on stolen credit card?

  • by vbezhenaron 8/9/2019, 8:58:37 PM

    Those attacks would not work if they did not enable JavaScript on every website by default.