Popular
cryptocurrency
exchange
Coinbase
is
the
latest
well-known
online
brand
name
that’s
admitted
to
getting
breached.
The
company
decided
to
turn
its
breach
report
into
an
interesting
mix
of
partial
mea
culpa
and
handy
advice
for
others.
As
in
the
recent
case
of
Reddit,
the
company
couldn’t
resist
throwing
in
the
S-word
(sophisticated),
which
once
again
seems
to
follow
the
definition
offered
by
Naked
Secuity
reader
Richard
Pennington
in
a
recent
comment,
where
he
noted
that
‘Sophisticated’
usually
translates
as
‘better
than
our
defences’.
We’re
inclined
to
agree
that
in
many,
if
not
most,
breach
reports
where
threats
and
attackers
are
described
as
sophisticated
or
advanced,
those
words
are
indeed
used
relatively
(i.e.
too
good
for
us)
rather
than
absolutely
(e.g.
too
good
for
everyone).
Coinbase
confidently
stated,
in
the
executive
summary
at
the
start
of
its
article:
Fortunately,
Coinbase’s
cyber
controls
prevented
the
attacker
from
gaining
direct
system
access
and
prevented
any
loss
of
funds
or
compromise
of
customer
information.
But
that
apparent
certainty
was
undermined
by
the
admission,
in
the
very
next
sentence,
that:
Only
a
limited
amount
of
data
from
our
corporate
directory
was
exposed.
Unfortunately,
one
of
the
favourite
TTPs
(tools,
techniques
and
procedures)
used
by
cybercriminals
is
known
in
the
jargon
as
lateral
movement,
which
refers
to
the
trick
of
parlaying
information
and
access
acquired
in
one
part
of
a
breach
into
ever-wider
system
access.
In
other
words,
if
a
cybercriminal
can
abuse
computer
X
belonging
to
user
Y
to
retrieve
confidential
corporate
data
from
database
Z
(in
this
case,
fortunately,
limited
to
employee
names,
e-mail
addresses,
and
phone
numbers)…
…then
saying
that
the
attacker
didn’t
“gain
direct
system
access”
sounds
like
a
rather
academic
distinction,
even
if
the
sysadmins
amongst
us
probably
understand
those
words
to
imply
that
the
criminals
didn’t
end
up
with
a
terminal
prompt
at
which
they
could
run
any
system
command
they
wanted.
Tips
for
threat
defenders
Nevertheless,
Coinbase
did
list
some
of
the
cybercriminal
tools,
techniques
and
procedures
that
it
experienced
in
this
attack,
and
the
list
provides
some
useful
tips
for
threat
defenders
and
XDR
teams.
XDR
is
a
bit
of
a
buzzword
these
days
(it’s
short
for
extended
detection
and
response),
but
we
think
that
the
simplest
way
of
describing
it
is:
Extended
detection
and
response
means
regularly
and
actively
looking
for
hints
that
someone
is
up
to
no
good
in
your
network,
instead
of
waiting
for
traditional
cybersecurity
detections
in
your
threat
response
dashboard
to
trigger
a
response.
Obviously,
XDR
doesn’t
mean
turning
off
your
existing
cybersecurity
alerting
and
blocking
tools,
but
it
does
mean
extending
the
range
and
nature
of
your
threat
hunting,
so
that
you’re
not
only
searching
for
cybercriminals
once
you’re
fairly
certain
they’ve
already
arrived,
but
also
watching
out
for
them
while
they’re
still
getting
ready
to
attempt
an
attack.
The
Coinbase
attack,
reconstructed
from
the
company’s
somewhat
staccato
account,
seems
to
have
involved
the
following
stages:
-
TELLTALE
1:
An
SMS-based
phishing
attempt.
Staff
were
urged
via
SMS
to
login
to
read
an
important
corporate
notification.
For
convenience,
the
message
included
a
login
link,
but
that
link
went
to
a
bogus
site
that
captured
usernames
and
passwords.
Apparently,
the
attackers
didn’t
know,
or
didn’t
think,
to
get
hold
of
the
2FA
(two-factor
authentication
code)
they’d
need
to
go
along
with
the
username
and
password,
so
this
part
of
the
attack
came
to
nothing.
We
don’t
know
how
2FA
protected
the
account.
Perhaps
Coinbase
uses
hardware
tokens,
such
as
Yubikeys,
that
don’t
work
simply
by
providing
a
six-digit
code
that
you
transcribe
from
your
phone
to
your
browser
or
login
app?
Perhaps
the
crooks
failed
to
ask
for
the
code
at
all?
Perhaps
the
employee
spotted
the
phish
after
giving
away
their
password
but
before
revealing
the
final
one-time
secret
needed
to
complete
the
process?
From
the
wording
in
the
Coinbase
report,
we
suspect
that
the
crooks
either
forgot
or
couldn’t
find
a
believable
way
to
capture
the
needed
2FA
data
in
their
fake
login
screens.
Don’t
overestimate
the
strength
of
app-based
or
SMS-based
2FA.
Any
2FA
process
that
relies
merely
on
typing
a
code
displayed
on
your
phone
into
a
field
on
your
laptop
provides
very
little
protection
against
attackers
who
are
ready
and
willing
to
try
out
your
phished
credentials
immediately.
Those
SMS
or
app-generated
codes
are
typically
limited
only
by
time,
remaining
valid
for
anywhere
between
30
seconds
and
a
few
minutes,
which
generally
gives
attackers
long
enough
to
harvest
them
and
use
them
before
they
expire.
-
TELLTALE
2:
A
phone
call
from
someone
who
said
they
were
from
IT.
Remember
that
this
attack
ultimately
resulted
in
the
criminals
acquiring
a
list
of
employee
contact
details,
which
we
assume
will
end
up
sold
or
given
away
in
the
cybercrime
underground
for
other
crooks
to
abuse
in
future
attacks.
Even
if
you
have
tried
to
keep
your
work
contact
details
confidential,
they
may
already
be
out
there
and
widely-known
anyway,
thanks
to
an
earlier
breach
you
might
not
have
detected,
or
to
a
historical
attack
against
a
secondary
source,
such
as
an
outsourcing
company
to
which
you
once
entrusted
your
staff
data.
-
TELLTALE
3:
A
request
to
install
a
remote-access
program.
In
the
Coinbase
breach,
the
social
engineers
who’d
called
up
in
the
second
phase
of
the
attack
apparently
asked
the
victim
to
install
AnyDesk,
followed
by
ISL
Online.
Never
install
any
software,
let
alone
remote
access
tools
(which
allow
an
outsider
to
view
your
screen
and
to
control
your
mouse
and
keyboard
remotely
as
if
they
were
sitting
in
front
of
your
computer)
on
the
say-so
of
someone
who
just
called
you,
even
if
you
think
they
are
from
your
own
IT
department.
If
you
didn’t
call
them,
you’ll
almost
certainly
never
be
sure
who
they
are.
-
TELLTALE
4:
A
request
to
install
a
browser
plugin.
In
the
Coinbase
case,
the
tool
that
the
crooks
wanted
the
victim
to
use
was
called
EditThisCookie
(an
ultra-simple
way
of
retrieving
secrets
such
as
access
tokens
from
a
user’s
browser),
but
you
should
refuse
to
install
any
browser
plugin
on
the
say-so
of
someone
you
don’t
know
and
have
never
met.
Browser
plugins
get
almost
unfettered
access
to
everything
you
type
into
your
browser,
including
passwords,
before
they
get
encrypted,
and
to
everything
your
browser
displays,
after
it’s
been
decrypted.
Plugins
can
not
only
spy
on
your
browsing,
but
also
invisibly
modify
what
you
type
in
before
it’s
transmitted,
and
the
content
you
get
back
before
it
appears
on
the
screen.
What
to
do?
To
repeat
and
develop
the
advice
we’ve
given
so
far:
-
Never
login
by
clicking
on
links
in
messages.
You
should
know
where
to
go
yourself,
without
needing
“help”
from
a
message
that
could
have
come
from
anywhere. -
Never
take
IT
advice
from
people
who
call
you.
You
should
know
where
to
call
up
yourself,
to
reduce
the
risk
of
being
contacted
by
a
scammer
who
knows
exactly
the
right
time
to
jump
in
and
appear
to
be
“helping”
you. -
Never
install
software
on
the
say-so
of
an
IT
staffer
you
haven’t
verified.
Don’t
even
install
software
that
you
yourself
consider
safe,
because
the
caller
will
probably
direct
you
to
a
booby-trapped
download
into
which
malware
has
already
been
added. -
Never
reply
to
a
message
or
call
by
asking
if
it’s
genuine.
The
sender
or
caller
will
simply
tell
you
what
you
want
to
hear.
Report
suspicious
contacts
to
your
own
security
team
as
soon
as
you
can.
In
this
case,
Coinbase
says
its
own
security
team
was
able
to
use
XDR
techniques,
spotting
unusual
patterns
of
activity
(for
example,
attempted
logons
via
an
unexpected
VPN
service),
and
to
intervene
within
about
10
minutes.
This
meant
that
the
individual
under
attack
not
only
broke
off
all
contact
with
the
criminals
right
away,
before
too
much
harm
was
done,
but
knew
to
be
extra-careful
in
case
the
attackers
came
back
with
yet
more
ruses,
cons
and
so-called
active
adversary
trickery.
Make
sure
you’re
a
human
part
of
your
company’s
XDR
“sensor
network”,
too,
along
with
any
technological
tools
your
security
team
has
in
place.
Giving
your
active
defenders
more
to
go
on
that
just
“VPN
source
address
showed
up
in
access
logs”
means
they’ll
be
much
better
equipped
to
detect
and
respond
to
an
active
attack.
LEARN
MORE
ABOUT
ACTIVE
ADVERSARIES
In
real
life,
what
really
works
for
the
cybercrooks
when
they
initiate
an
attack?
How
do
you
find
and
treat
the
underlying
cause
of
an
attack,
instead
of
just
dealing
with
the
obvious
symptoms?
LEARN
MORE
ABOUT
XDR
AND
MDR
Short
of
time
or
expertise
to
take
care
of
cybersecurity
threat
response?
Worried
that
cybersecurity
will
end
up
distracting
you
from
all
the
other
things
you
need
to
do?
Take
a
look
at
Sophos
Managed
Detection
and
Response:
24/7
threat
hunting,
detection,
and
response ▶
LEARN
MORE
ABOUT
SOCIAL
ENGINEERING
Join
us
for
a
fascinating
interview
with
Rachel
Tobac,
DEFCON
Social
Engineering
Capture
the
Flag
champ,
about
how
to
detect
and
rebuff
scammers,
social
engineers
and
other
sleazy
cybercrimimals.
No
podcast
player
showing
below?
Listen
directly
on
Soundcloud.
About Author
