A recent cyberattack on Coinbase, one of the largest cryptocurrency exchanges globally, appears to have been carried out by the same threat group that targeted Twilio, Cloudflare and several other organizations last year. The attack appears to have been sophisticated in nature.
On Friday, Coinbase disclosed that its staff members were subjected to an SMS phishing attack on February 5th. The phishing scheme involved sending text messages to employees, instructing them to urgently log in to their account through a provided link. Although most workers disregarded the false alert, one employee clicked on the link and entered their login credentials.
Because Coinbase protects its employees’ accounts with two-factor authentication (2FA), the stolen credentials alone did not let the intruder in. The attacker was persistent, however: 20 minutes later, they contacted the victim while posing as a member of the company’s IT department.
The victim followed the hacker’s instructions and logged in to their computer. However, the suspicious activity raised concerns for Coinbase’s security team, who informed the targeted employee before the attacker could obtain significant access.
Coinbase acknowledged that the threat actor obtained limited employee contact information, such as names, email addresses, and phone numbers, during the SMS phishing campaign that targeted the exchange. The company assured its customers that their information remained uncompromised and that no funds were stolen.
According to Coinbase’s investigation, the attack was likely orchestrated by a sophisticated threat actor called 0ktapus, which has previously targeted Twilio, Cloudflare, and around 130 other organizations using similar SMS-based phishing messages.
0ktapus, also known as Scattered Spider, is a financially motivated group that has gained notoriety for its sophisticated attack techniques. In some instances, the group has targeted telecom and business process outsourcing (BPO) firms to gain access to mobile carrier networks and carry out SIM swapping.
Coinbase has shared the tactics, techniques, and procedures (TTPs) its security team observed during this attack.
Author: Eduard Kovacs