True Zero-Days: Marketing Speak Versus Reality for Coinbase
Type “zero-day protection” into your favorite search engine and a who’s who of security vendors appears, in both the organic and the sponsored results. Almost every security vendor claims to protect users against zero-day attacks, yet ransomware, phishing e-mails, and data breaches fill the headlines of major publications daily. Vendors take many different approaches to zero-day protection: process monitoring, application whitelisting, heuristics, and file scanning. As detection techniques advance, so do attackers’ tools, techniques, and procedures. Last month, two genuine zero-day exploits for the Firefox browser were used in an attempt to steal credentials and information from employees of the San Francisco-based cryptocurrency exchange Coinbase. The pair of exploits could have done a tremendous amount of damage, but the Coinbase security team detected and blocked them.
When a reporter asked bank robber Willie Sutton why he robbed banks, he is widely quoted as replying: “Because that’s where the money is!” That line was as true for Sutton in the 1950s as it is for cybercriminals today. The modern cybercriminal wants to make money any way possible, and cryptocurrency exchanges are highly attractive targets because of their massive holdings and the limited recourse an exchange has after a theft. Cryptocurrencies are decentralized by design, so no single authority or group of bodies can regulate, tax, or control the payment network. Bitcoin, for example, has a fixed supply: only about 21 million will ever exist, unlike the US dollar, Japanese yen, Mexican peso, or any other fiat currency, which governments can print at will. This gives users a great deal of freedom, but it is also ripe for abuse. The same irreversibility that stops a buyer from cancelling a payment after receiving the goods also prevents the return of stolen cryptocurrency. The FBI’s asset recovery team reports a roughly 75% chance of recovering funds from a fraudulent wire transfer if the affected parties notify the FBI within 48 hours. By contrast, the chance of recovery is close to zero the moment a fraudulent cryptocurrency transaction is confirmed. Cryptocurrency exchanges have lost billions of dollars to cyber attacks. The once-popular Bitcoin exchange Mt. Gox was famously hit by an attack that let attackers withdraw the same Bitcoin multiple times, eventually driving it into insolvency. When attackers try to convert their ill-gotten gains into fiat cash, sometimes they are caught; sometimes they get away scot-free.
Understanding why cryptocurrency exchanges are such attractive targets explains why attackers go to so much trouble to attack them, including burning two zero-days. The attackers spear-phished Coinbase employees with links to a malicious website hosting code that exploited a remote code execution (RCE) bug in Firefox. Zero-day exploits against Firefox are rare; the previous one had been reported about two and a half years earlier, when a vulnerability was used to deanonymize Tor Browser users. On its own, an RCE of this kind is contained by Firefox’s sandbox, which confines the exploited code to the browser’s content process and shields the underlying operating system. The attackers therefore paired the RCE with a second zero-day, a sandbox escape, to run arbitrary code on the operating system itself. Analysis of the payload indicates the attackers intended to deploy credential-stealing malware, harvest employee credentials, and use them to reach Coinbase’s backend systems and steal a significant amount of cryptocurrency. Payloads were tailored for both macOS and Windows hosts running Firefox.
What is striking is that Mozilla, the organization that develops Firefox, had known about the RCE bug for two months before the Coinbase attack: Google’s Project Zero reported it. Under Project Zero’s disclosure policy Mozilla had 90 days to patch the vulnerability, but Mozilla did not treat it as urgent enough to fix within the first 60 days. Once Mozilla learned that attackers had combined the RCE with a sandbox escape, it patched both vulnerabilities immediately. At the time of writing it is unclear how the attackers obtained the RCE zero-day. They may have discovered it independently, bought it on a dark market, pulled the details from Mozilla’s bug tracking system through a compromised employee account, or broken into the bug tracking portal as attackers did in 2015.
That bug tracking portal would be a gold mine for attackers, giving them a view of exploitable bugs before Mozilla patches them. Coinbase was able to reconstruct how the attackers tried to get in because it records network traffic and could replay the steps leading up to the attempted compromise. Through careful forensic analysis, the Coinbase security team pinpointed the indicators of compromise and alerted Mozilla. That data let Coinbase not only stop the attack but also understand what happened so it could prevent a recurrence. Coinbase does not believe it was the only cryptocurrency exchange targeted and is working with other exchanges to head off further attacks. At the time of writing, Coinbase’s security team, together with Mozilla and other industry groups, is working to dismantle the infrastructure used to launch the attack. With over 80% of today’s internet traffic encrypted with SSL or TLS, organizations must inspect encrypted traffic for malicious downloads, command-and-control callbacks, and data exfiltration. As TLS 1.3 and perfect forward secrecy become the norm, recording encrypted traffic for later decryption and analysis becomes much harder: with ephemeral session keys, even a copy of the server’s private key no longer decrypts a captured session.
Attackers are well aware of this: the privacy and security that TLS 1.3 and perfect forward secrecy bring to users also make it harder for organizations to scan all encrypted traffic for malware. The actual URLs used in the attack had not been published at the time of writing, but attackers routinely host malicious content on well-known services such as cloud storage providers or Microsoft Azure, because many “good enough” security products trust these destinations on reputation alone and never scan them.
The most effective approach to zero-day detection and protection is a cloud sandbox paired with a web proxy that performs SSL inspection at scale. A sandbox detonates unknown code in a controlled virtual environment and observes its behavior to decide whether it is malicious or benign. A cloud sandbox protects users wherever they are, without forcing them to full-tunnel VPN their traffic back to a data center that hosts the security stack. A web proxy is the right place to perform sandbox analysis because it can quarantine a file, holding the download until the analysis completes and returns a benign verdict. Many sandbox deployments instead run in TAP mode, where a copy of the data is sent for review while the user is allowed to download the file; by the time a malicious verdict comes back, the payload has already landed. Finally, SSL inspection is a must-have for today’s internet-connected workforce: with over 80% of traffic encrypted, malicious content slips through undetected unless all traffic is inspected.
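The gating difference between an inline proxy and TAP mode, and the cost of exempting reputation-trusted hosts, as an added example in Python (an illustration written for this article, not code from Coinbase, Mozilla, or any vendor product). The allowlisted hosts, the file contents, and the marker-based sandbox verdict are all constructed stand-ins; a real sandbox derives its verdict from observed behaviour, and a real proxy would have to terminate TLS to see the file at all.

```python
"""Inline gating of unknown downloads: hold the file until a sandbox verdict
exists, and never let destination reputation bypass inspection.
Added illustration for this article; not code from any vendor product.
"""
import hashlib
from dataclasses import dataclass

# Constructed: hosts a reputation-only filter would wave through unscanned.
REPUTATION_ALLOWLIST = {"blob.core.windows.net", "storage.googleapis.com"}

# Verdict cache keyed by SHA-256 of the file body, shared by both modes.
# In a real deployment this is the sandbox's result store.
KNOWN_VERDICTS = {}


@dataclass
class Download:
    host: str
    path: str
    body: bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def simulated_detonation(body: bytes) -> str:
    """Stand-in for running the file in a sandbox VM. A real sandbox watches
    behaviour (process creation, persistence, callbacks); this constructed
    version keys off a marker string so the example is deterministic."""
    return "malicious" if b"CONSTRUCTED_CREDSTEALER_MARKER" in body else "benign"


def reset_cache() -> None:
    KNOWN_VERDICTS.clear()


def gate_inline(dl: Download, trust_reputation: bool = False) -> dict:
    """Inline proxy: the client receives nothing until a verdict exists.
    With trust_reputation=True the proxy skips inspection for allowlisted
    hosts, which is the 'good enough' behaviour the article warns about."""
    if trust_reputation and dl.host in REPUTATION_ALLOWLIST:
        return {"delivered": True, "inspected": False, "verdict": None}
    digest = sha256(dl.body)
    verdict = KNOWN_VERDICTS.get(digest)
    if verdict is None:
        # First sighting: quarantine the file and wait for detonation.
        verdict = simulated_detonation(dl.body)
        KNOWN_VERDICTS[digest] = verdict
    return {"delivered": verdict == "benign", "inspected": True, "verdict": verdict}


def gate_tap(dl: Download) -> dict:
    """TAP mode: a copy goes to the sandbox but the original is released at
    once. Only an already-cached malicious verdict can block; a first-seen
    payload always reaches the user before its verdict arrives."""
    digest = sha256(dl.body)
    cached = KNOWN_VERDICTS.get(digest)
    if cached == "malicious":
        return {"delivered": False, "inspected": True, "verdict": cached}
    KNOWN_VERDICTS[digest] = simulated_detonation(dl.body)  # asynchronous in reality
    return {"delivered": True, "inspected": True, "verdict": cached}


# Constructed sample downloads: a dropper staged on a trusted cloud host
# and a harmless document from the same host.
DROPPER = Download("blob.core.windows.net", "/updates/ff-hotfix.exe",
                   b"MZ...CONSTRUCTED_CREDSTEALER_MARKER...")
REPORT = Download("blob.core.windows.net", "/docs/q2-report.pdf", b"%PDF-1.7 ...")


def run_scenarios() -> dict:
    """Compare the three policies on the same first-seen dropper."""
    results = {}
    reset_cache()
    results["reputation_bypass"] = gate_inline(DROPPER, trust_reputation=True)
    reset_cache()
    results["tap_first_seen"] = gate_tap(DROPPER)
    results["tap_second_seen"] = gate_tap(DROPPER)
    reset_cache()
    results["inline_first_seen"] = gate_inline(DROPPER)
    results["inline_benign"] = gate_inline(REPORT)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>18}: {outcome}")
```

Running the scenarios shows the three outcomes side by side: reputation bypass delivers the dropper without ever inspecting it, TAP mode delivers it on first sight and can only block the second victim, and the inline gate is the only policy that stops the first download while still letting the benign document through.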
Coinbase was fortunate to have security controls in place that detected and blocked these two zero-days, but the job only gets harder as the arms race between security researchers and attackers escalates. A cloud sandbox with SSL inspection is a highly effective way to detect and block zero-day attacks. When organizations become the target of attacks like this, the average user does not stand a chance on their own. Keeping users behind an always-on cloud security service significantly reduces the risk of becoming the next cryptocurrency theft victim.