Coinbase Breach Incident Score: Analysis & Impact (COI4173641112625)

In this Rankiteo incident briefing, we review the Coinbase breach identified under incident ID COI4173641112625.

The analysis begins with a detailed overview of Coinbase's information like the linkedin page: https://www.linkedin.com/company/coinbase, the number of followers: 1329070, the industry type: Financial Services and the number of employees: 7242 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 571 and after the incident was 514 with a difference of -57 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Coinbase and their customers.

Coinbase recently reported "Coinbase Data Breach (December 2024)", a noteworthy cybersecurity incident.

Cryptocurrency platform Coinbase disclosed a data breach affecting 69,461 individuals, where cybercriminals bribed overseas support agents (allegedly in India) to steal customer data, including photos of passports, government IDs, names, dates of birth, partial Social Security...

The disruption is felt across the environment, and exposing Photos of passports, Government IDs and Names, with nearly 69,461 records at risk.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Termination of involved employees and Enhanced security measures, and began remediation that includes Tracing stolen funds, Flagging large withdrawals and $20M bounty for hacker information, and stakeholders are being briefed through Breach notification letters to 69,461 victims, Public disclosure via SEC filing and Media statements.

The case underscores how Ongoing (U.S. Justice Department investigation), with advisories going out to stakeholders covering Breach notifications to 69,461 affected individuals, SEC disclosure.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including bribed overseas support agents (allegedly in India) to steal customer data, and entry point such as Bribed overseas support agents (India) and Trusted Relationship (T1199) with high confidence (90%), with evidence including cybercriminals bribed overseas support agents, and insider Threat in attack_vector. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Private Keys (T1552.004) with moderate to high confidence (70%), with evidence including support agents likely had access to internal systems/credentials, and inadequate access controls/monitoring for support personnel. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), with evidence including stole sensitive customer data... passport photos, government IDs, names, dates of birth, partial SSNs, bank account details, and data from Local System implied by insider access to databases and Data from Information Repositories (T1039) with high confidence (90%), with evidence including bank account details, balances, and transaction histories (structured data repositories), and account Information in data_compromised. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (80%), with evidence including data exfiltration such as Yes, and bribed support agents likely used non-C2 channels (e.g., personal email/cloud storage) and Automated Exfiltration (T1020) with moderate to high confidence (75%), with evidence including large-scale theft of 69,461 records suggests automated collection/exfiltration, and images (passport/ID photos), Textual data implies bulk data transfer. Under the Impact tactic, the analysis identified Extortion (T1659) with high confidence (100%), with evidence including $20 million extortion payment demanded post-breach, and ransom demanded such as $20,000,000 (extortion attempt), Account Access Removal (T1531) with moderate to high confidence (85%), with evidence including termination of involved employees (post-incident, but implies threat actor had account access), and social engineering attacks... impersonating Coinbase to trick victims, and Spearphishing Service: Phishing for Information (T1598.003) with high confidence (95%), with evidence including hackers impersonating Coinbase to trick victims into transferring cryptocurrency, and social engineering attacks in attack_vector. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (70%), with evidence including no explicit evidence, but insider threat likely cleared logs/artifacts post-exfiltration, and inadequate access controls/monitoring suggests lack of detection until extortion and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (65%), with evidence including enhanced security measures post-breach implies prior defenses were bypassed/impaired, and insider access could disable monitoring for their actions. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate to high confidence (80%), with evidence including support agents may have created persistent access via cloud accounts, and valid Accounts such as Cloud Accounts (T1078.004) suggests potential for credential abuse. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.