
Coinbase Breach Incident Score: Analysis & Impact (METIMTCOITOK1772124856)

This Rankiteo video explains how Coinbase was affected by a cyber attack that Rankiteo first recorded on February 26, 2026.


Incident Summary

Rankiteo Incident Impact: -14
Company Score Before Incident: 191 / 1000
Company Score After Incident: 177 / 1000
Incident ID: METIMTCOITOK1772124856
Type of Cyber Incident: Cyber Attack
Primary Vector: Cloned download sites, trojanized apps, malicious provisioning profiles, injected .dylib files (iOS), malicious smali code (Android)
Data Exposed: Seed phrases, wallet addresses, balances, personally identifiable information (PII)
First Detected by Rankiteo: February 26, 2026
Last Updated Score: December 31, 2025



Key Highlights From This Incident Analysis

  • Timeline of the SeaFlower campaign and how trojanized wallet apps reach the devices of Coinbase Wallet users.
  • Overview of the affected data sets, including seed phrases, wallet addresses, balances and PII, and why they materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Coinbase's Rankiteo cyber score and cyber rating.
  • Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence levels.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Coinbase breach identified under incident ID METIMTCOITOK1772124856.

The analysis begins with an overview of Coinbase: its LinkedIn page (https://www.linkedin.com/company/coinbase), 1,329,070 followers, the industry type (Financial Services) and 7,242 employees.

The video then explains how Rankiteo's incident engine converts technical details into a normalized incident score. Coinbase's score was 191 before the incident and 177 after it, a change of -14, which serves as an indicator of the incident's severity and impact.

In the next step of the video, we analyze the incident and its impact on Coinbase and its customers in more detail.

A noteworthy cybersecurity incident involving Coinbase Wallet was reported under the title "SeaFlower: A Highly Sophisticated Web3 Wallet Hack Targeting Cryptocurrency Users".

A newly uncovered threat campaign, SeaFlower (藏海花), has been targeting users of popular Web3 cryptocurrency wallets with backdoored apps designed to steal seed phrases and drain funds.

The impact falls on iOS and Android devices running trojanized Web3 wallet apps. Exposed data includes seed phrases, wallet addresses, balances and personally identifiable information (PII); the financial loss takes the form of funds drained from the compromised wallets, and no total has been given.

Formal response steps have not been shared publicly yet.

The campaign is listed as ongoing and was discovered by Confiant analysts. The lessons teams are taking away are the growing sophistication of Web3-targeted threats, the risk of third-party download sources, and the need for stronger security measures in cryptocurrency wallet apps. Recommended next steps are to avoid downloading wallet apps from unofficial sources, to verify app authenticity through the official website or app store, and to use a hardware wallet for added security. The advisory to stakeholders is that users should immediately uninstall any suspicious wallet app and transfer funds to a secure wallet. Because the seed phrase itself is what is exfiltrated, the destination wallet must be created from a fresh seed on a clean device; moving funds to another address derived from the compromised seed offers no protection.

Finally, we map the incident to the MITRE ATT&CK framework to identify which tactics and techniques it correlates with.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence.

  • Initial Access: Phishing: Spearphishing Link (T1566.002), high confidence (90%), evidence: victims are lured through cloned download sites promoted via Chinese search engines; Drive-by Compromise (T1189), moderate to high confidence (80%), evidence: fake sites mimic official wallet pages, complete with fabricated ratings.
  • Execution: User Execution: Malicious File (T1204.002), high confidence (90%), evidence: trojanized apps trick users into installing them; Reflective Code Loading (T1620), moderate to high confidence (80%), evidence: the injected .dylib hooks into the app's runtime using Cydia Substrate.
  • Persistence: Boot or Logon Autostart Execution: XDG Autostart Entries (T1547.013), moderate to high confidence (70%), evidence: a provisioning profile download allows the app to bypass Apple's App Store security.
  • Privilege Escalation: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003), moderate confidence (60%), evidence: bypassing App Store security (iOS).
  • Defense Evasion: Masquerading: Match Legitimate Name or Location (T1036.005), high confidence (95%), evidence: pixel-perfect replicas of the legitimate apps, making detection nearly impossible; Obfuscated Files or Information (T1027), high confidence (90%), evidence: an obfuscated class (FKKKSDFDFFADS) decrypts an RSA-encrypted payload; Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006), moderate to high confidence (80%), evidence: the injected .dylib hooks into the app's runtime.
  • Credential Access: Unsecured Credentials: Private Keys (T1552.004), high confidence (95%), evidence: intercepting dataWithContentsOfFile:options:error: when MetaMask loads its JavaScript bundle; Credentials from Password Stores: Credentials from Web Browsers (T1555.003), moderate to high confidence (80%), evidence: theft of seed phrases, wallet addresses and balances.
  • Collection: Data from Local System (T1005), high confidence (90%), evidence: exfiltration of seed phrases, wallet addresses and balances.
  • Exfiltration: Exfiltration Over C2 Channel (T1041), high confidence (90%), evidence: data sent to attacker-controlled domains (e.g., trx.lnfura.org); Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002), moderate to high confidence (70%), evidence: abuse of Alibaba CDN.
  • Command and Control: Application Layer Protocol: Web Protocols (T1071.001), high confidence (90%), evidence: an HTTP POST request is sent to colnbase.homes when a seed phrase is saved; Web Service: Bidirectional Communication (T1102.002), moderate to high confidence (80%), evidence: infrastructure mimicking Infura (trx.lnfura.org).

Two of these mappings fit the cited evidence poorly and should be read with caution: T1547.013 (XDG Autostart Entries) and T1548.003 (Sudo and Sudo Caching) describe Linux and macOS desktop mechanisms, whereas the evidence concerns iOS sideloading through a provisioning profile, which is a distribution and trust-bypass step rather than an autostart entry or sudo abuse. The same dylib injection is also cited under both T1620 and T1574.006; a Substrate hook into the app's runtime is a dynamic-linker-level execution-flow hijack, so T1574.006 is the closer match. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
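The two network indicators above, trx.lnfura.org (lnfura with a lowercase L in place of the i of infura) and colnbase.homes (coinbase with an l in place of the i), are look-alike domains that a plain string match against a block-list would miss the moment the attacker registers a new variant. As an added detection example for this write-up (not code from Rankiteo, Confiant or Coinbase), the following Python script normalizes confusable characters and flags outbound requests to domains that impersonate a wallet vendor, with POSTs rated higher because the page describes the seed phrase being sent by HTTP POST at save time. The allow-list of legitimate domains, the confusable-character table, the proxy-log format and the log lines themselves are the example's own constructed assumptions; registrable-domain extraction takes the last two labels and does not use a public-suffix list, so two-part suffixes such as co.uk would be handled wrongly.

```python
"""Flag look-alike (typosquat) wallet-vendor domains in a proxy log.

Added example for this incident write-up; not Rankiteo's, Confiant's or
Coinbase's code. Brand list, confusable table and log lines are
constructed assumptions for the demonstration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumption: the legitimate registrable domains of the impersonated vendors.
LEGIT_DOMAINS = {"infura.io", "coinbase.com", "metamask.io"}
# Brand labels ("infura", "coinbase", "metamask"), sorted for deterministic matching.
BRAND_LABELS = sorted(d.split(".")[0] for d in LEGIT_DOMAINS)

# Assumption: a small confusable table; real confusables lists are far larger.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})

# Constructed proxy-log format: <timestamp> <client> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines; only the two page IoCs are malicious.
SAMPLE_LOG = """\
2022-06-13T10:01:02Z 10.0.0.5 GET https://api.infura.io/v3/abc 200
2022-06-13T10:01:07Z 10.0.0.5 POST https://trx.lnfura.org/api/v1/report 200
2022-06-13T10:02:11Z 10.0.0.9 POST https://colnbase.homes/save 200
2022-06-13T10:02:40Z 10.0.0.9 GET https://www.coinbase.com/ 200
2022-06-13T10:03:00Z 10.0.0.7 GET https://example.com/ 200
2022-06-13T10:03:30Z 10.0.0.7 GET https://metamask.io/download/ 200
""".splitlines()


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (no public-suffix list; assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def canonical(label: str) -> str:
    """Collapse visually confusable characters so lnfura and infura compare equal."""
    s = label.lower()
    for src, dst in MULTI_CHAR:
        s = s.replace(src, dst)
    return s.translate(SINGLE_CHAR)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches one-character typos the confusable table misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a host impersonates, or None if it is allow-listed or unrelated."""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return None  # genuine vendor domain, any subdomain
    label = canonical(reg.split(".")[0])
    for brand in BRAND_LABELS:
        cb = canonical(brand)
        # Same label under another TLD, a confusable swap, a one-edit typo,
        # or the brand embedded in a longer label all count as impersonation.
        if label == cb or levenshtein(label, cb) <= 1 or (cb in label and len(label) > len(cb)):
            return brand
    return None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse proxy-log lines and return the requests aimed at look-alike domains."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        brand = lookalike_brand(host)
        if brand is None:
            continue
        # A POST to a look-alike is the exfiltration pattern described on the page.
        severity = "high" if m["method"] == "POST" else "medium"
        hits.append({"ts": m["ts"], "src": m["src"], "method": m["method"],
                     "host": host, "mimics": brand, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["method"]} {hit["host"]} '
              f'mimics {hit["mimics"]} severity={hit["severity"]}')
```

Run as a script it prints the two hits, trx.lnfura.org (mimics infura) and colnbase.homes (mimics coinbase), both at high severity because they are POSTs, while the genuine api.infura.io, www.coinbase.com and metamask.io requests pass. The same logic applies unchanged to DNS query logs by feeding it the queried names; the trade-off to keep in mind is that a one-edit threshold on short brand names and the "rn" to "m" folding will produce occasional false positives (for example a label containing "learn"), so tune the brand list and threshold to the vendors your users actually run.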