
Coinbase: Responding to Firefox 0-days in the wild - startupfounder
https://blog.coinbase.com/responding-to-firefox-0-days-in-the-wild-d9c85a57f15b
======
Deimorz
This was the original article that talked about this attempt:
[https://robertheaton.com/2019/06/24/i-was-7-words-away-from-...](https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/)

HN discussion:
[https://news.ycombinator.com/item?id=20283922](https://news.ycombinator.com/item?id=20283922)

------
londons_explore
Coinbase should be hiring pentesters and giving them employee level access -
even access to commit and deploy code.

Any insider shouldn't be able to steal more than the hot wallet, and even that
should be hard.

I actually _wouldn't_ put much effort into border security. At Coinbase's
level of risk, evildoers will have no qualms bribing an employee to install a
backdoor in their machine.

~~~
ryacko
The trouble is finding someone to bribe who won’t suddenly start buying new
things.

~~~
bravoetch
To follow through on that though, what makes you think that would be anything
noticeable? Suddenly a coinbase employee buys a cool car or other new toy...
So what? Nobody would think that was exceptional.

~~~
ryacko
I think this is why investigations require low levels of evidence to start,
but high levels of evidence to end.

Just because it isn’t exceptional doesn’t mean that it isn’t worth looking
into. People who are greedy are impulsive and are unlikely to hide an inflow
of cash.

~~~
ALittleLight
Theft isn't restricted to impulsive people though. It's mostly restricted to
people who think they'll get away with it. Clever and cautious people may
actually be able to.

~~~
ryacko
Uh.

Yes.

But things don’t disappear do they?

------
ChrisCinelli
> CVE-2019–11707 was simultaneously discovered by Samuel Groß of Google’s
> Project Zero and the attacker.

At least one other time in the last week I read on other threads on HN or
related links that vulnerabilities were found at almost the same time by
independent people.

Here we have a researcher from Google’s Project Zero and the attacker.

How do you explain these coincidences?

What is the chance that some prominent researchers are being targeted and their
systems are actually exploited?

~~~
lvh
This is not an uncommon phenomenon and not specific to vuln research. It
happens all the time in mathematics, the sciences... [0]

Far more likely: there is a related cause that made two people think to try
the same thing at approximately the same time. Someone publishes a new JIT
type confusion bug, someone realizes "oh man it never occurred to me that X
could trigger bug type Y", they start digging, and...

[0]:
[https://en.wikipedia.org/wiki/Multiple_discovery](https://en.wikipedia.org/wiki/Multiple_discovery)

~~~
ChrisCinelli
Thanks for the comment. I think where I read of the other synchronous
discovery it was hinting at what you wrote, but I deliberately wanted to hear
about the probability of researchers being compromised.

Maybe this is not the case, but if somebody has powerful means, knowledge of
how to do successful targeted attacks, and access to the right 0-days, it would
make sense that they can use their resources to find other 0-days in this way.

------
flyGuyOnTheSly
>We collected IOCs from the host in question and started hunting broadly in
our network. We did not see any of the IOCs anywhere else in our environment,
and blacklisted all the IOCs that we had at that time.

Can someone explain what they mean by IOCs?

~~~
CorralPeltzer
[https://en.wikipedia.org/wiki/Indicator_of_compromise](https://en.wikipedia.org/wiki/Indicator_of_compromise)

------
victor22
Remember, not your keys, not your bitcoin. Stay off coinbase.

~~~
notathing
> _A criminal gang operating in India kidnapped and tortured cryptocurrency
> traders in recent weeks before demanding 80 bitcoins as ransom, police say.
> Three men had been held captive for 15 days inside a high-rise building and
> were beaten or tortured... Not even their family members were aware of the
> abduction. The victims had lost all hope because they had no access to
> anyone_

[https://www.newsweek.com/cryptocurrency-traders-abducted-tor...](https://www.newsweek.com/cryptocurrency-traders-abducted-tortured-india-criminal-gang-arrested-bitcoin-ransom-1449274)

~~~
TooCleverByHalf
I'm confused why this is a response to the parent.

~~~
Izkata
It's the same argument as this xkcd:
[https://xkcd.com/538/](https://xkcd.com/538/)

Though granted it confuses keys for passwords.

------
anhldbk
I find this info interesting:

> The attackers went through a qualification process and multiple rounds of
> emails with potential victims, making sure they were high-payoff targets
> before they directed victims to the page containing the exploit payload.

It's a well-prepared plan combining social engineering and technical exploits.

------
xchaotic
This points to an actual use of the cryptocurrency - exploiting a 0-day against
someone who might have a crypto wallet means you can actually directly make
money off exploits. Prior to crypto, having a 0-day wasn't equal to the ability
to make blackhat money with it...

~~~
vageli
> This points to an actual use of the cryptocurrency - exploiting a 0-day
> against someone who might have a crypto wallet means you can actually
> directly make money off exploits. Prior to crypto, having a 0-day wasn't
> equal to the ability to make blackhat money with it...

Why would that be the case when it is not illegal to sell exploits?

~~~
rocqua
Selling exploits requires credibility, escrow, and deep contacts. Selling
bitcoin is a lot easier.

~~~
vageli
Ah so you mean leveraging the exploit for financial gain by using it
(ransomware) versus selling. That makes a ton of sense!

------
ianhawes
Interesting to me that the attackers were well equipped in their phish and
0days, but then opted to drop fairly detectable RATs.

~~~
staticassertion
Yeah, they could have moved processes before execing the shell. Detecting
"Firefox + Shell" is quite easy and standard, even in existing SIEMs.

Detecting "arbitrary program + shell" is at least moderately more difficult.

It's the attacker's dilemma though. They only need to trip one alarm to
trigger IR.
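A minimal version of the process-lineage check described above, as an added example (not from the Coinbase post or from anyone in this thread): it parses constructed audit-style records, flags a shell whose direct parent is a browser process, and, for the harder case where the attacker migrates to another process first, walks the full ancestry instead. The record format, field names and process names are assumptions.

```python
# Added example: parent/child process-lineage detection over constructed
# audit-style records. Field names (pid, ppid, comm) are assumptions.
from dataclasses import dataclass

SHELLS = {"sh", "bash", "zsh", "dash", "fish"}
# Browser processes that should never exec a shell while handling web content.
BROWSER_PROCS = {"firefox", "firefox-bin", "plugin-container"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    comm: str  # process name as an audit/EDR record would report it

def parse_events(lines):
    """Parse constructed 'pid=.. ppid=.. comm=..' records into ProcEvent objects."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(ProcEvent(int(fields["pid"]), int(fields["ppid"]), fields["comm"]))
    return events

def browser_spawned_shell(events):
    """Easy case: (parent, child) pairs where a browser process directly exec'd a shell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and e.comm in SHELLS and parent.comm in BROWSER_PROCS:
            hits.append((parent.comm, e.comm))
    return hits

def shells_with_browser_ancestor(events, max_depth=16):
    """Harder case: any shell whose ancestry (not just its parent) contains a browser."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.comm not in SHELLS:
            continue
        cur, depth = by_pid.get(e.ppid), 0
        while cur and depth < max_depth:  # walk up until a browser or the root
            if cur.comm in BROWSER_PROCS:
                hits.append((e.pid, cur.comm))
                break
            cur, depth = by_pid.get(cur.ppid), depth + 1
    return hits

# Constructed sample: a content process and firefox itself spawn sh (direct hits),
# a terminal spawns bash (benign), and firefox -> python3 -> bash (ancestry-only hit).
SAMPLE = """pid=100 ppid=1 comm=systemd
pid=210 ppid=100 comm=firefox
pid=215 ppid=210 comm=plugin-container
pid=220 ppid=215 comm=sh
pid=300 ppid=100 comm=gnome-terminal
pid=310 ppid=300 comm=bash
pid=400 ppid=210 comm=sh
pid=500 ppid=210 comm=python3
pid=510 ppid=500 comm=bash""".splitlines()
```

The direct check misses pid 510 (bash under python3 under firefox); the ancestry walk catches it, at the cost of more benign matches to triage.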

~~~
notathing
The biggest fail here was that 32 bit program warning, which probably alerted
the employee.

Notice that they didn't actually have an alert for Firefox+Shell, they
detected that later by inspecting the audit logs.

~~~
staticassertion
> We detected the attacker at this stage, based on a number of behaviors (e.g.
> Firefox shouldn’t spawn a shell).

They explicitly state it was one of the behaviors they detected as suspicious.

------
wyldfire
This is among the critical differences between MtGox and Coinbase.

~~~
ceejayoz
"We're not run by idiots"?

~~~
grubles
That doesn't explain listing Bitcoin Cash (Bcash) - an altcoin that shares its
mining algorithm with Bitcoin but only has a very small amount of hash rate
backing it. Any small Bitcoin miner can decide at any moment to switch to
mining Bitcoin Cash and cause block reorgs or mine blocks with no transactions
at all.

A similar event actually happened with another asset they offer - Ethereum
Classic.

[https://cointelegraph.com/news/ethereum-classic-51-attack-th...](https://cointelegraph.com/news/ethereum-classic-51-attack-the-reality-of-proof-of-work)

~~~
nostrademons
Much of this is because of forks - since they offered Bitcoin before the BCH
fork (and presumably ETH before the ETC fork), all of their customers who
owned one of these before the fork also own the new currency. So they have to
support custody for the currencies anyway (unless they want to deal with angry
customers saying "What happened to my BCH! Rightfully I own it"), and if they
don't support trading they'll get angry customers that say "Why can't I sell
my BCH?!?". (This is aggravated by potentially needing to send that BCH off to
another exchange, potentially not in the U.S., with worse regulatory
compliance, in order to sell.) So most of the work needed to support it has to
be done anyway to remain in legal compliance, and it's a small amount of
additional work for a large benefit to support trading.

~~~
grubles
That doesn't explain the favoritism for BCH over the multitude of other forks
(some worth $50-$100 per token) though. Why no Bitcoin Gold listing?

~~~
nostrademons
Sure enough, there are angry customers accusing Coinbase of stealing their
Bitcoin Gold:

[https://www.reddit.com/r/CoinBase/comments/7jtlgz/coinbase_s...](https://www.reddit.com/r/CoinBase/comments/7jtlgz/coinbase_stole_my_bitcoin_gold/)

IIRC BCH and ETC forked before BTG. They probably did two of them and then
asked themselves "Why are we doing this again?"

------
dmortin
Does it help in this case if one runs the browser in a sandbox? E.g. in
Docker?

They can then break out from the browser, but only get to docker with that
exploit, and it's unlikely they have a docker exploit too at hand, is it?

~~~
danieldk
_They can then break out from the browser, but only get to docker with that
exploit, and it's unlikely they have a docker exploit too at hand, is it?_

If you are running Firefox on X11 (which most Linux users probably still do),
you do not need to escape Docker. You can take screenshots, capture keystrokes,
and send keystrokes, all through the X11 socket.

(Furthermore, you do not need a Docker exploit, a Linux kernel exploit can be
enough to break out of a container. This is one of the reasons for e.g. gVisor
to implement syscalls in userland and in a safer language.)

Using VMs as e.g. Qubes OS does is probably a bit safer than a Docker
container.

~~~
MrRadar
> If you are running Firefox on X11 (which most Linux users probably still
> do), you do not need to escape Docker. You can make screenshot, capture
> keystrokes, and send keystrokes, all through the X11 socket.

Also, this is why Wayland is much more restrictive about these types of
operations. People love to complain that "I could do _thing_ with X without
special privileges" but the world has moved on since X was designed and it
absolutely has not kept up.

~~~
Avamander
People are totally right to complain about _basic_ features being left out;
not having a standard secured low-overhead video recording and
screenshotting is simply stupid and harmful for Linux.

------
auslander
> exploit code was delivered from a separate domain, analyticsfit[.]com

They paid some registrar for the domain. Can police request payment details?
Can someone buy domain on stolen credit card?

------
vbezhenar
Those attacks would not work if they did not enable JavaScript on every
website by default.

~~~
tyscorp
Those attacks would not work if everyone stopped using computers.

~~~
OrgNet
It's almost like the NSA designed all programming languages to ensure that it
would be impossible to make a perfect program.

~~~
NieDzejkob
I find the explanation of "to err is human" far more likely.

