Employees of Coinbase and other cryptocurrency firms were the target of an attack that used a recent Firefox zero-day and malware payloads to gain access to victims’ computers, networks, and sensitive information.
This past week, Mozilla released an emergency Firefox update to fix a critical remote code execution vulnerability that was actively used in targeted attacks in the wild. The bug was assigned CVE-2019-11707 and was stated to have been reported by both Google Project Zero vulnerability researcher Samuel Groß and Coinbase security.
According to tweets by Groß, he had reported the vulnerability to Mozilla on April 15th and was not aware of any targeted attacks at the time.
“I don’t have any insights into the active exploitation part. I found and then reported the bug on April 15.”
Groß also stated that while the vulnerability could be exploited for remote code execution, it would need to be chained with a sandbox escape vulnerability in order to affect the host operating system.
“The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker’s goals. Looking forward to more details from @mozsec and @coinbase”
Coinbase and other cryptocurrency firms targeted
More details emerged when Coinbase Chief Information Security Officer Philip Martin tweeted a thread describing how Coinbase and other cryptocurrency firms were the target of attacks utilizing this exploit.
According to Martin, Coinbase was the target of an attack that they were able to detect and walk back in order to discover and report the zero-day to Firefox.
“We walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and infra used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved.”
Martin further stated that these attacks were targeting employees and not customers, which means the goal was most likely to gain access to corporate information, stored cryptocurrency funds, or their networks.
“We’ve seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted. We’re also releasing a set of IOCs that orgs can use to evaluate their potential exposure”
According to Martin, the following payload hashes, at least one of which is a macOS payload, and Command & Control server IP addresses were used during the attack.
5/ Hashes (sha1):
b639bca429778d24bda4f4a40c1bbc64de46fa79
23017a55b3d25a2597b7148214fd8fb2372591a5
C2 IPs:
126.96.36.199:443
188.8.131.52:80
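One way to use the released IOCs to evaluate exposure, as an added example that is not code from Coinbase or any researcher quoted here: it refangs and parses the indicator text as printed on this page, then sweeps files by SHA-1 and connection logs by destination address. The `dst=IP:port` log format, the sample log lines and all function names are assumptions made for the example.

```python
import hashlib
import re
from pathlib import Path

# IOC text exactly as printed on this page: Martin's tweet and FireEye's defanged URL.
IOC_TEXT = """
Hashes (sha1): b639bca429778d24bda4f4a40c1bbc64de46fa79 23017a55b3d25a2597b7148214fd8fb2372591a5
C2 IPs: 126.96.36.199:443 188.8.131.52:80
hxxp://185.49.71[.]101/i/pwi_crs.exe
"""

# Constructed connection-log lines in a hypothetical "dst=IP:port" format.
SAMPLE_LOG = [
    "2019-06-18T09:14:02Z host=mac-017 dst=192.0.2.10:443",
    "2019-06-18T09:14:40Z host=mac-017 dst=126.96.36.199:443",
    "2019-06-18T09:15:11Z host=win-203 dst=188.8.131.5:80",
    "2019-06-18T09:16:27Z host=win-203 dst=185.49.71.101:80",
]

def parse_iocs(text):
    """Refang the text, then extract SHA-1 hashes and IPv4 addresses."""
    text = text.replace("[.]", ".").replace("hxxp", "http")
    sha1s = {h.lower() for h in re.findall(r"\b[0-9a-fA-F]{40}\b", text)}
    ips = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text))
    return sha1s, ips

def sha1_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def sweep_files(root, sha1s):
    """Return files under root whose SHA-1 is on the IOC list."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        try:
            if path.is_file() and sha1_of(path) in sha1s:
                hits.append(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
    return hits

def sweep_connections(lines, ips):
    """Return log lines whose destination IP exactly matches a listed C2 address."""
    pattern = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):\d+")
    return [ln for ln in lines if (m := pattern.search(ln)) and m.group(1) in ips]
```

Matching on the parsed address rather than on a substring keeps near-misses such as `188.8.131.5` from being reported as hits.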
According to security researcher Vitali Kremez, in conversations last night, this attack was most likely initiated by a phishing email that led to sites that acted as a gateway. When a visitor accessed one of these sites using Firefox, they would be redirected to another page that would use the Firefox zero-day exploits to drop malicious payloads on the computer.
From Phishing email to backdoors
In a report posted today by Mac security researcher and Digita Security founder Patrick Wardle, things become clearer regarding how users were targeted by the Firefox vulnerabilities.
In his blog post, Wardle states he was emailed by someone who claimed to have been targeted by a Firefox zero-day that dropped a program on their Mac and executed it. This user also claims to have recently been involved in a cryptocurrency exchange.
“Last week Wednesday I was hit with an as-yet-unknown Firefox 0day that somehow dropped a binary and executed it on my mac (10.14.5). Let me know if you would be interested in analysing the binary, might be something interesting in there wrt bypassing osx gatekeeper.”
Wardle was able to gain access to the phishing email that allegedly initiated these attacks. The email claimed to be from an “Adams Prize Organizer” named Neil Morris, who was requesting assistance from the target. It contained the now-defunct URL http://people.ds.cam.ac.uk/nm603/awards/Adams_Prize.
Dear XXX,
My name is Neil Morris. I'm one of the Adams Prize Organizers.
Each year we update the team of independent specialists who could assess the quality of the competing projects: http://people.ds.cam.ac.uk/nm603/awards/Adams_Prize
Our colleagues have recommended you as an experienced specialist in this field.
We need your assistance in evaluating several projects for Adams Prize.
Looking forward to receiving your reply.
Best regards,
Neil Morris
When a user visited this URL with Firefox, the exploit would drop a malicious payload on the computer.
The malicious application that was sent to Wardle was named Finder.app and is detected by VirusTotal as “Trojan.OSX.Netwire.10000027”. This trojan is a Remote Access Trojan, or RAT, that would allow an attacker to gain full access to the infected computer.
In addition to RAT capabilities, Netwire is designed to steal information from browsers and other applications.
IOCs connected to Windows payloads
Kremez also told BleepingComputer that the IOCs shared by Martin from this attack were also found in Windows malware that acts as an information stealer.
After reviewing the IOCs, Kremez found a Windows information-stealer that utilized the same Command & Control server IP address of 184.108.40.206:443 that Martin stated was used during the attack.
An image shared with BleepingComputer shows that the malware tries to steal information from browsers and mail clients.
This PE32 malware also includes an embedded “powercat” executable that will open a tunnel, and potentially a reverse shell, back to 220.127.116.11:443, which is the same IP address for a command and control server utilized in the attacks against Coinbase.
Kremez also noticed that the other C2 IP address shared by Martin, 18.104.22.168:80, was also discovered by FireEye in attacks utilizing the WinRAR ACE zero-day vulnerability. These attacks would download and install the Netwire RAT on an infected machine.
“Upon decoding, the commands are found to be “ok ok”, which we believe is the default C2 command. After some C2 communication, the C2 server responded with instructions to download the payload from hxxp://185.49.71[.]101/i/pwi_crs.exe, which is a Netwire RAT.”
As you can see, the actors behind these attacks appear to have a history of utilizing zero-day vulnerabilities to target victims with backdoors and information stealers. I am sure as more security researchers analyze these IOCs, more information will be released.