Firefox zero-day was used in attack against Coinbase employees, not its users

There were actually two zero-days -- not one -- combined into an exploit used in a spear-phishing attempt. Other cryptocurrency organizations were also targeted.

Coinbase

Logo: Coinbase // Composition: ZDNet

A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users, ZDNet has learned.

Furthermore, the attacks used not one, but two Firefox zero-days, according to Philip Martin, a member of the Coinbase security team, which reported the attacks to Mozilla.

"On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day Firefox sandbox escape, to target Coinbase employees," Martin said.

"Something is rotten in the state of Denmark"

Mozilla issued a patch following the Coinbase team's notification, a patch for which it also credited Samuel Groß, a security researcher with Google Project Zero security team.

Asked to comment on the Firefox zero-day earlier this week, Groß said he reported a bug in Firefox to Mozilla back on April 15.

Groß said the bug would have allowed a remote attacker to execute code inside a victim's browser, but that the attacker would have needed a separate sandbox escape bug to run code on the underlying OS.

It appears that two months after Groß reported this bug to Mozilla via the organization's private Bugzilla bug tracker, the bug was exploited in live attacks, along with a sandbox escape.

It is unclear how the Coinbase attackers got hold of this RCE bug's details to use it for their attacks. Several scenarios come to mind:

- the attackers discovered the same RCE bug on their own
- they obtained the info from an insider with access to Mozilla's security bugs portal
- they compromised a Mozilla employee's account and accessed the Bugzilla portal's security section
- or, they hacked the Bugzilla portal, similar to an incident from 2015

Attackers targeted Coinbase and other cryptocurrency orgs

Fortunately, the two Firefox bugs, which were chained into one single exploit and deployed against Coinbase employees, was detected by Coinbase staffers.

If successful, a hacker could have gained access to the Coinbase backend network and used this access to steal funds from the exchange -- a tactic that has been used numerous times in the past and has led to gigantic losses at many cryptocurrency exchanges before.

"We walked back the entire attack, recovered and reported the 0-day to Firefox, pulled apart the malware and [infrastructure] used in the attack, and are working with various orgs to continue burning down [the] attacker's infrastructure and digging into the attacker involved," Martin said.

"We've seen no evidence of exploitation targeting customers," Martin said, also adding that other cryptocurrency-linked organizations have also been targeted by this group.

"We are working to notify other orgs we believe were also targeted," he added.

According to indicators of compromised shared by Martin, attackers would send a spear-phishing email luring victims to a web page, where, if they used Firefox, the page would download and run an info-stealer on their systems that would collect and exfiltrate browser passwords, and other data. The attack was tailored for both Mac and Windows users, alike, with different malware for each OS.

Mozilla released on Tuesday Firefox 67.0.3 and Firefox ESR 60.7.1 to fix the reported zero-days. Earlier today, these fixes were also merged into the Tor Browser with the release of v8.5.2.

Updated on June 20, 15:00 ET: Mozilla has released a patch for the second zero-day described in this article. Users can update to Firefox 67.0.4 and Firefox ESR 60.7.2 to be protected against any attacks.

More browser coverage: