[CB19] Coinbase and the Firefox 0-day by Philip Martin

•

0 likes•126 views

On June 17th, 2019, Coinbase detected and blocked an attempt by an attacker to leverage two Firefox 0-days to target Coinbase employees. The cryptocurrency industry has to expect attacks of this sophistication to continue, and by building infrastructure with excellent defensive posture and working with each other to share information about the attacks we’re seeing, we’ll be able to defend ourselves and support the crypto economy. Coinbase CISO Philip Martin will give a deep dive into the 0-day attack, how Coinbase detected and responded, and how the industry can better prepare for future attacks of this kind.

Presentations & Public Speaking

About Me
I’m Philip Martin, the CISO at Coinbase
Ex-Palantir, Amazon, Sun and US Army

00 – Intro
01 – Attack Timeline and Overview
02 – Phase Deep Dives
Agenda
03 –Response and Lessons Learned
04 – Wrap Up & Questions

Phase 1
Recon
Attackers develop
~200 potential targets
they think are related
to cryptocurrency in
some way.
Phase 2
Weaponization
Attackers develop/acquire firefox
0-days, access to Cambridge
University accounts and build
implants
Phase 3
Delivery
Attackers conduct their phishing
campaign and target vetting,
eventually delivering exploit code
to ~5 individuals
Phase 4/5/6
Exploitation, Installation & C2
Attackers cause victims to visit a web page hosted
on the Cambridge domain which delivers the Firefox
0-days and triggers built-in shellcode to download a
phase 1 implant, which then conducts on-system
recon and downloads a phase 2 implant if directed
Phase 7
Actions on Target
Attackers attempt to target obvious credential
stores, & documents. (we know less about
attacker intentions here as we stopped the
intrusion within minutes of it landing on a
corporate system
12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

Attacker Info
Active since 2016 & not covered
by any TI firm we know
● The first indication of
activity we can find for this
group is around 2016.
● There is essentially no
english-language coverage
of this group
Likely the same actor that
breached CoinCheck
● Based on a report from
Japan’s Cyber Emergency
Center, there is significant
TTP overlap between our
attacker and the one they
describe.
Has dropped at least half a
dozen 0-day
● Reading the reporting, this
attacker has dropped
somewhere around 6 0-
days over the last 3 years.
● IMO one of the more
dangerous actors in crypto

Our Response / Lessons Learned
Visibility is king
● Our time to detect was fast
because we’re fanatical
about visibility and
coverage.
● We’re also fanatical about
alert quality. If the team
gets a page, they have to
know it’s legit.
Rapid response playbooks,
tabletops, practice, practice,
practice
● We had a 20 minute time to
containment because we
practice on a regular basis.
● If you can’t do it drunk at
3AM christmas morning,
you can’t do it
0-day is in your threat model (if
you’re in cryptocurrency)
● I hope this is not a surprise
to anyone here, but if you’re
defending a cryptocurrency
company this should drive
home to you that 0-day is
legitimately in your threat
model.

Any Questions?
(BTW, if this sounds like a fun set of challenges then I’ve probably got
an open role that you’d love… https://coinbase.com/careers)

Similar to [CB19] Coinbase and the Firefox 0-day by Philip Martin

Ransomware and email security ver - 1.3

Denise Bailey

Phishing: Analysis and Countermeasures

IRJET Journal

Cyber Threat 2019 NCSC-SANS London Conference - Mandiant Grab Bag of Attacker...

MitchellClarke14

Everything You Need to Know About BlueKeep

Ivanti

DEVSECOPS_the_beginning.ppt

schwarz10

Security Solution - IBM Business Connect Qatar Defend your company against cy...

Dalia Reda

Presentation defend your company against cyber threats with security solutions

xKinAnx

Cyber crime and cyber security

Keshab Nath

CS 1.ppt

JAYANTHKUMARTM

CS155 Computer Security at Stanford University

Rick Patterson

Issa jason dablow

ISSA LA

Famous script kiddie groups The evolution of script kiddies Conclusion FAQs 1. Introduction As technology continues to advance, so do the threats that accompany it. Hackers, who once were a rare breed of computer experts, have become more and more common. Among these hackers, there is a category known as script kiddies. While they lack the skills of more experienced hackers, they can still cause significant damage to businesses and individuals. 2. What are script kiddies? Script kiddies are individuals who use existing tools and techniques to launch attacks against computer systems and networks without fully understanding how they work. They are often young, inexperienced, and lack the technical knowledge required to create their own tools and exploits. Instead, they rely on pre-packaged tools and scripts to carry out attacks. 3. How do script kiddies operate? Script kiddies typically use automated tools to scan for vulnerable systems and networks. Once they identify a potential target, they use pre-written scripts and tools to exploit any vulnerabilities they find. These attacks can take many forms,Famous script kiddie groups The evolution of script kiddies Conclusion FAQs 1. Introduction As technology continues to advance, so do the threats that accompany it. Hackers, who once were a rare breed of computer experts, have become more and more common. Among these hackers, there is a category known as script kiddies. While they lack the skills of more experienced hackers, they can still cause significant damage to businesses and individuals. 2. What are script kiddies? Script kiddies are individuals who use existing tools and techniques to launch attacks against computer systems and networks without fully understanding how they work. They are often young, inexperienced, and lack the technical knowledge required to create their own tools and exploits. Instead, they rely on pre-packaged tools and scripts to carry out attacks. 3. How do script kiddies operate? Script kiddies typically use automated tools to scan for vulnerable systems and networks. Once they identify a potential target, they use pre-written scripts and tools to exploit any vulnerabilities they find. These attacks can take many forms,Famous script kiddie groups The evolution of script kiddies Conclusion FAQs 1. Introduction As technology continues to advance, so do the threats that accompany it. Hackers, who once were a rare breed of computer experts, have become more and more common. Among these hackers, there is a category known as script kiddies. While they lack the skills of more experienced hackers, they can still cause significant damage to businesses and individuals. 2. What are script kiddies? Script kiddies are individuals who use existing tools and techniques to launch attacks against computer systems and networks without fully understanding how they work. They are often young, inexperienced, and lack the technical knowledge required to create their own tools and exploit

What Are Script Kiddies.pdf

uzair

Internship brochure

FixNix Inc.,

IRJET- A Survey on Android Ransomware and its Detection Methods

IRJET Journal

Lessonplan-1.docx

ALVAREZAPRILROSE

IRJET- Ethical Hacking Techniques and its Preventive Measures for Newbies

IRJET Journal

Lessonplan-1 (1).docx

ALVAREZAPRILROSE

The primary objective for analysis of web application penetration test is to identify exploitable vulnerabilities in applications before hackers are able to discover and exploit them. Web application penetration testing will reveal real-world opportunities for hackers to be able to compromise applications in such a way that allows for unauthorized access to sensitive data or even take-over systems for malicious/non-business purposes.

Analysis of web application penetration testing

Engr Md Yusuf Miah

CYBERSECURITY TRACK.pptx

levimax2

Cisco cybersecurity essentials chapter 3

Mukesh Chinta

Similar to [CB19] Coinbase and the Firefox 0-day by Philip Martin (20)

Ransomware and email security ver - 1.3

Phishing: Analysis and Countermeasures

Cyber Threat 2019 NCSC-SANS London Conference - Mandiant Grab Bag of Attacker...

Everything You Need to Know About BlueKeep

DEVSECOPS_the_beginning.ppt

Security Solution - IBM Business Connect Qatar Defend your company against cy...

Presentation defend your company against cyber threats with security solutions

Cyber crime and cyber security

CS 1.ppt

CS155 Computer Security at Stanford University

Issa jason dablow

What Are Script Kiddies.pdf

Internship brochure

IRJET- A Survey on Android Ransomware and its Detection Methods

Lessonplan-1.docx

IRJET- Ethical Hacking Techniques and its Preventive Measures for Newbies

Lessonplan-1 (1).docx

Analysis of web application penetration testing

CYBERSECURITY TRACK.pptx

Cisco cybersecurity essentials chapter 3

More from CODE BLUE

It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...

CODE BLUE

Most 5G networks are built in fundamentally new ways, opening new hacking avenues. Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks. The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.

[cb22] Tales of 5G hacking by Karsten Nohl

CODE BLUE

Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe. Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker? In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...

CODE BLUE

While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

ハッカーたちの間では、セキュリティ向上のために研究を共有することの重要性が何年も前から知られていた。一方、協調して脆弱性を開示することの重要性も、世界中の政府によってますます認識されるようになってきた。情報開示とセキュリティ研究者の保護という原則は国境を越えて共通であるものの、国によって重要な違いがある。本パネルでは、重要な公共政策や企業の行動に影響を与える可能性のあるグローバルな視点を提示する。 ENISAは、2022年4月に「EUにおける脆弱性開示政策の調整」を発表した。本報告書では、EU加盟国における脆弱性開示の協調政策の現状を客観的に紹介するだけでなく、中国、日本、米国における脆弱性開示の運用を紹介している。それらを踏まえて、協調的な脆弱性開示プロセスに望ましい要素やベストプラクティスの要素を検討し、その後、課題や問題点について議論する予定。本報告書の内容を共有し、日本における運用の課題と今後の方向性、米国における国家安全保障と脆弱性対応の課題を、各法域の代表者とのパネルディスカッションで明らかにすることを目的としています。パネリストは、日本では早期警戒パートナーシップ通知機関の実務に携わる方々、欧州では上記報告書の執筆者、米国では上記報告書の寄稿者日本では、脆弱性対応における体制意識、インセンティブ、未処理案件の増加、いわゆるトリアージなどの課題が紹介される予定米国からは、国家安全保障のための脆弱性情報の開示方針（Vulnerabilities Equities Process）、脆弱性研究の不起訴方針の公表などを紹介するとともに、この問題の歴史的背景を紹介する。パネルディスカッションを通じて、脆弱性開示政策を取り巻く国際情勢や今後の動向、特にサイバーセキュリティにおける脆弱性の重要な役割とそれを取り巻く社会が抱える課題について参加者に理解していただくことを目的とする。

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（4） by 板橋博之

CODE BLUE

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

CODE BLUE

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

CODE BLUE

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

CODE BLUE

Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year). At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365. Currently, he is learning about ROP derivative technology and embedded equipment security.

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

CODE BLUE

2021年10月、Lazarusグループに関連する可能性が高いユニークなローダーであるWSLinkの最初の分析を公開。ほとんどのサンプルは難読化され、高度な仮想マシン（VM）難読化機能で保護されている。サンプルには明確なアーティファクトが含まれておらず、当初は難読化を公的に知られているVMと関連付けなかったが、後にそれをCodevirtualizerに接続することに成功。このVMは、ジャンクコードの挿入、仮想オペランドの暗号化、仮想オペコードの重複、難読化手法仮想命令のマージ、ネストされたVMなど、いくつかの追加の難読化技術を導入する。本発表では、VMの内部を分析し、合理的な時間で難読化技術を「見抜く」ための半自動化されたアプローチについて説明する。また、難読化されたバイトコードと難読化されていないバイトコードを比較し、本手法の有効性を紹介する。われわれの手法は、仮想オペコードのセマンティクスを抽出する既知の難読化解除手法に基づいており、単純化規則によるシンボリック実行を使用。さらに、バイトコードチャンクとVMの内部構成を記号ではなく、具体的な値として扱い、既知の難読化手法で追加の難読化技術を自動的に処理できるようにする。

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

CODE BLUE

In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM. Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

CODE BLUE

Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials. The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals. CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle. In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust. In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection. In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

CODE BLUE

Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists. China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace. In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace. We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

CODE BLUE

Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration. In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

CODE BLUE

Goで書かれたマルウェアは年々増加している。Goはクロスプラットフォームの性質を持っており、複数のプラットフォームを標的にしたい攻撃者にとって好都合な言語である。その一方で、ライブラリが静的にリンクされていることからユーザ関数とライブラリの区別が難しく、アナリストにとって解析が困難である。そうした状況で、Goマルウェアの分類や探索の需要が高まっている。本講演ではgimpfuzzyという新たな提案手法を用いてGoマルウェアに対し類似性の計算や分類が可能であることを検証する。われわれは既存手法であるgimphashにFuzzy Hashingを組み込んだ「gimpfuzzy」を新たに実装した。講演では提案手法を利用した分類の判別率を検証し、分類された結果の中からいくつかの事例を取り上げその妥当性について確認する。また、Goマルウェアの分類における課題についても検討を行う予定である。

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

CODE BLUE

Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg. For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad. Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations. After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

CODE BLUE

We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware. To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed. * Malware C2 Monitoring * Malware Hunting using Cloud * YARA CI/CD system * Malware Analysis System on Cloud * Memory Forensic on Cloud Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

CODE BLUE

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...

[cb22] Tales of 5G hacking by Karsten Nohl

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（4） by 板橋博之

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

Recently uploaded

• For a full set of 390+ questions. Go to https://skillcertpro.com/product/aws-data-engineer-associate-dea-c01-exam-questions/ • SkillCertPro offers detailed explanations to each question which helps to understand the concepts better. • It is recommended to score above 85% in SkillCertPro exams before attempting a real exam. • SkillCertPro updates exam questions every 2 weeks. • You will get life time access and life time free updates • SkillCertPro assures 100% pass guarantee in first attempt.

AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf

SkillCertProExams

ICT role in 21st century education and it's challenges.pdf

Islamia university of Rahim Yar khan campus

I had the honour of presenting my reflections on the autobiography of Professor Isaac Folorunso Adewole, titled "Uncommon Grace." As someone deeply invested in documentation and history, I found Professor Adewole's decision to narrate his journey from humble beginnings to occupying one of the highest offices in the land both inspiring and invaluable. In this eloquently written memoir, Professor Adewole provides a comprehensive account of his life, from his ancestral roots to his time as Minister of Health in Nigeria. The unique aspect of this autobiography is that he portrayed himself authentically without taking the help of third-party narratives, which is often seen in accounts of high-ranking officials. His upbringing was greatly influenced by his father's commitment to education. He became a prominent figure in advocating for the rights of the underprivileged through trade unionism. His story is one of unwavering determination, resilience, and faith. His experiences, including both successes and struggles, provide priceless lessons on leadership, perseverance, and the alignment of personal values with public service. While reading "Uncommon Grace," I was struck by the deep leadership lessons that are embedded within its chapters. Professor Adewole stresses the importance of inclusivity, servant leadership, and planning, which are all highly relevant in today's complex world. His commitment to accountability, as well as his primary responsibility as a researcher, serves as a guiding light for aspiring leaders across various disciplines. During his tenure as the Vice Chancellor of the University of Ibadan, he led with visionary leadership and transformative impact. His accomplishments have been meticulously documented in the book, which can serve as a blueprint for rejuvenating institutions and promoting academic excellence. In the latter part of his autobiography, Professor Adewole shares his experiences as a Minister, detailing the challenges he faced while serving the public with integrity and courage. His reflections on the complexities of public service, coupled with his commitment to the well-being of the nation, offer practical insights for policymakers and citizens alike. I have carefully read "Uncommon Grace" and it is more than just a memoir. It is a timeless book that is hard to put down once you start reading. While intellectuals may continue to debate whether uncommon grace was made possible by uncommon preparation or the other way around, I applaud Professor Adewole for sharing his ideas, knowledge, and experience with the public. I highly recommend this book to everyone.

Uncommon Grace The Autobiography of Isaac Folorunso

Kayode Fayemi

Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...

Hasting Chen

Dreaming Marissa Sánchez Music Video Treatment

nswingard

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service

Delhi Call girls

My Presentation "In Your Hands" by Halle Bailey

hlharris

The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf

Senaatti-kiinteistöt

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services

Pooja Nehwal

Introduction to Prompt Engineering (Focusing on ChatGPT)

Chameera Dedduwage

Report Writing Webinar Training

KylaCullinane

Thirunelveli call girls Tamil escorts 7877702510

Vipesco

lONG QUESTION ANSWER PAKISTAN STUDIES10.

lodhisaajjda

Causes of poverty in France presentation.pptx

CamilleBoulbin1

Dreaming Music Video Treatment _ Project & Portfolio III

NhPhngng3

Presentation on Engagement in Book Clubs

samaasim06

SaaStr Workshop Wednesday w/ Lucas Price, Yardstick

saastr

Yesterday in Lagos, I had the honour of delivering a lecture titled “If this Giant Must Walk; Manifesto for a New Nigeria“ at the Inaugural Memorial Lecture of Prince Emeka Obasi, founder and publisher of Business Hallmark and the inspirational figure behind the Public Policy Research and Analysis Centre - promoters of the revered Zik Leadership and Governance Awards. My lecture focused on the challenges of nation-building in Nigeria and how we can approach them in a way that promotes progress and unity. I discussed the many sources of concern about our country’s future prospects, including violent conflicts, revisionist contestations of the Amalgamation Act of 1914, discontent with the Nigerian economy, and dysfunctions in the federal system. Central to my lecture was the call to address these challenges by crafting a new manifesto for Nigeria. This manifesto, I proposed, should champion integrity, compassion, character, competence, and commitment to national unity and progress within a framework of democratic governance and cultural diversity. I firmly believe that by doing so, we can guide Nigeria to stride forward with pride and purpose. I want to thank the Board and Management of the Public Policy Forum for their kind invitation to speak at this important event and for their commitment to promoting public policy research and analysis in Nigeria. My gratitude also to the late Prince Emeka Obasi, a true inspiration and a builder of bridges across divides, for his contributions to the country. My thoughts are with his family and loved ones.

If this Giant Must Walk: A Manifesto for a New Nigeria

Kayode Fayemi

ANCHORING SCRIPT FOR A CULTURAL EVENT.docx

NikitaBankoti2

I had the honour of delivering the Keynote Address at the 34th Annual Conference of the Nigerian Political Science Association (NPSA) in Lokoja. The conference theme, "Governance and Nation-Building in Nigeria: Some Reflections on Options for Policy," is relevant and timely. The challenges of nation-building are manifesting worldwide, including our continent and country. Violent conflicts and subterranean discord and discontent are prevalent, and the revival of irredentist ethno-regional and religious identities further complicates the situation. I believe that the conference was a great opportunity to discuss these challenges and reflect on practical policy options. I salute the President of the NPSA, Professor Hassan Saliu, for his leadership and the Executive Committee's effort to mobilize the membership despite a paucity of resources and the prevailing tough economic times. I am optimistic that the NPSA will continue to thrive, and I urge all of us to work towards the continued stability and unity of our country.

Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...

Kayode Fayemi

Recently uploaded (20)

AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf

ICT role in 21st century education and it's challenges.pdf

Uncommon Grace The Autobiography of Isaac Folorunso

Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...

Dreaming Marissa Sánchez Music Video Treatment

BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service

My Presentation "In Your Hands" by Halle Bailey

The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services

Introduction to Prompt Engineering (Focusing on ChatGPT)

Report Writing Webinar Training

Thirunelveli call girls Tamil escorts 7877702510

lONG QUESTION ANSWER PAKISTAN STUDIES10.

Causes of poverty in France presentation.pptx

Dreaming Music Video Treatment _ Project & Portfolio III

Presentation on Engagement in Book Clubs

SaaStr Workshop Wednesday w/ Lucas Price, Yardstick

If this Giant Must Walk: A Manifesto for a New Nigeria

ANCHORING SCRIPT FOR A CULTURAL EVENT.docx

Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...

[CB19] Coinbase and the Firefox 0-day by Philip Martin

1. Coinbase and the Firefox 0-day

2. About Me I’m Philip Martin, the CISO at Coinbase Ex-Palantir, Amazon, Sun and US Army

3. 00 – Intro 01 – Attack Timeline and Overview 02 – Phase Deep Dives Agenda 03 –Response and Lessons Learned 04 – Wrap Up & Questions

4. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

5. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

6. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

7. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

8. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

10.

11.

12.

13. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

14.

15.

16.

17. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

18. Phase 1 Recon Attackers develop ~200 potential targets they think are related to cryptocurrency in some way. Phase 2 Weaponization Attackers develop/acquire firefox 0-days, access to Cambridge University accounts and build implants Phase 3 Delivery Attackers conduct their phishing campaign and target vetting, eventually delivering exploit code to ~5 individuals Phase 4/5/6 Exploitation, Installation & C2 Attackers cause victims to visit a web page hosted on the Cambridge domain which delivers the Firefox 0-days and triggers built-in shellcode to download a phase 1 implant, which then conducts on-system recon and downloads a phase 2 implant if directed Phase 7 Actions on Target Attackers attempt to target obvious credential stores, & documents. (we know less about attacker intentions here as we stopped the intrusion within minutes of it landing on a corporate system 12 May 2019 2 June 2019 17 June 2019 17 June 2019 17 June 2019

19. Attacker Info Active since 2016 & not covered by any TI firm we know ● The first indication of activity we can find for this group is around 2016. ● There is essentially no english-language coverage of this group Likely the same actor that breached CoinCheck ● Based on a report from Japan’s Cyber Emergency Center, there is significant TTP overlap between our attacker and the one they describe. Has dropped at least half a dozen 0-day ● Reading the reporting, this attacker has dropped somewhere around 6 0- days over the last 3 years. ● IMO one of the more dangerous actors in crypto

20. Our Response / Lessons Learned Visibility is king ● Our time to detect was fast because we’re fanatical about visibility and coverage. ● We’re also fanatical about alert quality. If the team gets a page, they have to know it’s legit. Rapid response playbooks, tabletops, practice, practice, practice ● We had a 20 minute time to containment because we practice on a regular basis. ● If you can’t do it drunk at 3AM christmas morning, you can’t do it 0-day is in your threat model (if you’re in cryptocurrency) ● I hope this is not a surprise to anyone here, but if you’re defending a cryptocurrency company this should drive home to you that 0-day is legitimately in your threat model.

21. Any Questions? (BTW, if this sounds like a fun set of challenges then I’ve probably got an open role that you’d love… https://coinbase.com/careers)

Editor's Notes

Good morning Defcon, thanks for coming out! When I saw the time slot, 10 AM Friday morning, I was a little concerned you might all be sleeping (because I would be, if I wasn’t giving this talk). Really appreciate that you came out and hopefully I’ll give you a fair trade for that effort! What we are going to talk about is an attack by what I think is one of the most dangerous attacker groups in crypto today. This attack targeted cryptocurrency companies, leveraged 2 Firefox 0-days and extensive social engineering. We’re going to spend the next 50 minutes breaking down the attack, how it happened and highlighting a few of the lessons we learned along the way. I’m happy to say that we caught it early when it came out way, customer/corporate funds were never at risk, and were able to detect, respond and contain within minutes and fully remediate/recover within a day or so (although I’m not positive the engineer of ours who was exploited has opened his email again since). But I’m getting ahead of myself...
Hi folks, my name is Philip Martin. I’m the CISO at Coinbase. For those of you that don’t know of us, the way I like to describe our business is that we run the world’s largest and highest stakes Security Capture The Flag. My job is to protect our flags. But really, we’re a cryptocurrency company that stores upwards of 20 billion dollars of digital assets with users across the world and all over the spectrum of technical sophistication. My background is a mix of US Government and Private Sector experience.
Topic and Motivation We’re going to start by walking through the attack, breaking it down into phases so we can talk about each chunk individually (although in real life I doubt the attackers serialized things quite that much) Then we’ll cover how/why we detected the attack (spoiler alert: it was not magic cyber AI) and what lessons we learned from this event. Finally I’ll answer your questions. My guess is I’m going to get more questions than normal in this session, so I’m going to cut myself with about 15 minutes left and if there aren’t 15 minutes of questions, well, you can talk among yourselves for a bit before the next speaker.
Give the quick story
This is the phase we know the least about. We know the attackers put together a list of about 200 people for the initial target set We know the attackers mostly targeted personal email addresses We know they got a few of the initial targets very wrong (e.g. not involved in cryptocurrency at all), but they got the vast majority right As we’ll talk about later, they seemed more interested in IT/infra/eng/security than most, but the initial list cut a pretty broad swath and included a little bit of everything We DONT know where they did their research or what their data sources were We suspsect fairly standard OSINT practices. We DONT know how long this phase lasted or how far in advance the data was collected LEAD OUT: One final note, we don’t really know in what order this occured. We’re assuming that the attackers had the target list ready to go while waiting for a suitable 0-day to pop up, but it could have been the other way around. Assuming we’re right, the attackers next moved into weaponization of their exploit
This is a pretty rich topic area and I’ve lumped both the exploit dev and access to the Cambridge University systems (although we don’t know when the attackers got that access). As you folks already likely know, the attacker leveraged 2 chained exploits CVE-2019–11707 (JIT exploit) and CVE-2019–11708 (sandbox escape). CVE-2019–11707 was a simultaneous(ish) discovery by the attacker and by Samuel Gross of Project Zero. We were able to share the in-the-wild exploit for the bug with him and he has a nice writeup on twitter that covers the differences. Tl;dr the in-the-wild exploit looks like a variant of CVE-2019-9810 (made public in mid-April), so likely someone hunting for this bug pattern, or even specifically a variant of that specific bug. CVE-2019–11708 is more interesting to me. This was the sandbox escape that the attacker used to hop from the browser to the OS. While the underlying mechanism that is exploited has been in firefox for quite a while, the specific way these attackers chose to trigger it has only been possible since 12 May. The attackers seem to have finished getting their operational infra in place on or around the end of May (the attackers registered the domain they used to host the actual 0-day on 28 May). That means, assuming they found the bug right away, about a 2-week cycle from discovery to weaponization as part of an exploit chain. (assumptions: they had the 0-day ready before the phishing went out; they didn’t know about the underlying issue before this change was made). NEXT
In this phase, the attackers also gained access to the Cambridge University accounts they used to actually send the phishing (more on that later). Cambridge allows accounts to host content in home directories under the top level cambridge domain. The attackers used this ability to clone, modify and store legitimate Cambridge pages used in both the social engineering and exploit phases of the attack. The use of the legitimate Cambridge domain gave the attackers a huge leg up in establishing trust with their victims. Don’t know much about the Cambridge side of this equation. Real people? Fake accounts? How long did they have access? Had they leveraged this for other attacks?
This is my favorite phase. The attackers start to send their spearphishing. This is what it looked like...
There were at least 2 variants, one using the Adam Smith prize and one using the Adams Prize (next)
The attackers took at least some effort to give the right message to the right person. If you responded and said something like “I’m not an engineer”, the attackers ceased contact. If you replied with interest the attackers...
Sent you a followup like this. A few days later, the attackers would follow up with...
A message like this. Here finally we get to the actual exploitation. The entire exchange took between 10 days and 2 weeks for most people.
And now we’re in exploitation land. That last URL was a legitimate copy of a login page for Cambridge’s IdP. with two small changes.
A bit of javascript to make sure you were a target that matched their desired profile Note that they seem to want firefox on mac or any other OS. We saw no indication of other exploits being used in this campaign.
This is what you’d see if you visited the site and were not in their target profile.
And the inclusion of the actual exploit code. analyticsfit.com is an attacker controlled domain that was used to host the actual 0-day javascript.
Assuming the exploit landed, your browser would shell out to curl and pull down a stage one implant. If running over, defer to blog post The stage 1 binary was a variant of the Netwire family. While this implant is capable of acting as a fully-featured RAT, the attackers seem to use it mostly as an initial recon and credential theft payload. Delay before stage 2 downloads. The stage 2 payload is a variant of the Mokes family. The attackers seem to use this implant as a full-fledged RAT. We’ve observed activity of the stage 2 implant consistent with direct human control. Our assumption is that stage 1 only advances to stage 2 where the attackers believe they have landed on a host of value.
We stopped the attack on our employee’s system within about 20 minutes, so we don’t have a ton of really good data. We’ve had access to other systems where the attacker was present longer, but without good endpoint logs we’re basing a lot of assumptions on dead-box forensics. The attackers seem to do a fairly basic automated credential pillage in stage 1. We see evidence that, in stage 2, they also target browser credential stores and session tokens. They are interested in pivoting from the endpoint to cloud systems (email, file storage, etc). There is some Japanese-language reporting on these attackers as well that goes into some additional depth.
If you’re a cryptocurrency company, you need to take these folks seriously. They are focused on our industry, they are well funded and operationally skilled with access to 0-days on a regular basis.
RESPONSE Much of this is in the blog post, won’t repeat that. We detected the attack based on defined unusual behaviors (e.g. firefox shelling out, executions from /tmp, unknowns processes touching sensitive directories like .ssh, .aws, etc). LESSONS Visibility is king Our time to detect was fast because we’re fanatical about visibility and coverage. We’re also fanatical about alert quality. If the team gets a page, they have to know it’s legit. Rapid response playbooks, tabletops, practice, practice, practice We had a 20 minute time to containment because we practice on a regular basis. If you can’t do it drunk at 3AM christmas morning, you can’t do it 0-day is in your threat model (if you’re in cryptocurrency) I hope this is not a surprise to anyone here, but if you’re defending a cryptocurrency company this should drive home to you that 0-day is legitimately in your threat model. OTHER STUFF Use of personal email Some cases of personal device compromise
I hope this has been a useful view into this attack and threat actor. I’d be remis if I didn’t mention we’re hiring, including roles in security operations, appsec, threat intel, security engineering, privacy, GRC, etc

[CB19] Coinbase and the Firefox 0-day by Philip Martin

Recommended

Recommended

More Related Content

Similar to [CB19] Coinbase and the Firefox 0-day by Philip Martin

Similar to [CB19] Coinbase and the Firefox 0-day by Philip Martin (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (20)

[CB19] Coinbase and the Firefox 0-day by Philip Martin

Editor's Notes