Hackers Exploited Two Firefox Zero-Days In An Attempt To Attack Coinbase Employees


The volatility of online money and cryptocurrencies has once again been highlighted, as recent reports reveal that hackers exploited a Firefox zero-day to target the San Francisco crypto exchange Coinbase and its employees.

A recent development concerning zero-day vulnerabilities in the Firefox browser (previously reported to have been exploited in the wild) revealed that attackers are chaining two of those vulnerabilities together to target crypto exchanges.

Philip Martin, a member of the Coinbase security team and the one who reported the attacks, said that the hackers exploited not one but two zero-days to carry out their attacks.

“On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day Firefox sandbox escape, to target Coinbase employees,” Martin said.

Mozilla patches up zero-day with an update

Yesterday, Mozilla released version 67.0.3 of the Firefox browser to address the critical zero-day vulnerability. Samuel Groß, a security researcher with the Google Project Zero team, and the Coinbase security team are credited with discovering the Firefox zero-day, tracked as CVE-2019-11707.

Groß said in an interview that he had reported the zero-day he discovered to Mozilla in April 2019, and highlighted that the bug would have allowed a remote attacker to execute code inside a victim’s browser, but that the attacker would have needed a separate sandbox escape bug to run code on the underlying OS.

“tl;dr an integer overflow in the code responsible for loading script tags leads to an out-of-bounds write past the end of a mmap chunk. One way to exploit this includes placing a JavaScript heap behind the buffer and subsequently overflowing into its metadata to create a fake free cell. It is then possible to place an ArrayBuffer instance inside another ArrayBuffer’s inline data. The inner ArrayBuffer can then be arbitrarily modified, yielding an arbitrary read/write primitive. From there, it is quite easy to achieve code execution,” wrote the researcher about the zero-day he discovered.
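The root cause Groß describes, a length computed in fixed-width integer arithmetic that wraps and lets a bounds check pass before an out-of-bounds write, is the classic pattern worth recognising in any buffer-growing code. The following is an added, constructed illustration written for this article; it is not Firefox code and does not reproduce the bug in Mozilla's script loader. It shows a toy "accumulate script text" buffer (`ScriptBuf`, `unchecked_needed`, `append_checked` and the `SCRIPT_MAX_BYTES` limit are all assumed names and values) with the weak size arithmetic next to a hardened version that uses the compiler's overflow-checked builtins and a hard size cap, so the write can never be reached with a wrapped length.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not Firefox's code: a growable buffer that
 * accumulates chunks of script text as they arrive. */
typedef struct {
    uint8_t *data;
    uint32_t len;   /* bytes in use */
    uint32_t cap;   /* bytes allocated */
} ScriptBuf;

/* Weak pattern: the new length is computed in plain 32-bit arithmetic.
 * If len + add wraps past UINT32_MAX the result is tiny, a "needed <= cap"
 * check passes, and the memcpy that would follow writes `add` bytes past
 * the end of the allocation. Only the size decision is modelled here so
 * it can be inspected without performing the out-of-bounds write. */
uint32_t unchecked_needed(uint32_t len, uint32_t add) {
    return len + add;  /* silently wraps */
}

int unchecked_check_passes(const ScriptBuf *b, uint32_t add) {
    return unchecked_needed(b->len, add) <= b->cap;
}

/* Hardened version: overflow-checked addition plus an explicit policy
 * limit on the total size (assumed value for this example). Returns 0 on
 * success, -1 if the size would overflow or exceed the limit, -2 if the
 * allocator fails. */
#define SCRIPT_MAX_BYTES (64u * 1024u * 1024u)

int append_checked(ScriptBuf *b, const uint8_t *chunk, uint32_t add) {
    uint32_t needed;
    if (__builtin_add_overflow(b->len, add, &needed) || needed > SCRIPT_MAX_BYTES)
        return -1;                      /* rejected before any memory is touched */
    if (needed > b->cap) {
        /* Doubling cannot overflow here: needed <= SCRIPT_MAX_BYTES, so
         * newcap stays below 2 * SCRIPT_MAX_BYTES. */
        uint32_t newcap = b->cap ? b->cap : 64;
        while (newcap < needed) newcap *= 2;
        uint8_t *p = realloc(b->data, newcap);
        if (!p) return -2;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, chunk, add);
    b->len = needed;
    return 0;
}

void scriptbuf_free(ScriptBuf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

int main(void) {
    /* Length fields only (no real 4 GiB allocation) to show the wrapped check. */
    ScriptBuf big = { NULL, 0xFFFFFFF0u, 0x100000u };
    uint8_t chunk[32] = {0};  /* constructed sample input */
    printf("unchecked: needed=0x%x check_passes=%d (would write past the buffer)\n",
           unchecked_needed(big.len, 32u), unchecked_check_passes(&big, 32u));
    printf("checked:   rc=%d (refused)\n", append_checked(&big, chunk, 32u));

    ScriptBuf ok = { NULL, 0, 0 };
    const char *s = "console.log('hello')";
    append_checked(&ok, (const uint8_t *)s, (uint32_t)strlen(s));
    printf("normal append: len=%u cap=%u\n", ok.len, ok.cap);
    scriptbuf_free(&ok);
    return 0;
}
```

The design point is that the hardened path makes two decisions explicit that the weak path leaves implicit: whether the arithmetic itself is exact (`__builtin_add_overflow`, available in GCC and Clang), and whether the resulting size is one the program is prepared to honour at all (`SCRIPT_MAX_BYTES`). Either check alone would have stopped the wrapped length in the example.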

In a separate interview, the researcher said that “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape” to run code on the underlying operating system.

“However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals,” he added.

And it appears that the zero-day was exploited along with the sandbox escape two months after the researcher had reported his discovery to Mozilla. According to Catalin Cimpanu, a tech reporter at ZDNet, there are several possible explanations for what happened, given the uncertainty over how the hackers got hold of the RCE bug’s details to use in their attacks. He wrote that the attackers could have discovered the same RCE bug on their own, or obtained the information from an insider with access to Mozilla’s security bugs portal. He also raised the possibility that the hackers compromised a Mozilla employee’s account and accessed the security section of the Bugzilla portal, or that they hacked the Bugzilla portal itself, similar to an incident from 2015.

Cryptocurrency companies are targeted by the attacks

It was fortunate that the attack, which chained the two Firefox zero-days into a single exploit deployed against Coinbase employees, was flagged early and prevented by Coinbase engineers.

Had the hack succeeded, the attackers could have gained access to the crypto company’s back-end servers, which would have allowed them to steal funds from the exchange. The same technique has been used by other attackers in the past, leading to massive losses among crypto companies and damaging their reputations.

“We walked back the entire attack, recovered and reported the 0-day to Firefox, pulled apart the malware and [infrastructure] used in the attack, and are working with various orgs to continue burning down [the] attacker’s infrastructure and digging into the attacker involved,” Martin said.

“We’ve seen no evidence of exploitation targeting customers,” Martin said, adding that other cryptocurrency-linked organizations have also been targeted by this group. “We are working to notify other orgs we believe were also targeted,” he added.
