
Firefox Issues Another Fix to Stop Attacks on Browser

Hackers abused two flaws in Firefox to distribute macOS malware targeting the cryptocurrency exchange Coinbase. 'We've seen no evidence of exploitation targeting customers. (But) We were not the only crypto org targeted in this campaign,' Coinbase's IT security head said.

By Michael Kan
June 20, 2019

Hackers have been abusing not one but two flaws in the Firefox browser to secretly deliver macOS malware to employee computers at the cryptocurrency exchange Coinbase.

Two days ago, Mozilla issued a patch to fix the first vulnerability, which grabbed headlines for how hackers were actively exploiting it to take over computers. Now more details about the attacks have emerged: On Wednesday, Coinbase's chief information security officer Philip Martin revealed that the Firefox flaw was used to target machines used by company employees.

"We've seen no evidence of exploitation targeting customers. (But) We were not the only crypto org targeted in this campaign," he said over Twitter. "We are working to notify other orgs we believe were also targeted."

According to Martin, the attacks leveraged an additional "sandbox escape" flaw in Firefox that let the hackers remotely execute code on the affected computers and deliver macOS malware known as Netwire. "We walked back the entire attack," he said, noting Coinbase detected and then blocked the activity on Monday. In addition, the company has captured samples of the malware, which are now available on Chronicle's VirusTotal, a repository for computer viruses and malicious code.

According to VirusTotal, most security software fails to detect the Netwire macOS malware as a threat.

In response to the attack, Firefox's developer, Mozilla, issued another patch to fix the second "sandbox escape" flaw. To install it, update the browser to version 67.0.4.

"It should be noted that the first patch we deployed was effective in eliminating the primary threat initially reported and this second patch and subsequent update was done to block this avenue from being exploited in any subsequent malicious attacks when paired with a potential new bug," said Selena Deckelmann, a senior director of engineering at Firefox.

As for the Netwire malware involved, security researchers have been analyzing the captured samples. Brandon Levene, head of applied intelligence at the security firm Chronicle, told PCMag the malicious code appears to be a backdoor, which can steal information from the machine.

Mac security researcher Patrick Wardle was also given a sample of the malware from an apparent victim of the attacks. In a blog post, Wardle said the mysterious hackers launched their scheme by sending a phishing email claiming to come from a mathematical awards organization at the University of Cambridge. Inside the email was a link to a website, which was designed to trigger the Firefox vulnerabilities and deliver the macOS malware.

Wardle said the Netwire malware was first discovered in 2012 by the antivirus firm Dr. Web, and that it was originally designed to steal passwords from both macOS and Linux systems. A separate security researcher, Vitali Kremez, has also found Netwire samples that have targeted Windows computers.
