A second zero-day found in Firefox was used to attack Coinbase employees; fix released in Firefox 67.0.4 and Firefox ESR 60.7.2

Fibo Quantum

Earlier this week, Mozilla fixed a zero-day vulnerability that was being actively exploited by attackers. It released another security update yesterday when the Coinbase Security team detected a second zero-day vulnerability in Firefox. This update has landed in Firefox 67.0.4 and Firefox ESR 60.7.2.

The two zero-day vulnerabilities

The first one was a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.” It enables an attacker to run malicious code inside Firefox’s native process. This vulnerability was reported by both Coinbase Security team and Samuel Groß, a security researcher with Google Project Zero security team. Groß has reported the vulnerability on Bugzilla back in April 15th.

Sharing the implications of the vulnerability, the tech researcher said, “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape to run code on an underlying operating system. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.

The second zero-day vulnerability was described as “sandbox escape using Prompt:Open” and is assigned CVE-2019-11708. This highly-critical vulnerability enables the escape of malware from the Firefox protected process and its execution on the targeted host. “Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” the advisory page reads.

The Coinbase attack

Not much detail was out about these attacks and vulnerabilities until yesterday when Martin Phil, Chief Information Security Officer at Coinbase, and his team detected an attack targeting Coinbase employees. Coinbase also said that the attacker might have targeted other cryptocurrency organizations as well. It is now notifying the organizations that it believes have been possibly targeted.

Fortunately, the attack was detected before it was able to do any damage. If it had been left undetected, the attacker could have gained access to the Coinbase backend network and stole funds from exchanges. Phil in his tweets also shared a couple of Indicators of Compromise (IOC) that will give the indication whether a system is affected or not.

Vitali Kremez who specializes in Information Security, Malware Hunting & Carding, Cybercrime Intelligence, speculated that these IOCs were linked to a username “powercat”.

Going by the IOCs, we can say that the attacker would have sent a spear-phishing email to lure victims to a web page. So, if the victims were using a vulnerable Firefox version, the web page would have downloaded and installed the malware on their systems.

The macOS backdoor attack

Not only cryptocurrency organizations, it looks like the attacker has also targeted other Firefox users as well. Yesterday, Patrick Wardle, a macOS security expert published an analysis of a Mac malware. This malware was sent by a user who claimed that it was installed in his fully updated Mac through Firefox’s zero-day vulnerability. Here’s how the email sent by the attacker to this user looked like:

Source: Objective-See

The malware that was installed on the user’s system was called Finder.app, the hash of which completely matched with one of the hashes provided by Martin.

This news sparked a discussion on Hacker News. Many users found it unsettling that Mozilla took two months to deliver the security patch to fix a very crucial bug report. “Really, that Mozilla would let a reported RCE vulnerability simmer for two months until it bit someone would seem to reflect very poorly on their priorities and competence,” a user commented.

Others were rather interested to know how Coinbase discovered this attack. A user commented, “I am more interested in how Coinbase employees discovered the attack. I am assuming nobody clicked the suspicious link and instead took it to a vm for reversing and analysis. It would have been game over if the exploit was actually executed on a non-sandboxed machine.

Read Next

Mozilla releases Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a zero-day vulnerability, being abused in the wild

Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons

Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms