Dark Web Profile: CoinbaseCartel

CoinbaseCartel is a financially motivated single-extortion threat actor that emerged in September 2025. It steals data rather than encrypting systems and threatens to publish it unless victims pay. It has claimed more than 160 victims worldwide, with initial access built largely on reused stolen credentials, and researchers have linked it to groups and aliases including ShinyHunters, Scattered Spider, Lapsus$, and shinysp1d3r.

Keypoints

  • CoinbaseCartel emerged in mid-September 2025 with a Tor-based leak site and an unusually aggressive debut of 10 to 17 victim listings.
  • The group uses a single-extortion model: it steals data, threatens publication on its leak site, and does not encrypt victim systems.
  • Researchers say CoinbaseCartel has claimed more than 160 victims across 36 countries and 17 industry verticals, with technology, healthcare, and logistics among the top targets.
  • Its operations are strongly associated with reused stolen credentials from infostealer logs, along with compromised VPN/RDP access, OAuth abuse, and cloud-service exploitation.
  • The group recruits partners and affiliates, but it is not a traditional RaaS operation: there is no ransomware payload to rent, and it offers fixed-fee and revenue-sharing arrangements instead.
  • CoinbaseCartel has advertised a budget above $2 million USD for zero-day exploits, suggesting strong underground financial resources.
  • Researchers have linked the group to the alias shinysp1d3r and hypothesized overlaps with ShinyHunters, Scattered Spider, and Lapsus$, though attribution remains unconfirmed.

MITRE Techniques

  • [T1078] Valid Accounts – The group reuses stolen credentials from infostealer logs to access corporate cloud environments and services (‘Credentials harvested by malware families such as RedLine, Lumma, and Vidar are reused’).
  • [T1078.004] Valid Accounts: Cloud Accounts – Stolen cloud credentials are used to authenticate to cloud environments and management consoles (‘authenticate against corporate cloud environments’).
  • [T1199] Trusted Relationship – CoinbaseCartel is linked to the use of initial access brokers and trusted access paths (‘linked to the use of Initial Access Brokers’).
  • [T1566.004] Phishing: Spearphishing Voice – The MITRE table lists voice phishing as an observed initial access technique (‘Phishing: Spearphishing Voice’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The group uses built-in administrative tools and shell activity to keep its footprint low (‘built-in operating system administrative tools’).
  • [T1059.006] Command and Scripting Interpreter: Python – Custom Python tooling is used to mimic legitimate data export behavior (‘custom Python tooling designed to mimic the legitimate Salesforce Data Loader’).
  • [T1136] Create Account – Persistence may be established by creating accounts (‘Create Account’).
  • [T1098] Account Manipulation – The group modifies or abuses existing accounts for persistence (‘Account Manipulation’).
  • [T1003] OS Credential Dumping – Listed in the article’s ATT&CK mapping under privilege escalation; note that ATT&CK itself files this technique under Credential Access, with the dumped credentials then used to escalate (‘OS Credential Dumping’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – The table specifically names LSASS memory dumping (‘OS Credential Dumping: LSASS Memory’).
  • [T1070] Indicator Removal – The group truncates logs and removes traces to hinder investigation (‘truncates log files in bulk’).
  • [T1562.002] Impair Defenses: Disable Windows Event Logging – CoinbaseCartel disables logging and audit functions (‘disables syslog forwarding, and manipulates system-wide audit settings’). The quoted syslog and audit manipulation is Linux-side behaviour, which maps more precisely to T1562.006 Indicator Blocking; T1562.002 covers the Windows event log equivalent.
  • [T1090.003] Proxy: Multi-hop Proxy – The ATT&CK table lists multi-hop proxying for concealment (‘Multi-hop Proxy’).
  • [T1036] Masquerading – The table indicates masquerading to blend in with legitimate activity (‘Masquerading’).
  • [T1555.003] Credentials from Password Stores: Web Browsers – The group targets credentials stored in browsers (‘Credentials from Password Stores: Web Browsers’).
  • [T1528] Steal Application Access Token – OAuth application abuse is used to obtain tokens for persistent access that survives a password reset (‘grant persistent access to cloud environments’).
  • [T1580] Cloud Infrastructure Discovery – The group identifies cloud assets and repositories to target (‘Cloud Infrastructure Discovery’).
  • [T1018] Remote System Discovery – It searches for systems and repositories of high value (‘Remote System Discovery’).
  • [T1069.002] Permission Groups Discovery: Domain Groups – The table lists discovery of privileged groups (‘Permission Groups Discovery: Domain Groups’).
  • [T1021.004] Remote Services: SSH – Attackers use SSH for lateral movement (‘Remote Services: SSH’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – RDP is used to move laterally after access (‘Remote Services: Remote Desktop Protocol’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – SMB/admin shares are used for lateral movement (‘Remote Services: SMB/Windows Admin Shares’).
  • [T1213] Data from Information Repositories – The group collects data from CRM and other repositories (‘Data from Information Repositories’).
  • [T1119] Automated Collection – Bulk CRM exports and scripted collection are used to gather data (‘enabling bulk CRM exports’).
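The mapping above reads as a chain: a credential lifted from an infostealer log (T1078/T1078.004) is replayed over an anonymizer (T1090.003), and the session then pulls the CRM in bulk through a Data Loader look-alike (T1119/T1213). The detector below is an added example, not code from SOCRadar or from the actor, and shows where each link can be caught: the credential check runs in the authentication path, where the password is still available, and the export check runs over access logs. The leaked-credential set, the anonymizer IP list, the per-user export baselines, the salt and every event are constructed for illustration.

```python
"""Added detection example for the CoinbaseCartel access chain mapped above.
All lists, baselines and events are constructed; nothing here is real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import hmac

# Constructed: keyed hashes of "user:password" pairs seen in infostealer logs.
# Hashing with a local key means the clear-text dump never lives on the
# detection host. The key below is a placeholder, not a real secret.
HASH_KEY = b"example-key-rotate-me"


def cred_hash(user: str, password: str) -> str:
    return hmac.new(HASH_KEY, f"{user}:{password}".encode(), hashlib.sha256).hexdigest()


LEAKED_CREDENTIALS = {cred_hash("j.doe@corp.example", "Winter2025!")}

# Constructed: anonymizer exits (in practice refreshed from the Tor exit-list
# feed and commercial-VPN range data, both of which change daily).
ANONYMIZER_IPS = {"185.220.101.45", "198.51.100.77"}

# Constructed: normal CRM records exported per hour, per user.
EXPORT_BASELINE = {"j.doe@corp.example": 500, "ops.svc@corp.example": 20000}
DEFAULT_BASELINE = 100
EXPORT_WINDOW = timedelta(hours=1)
EXPORT_RATIO = 10  # flag when a one-hour sum exceeds 10x the user's baseline


def check_login(user: str, password: str, source_ip: str) -> list:
    """Run at authentication time. Returns finding strings, empty if clean."""
    findings = []
    if cred_hash(user, password) in LEAKED_CREDENTIALS:
        findings.append(f"T1078: {user} authenticated with a credential present in infostealer logs")
    if source_ip in ANONYMIZER_IPS:
        findings.append(f"T1090.003: {user} logged in from anonymizer exit {source_ip}")
    return findings


def check_exports(events) -> list:
    """events: iterable of (iso_timestamp, user, source_ip, records_exported).
    Flags exports routed through an anonymizer and, per user, a sliding
    one-hour record count that exceeds EXPORT_RATIO times the baseline."""
    findings = []
    via_anonymizer = set()
    by_user = defaultdict(list)
    for ts, user, ip, count in sorted(events):
        if ip in ANONYMIZER_IPS:
            via_anonymizer.add((user, ip))
        by_user[user].append((datetime.fromisoformat(ts), count))
    for user, ip in sorted(via_anonymizer):
        findings.append(f"T1213: {user} exported CRM records via anonymizer exit {ip}")
    for user, rows in by_user.items():
        baseline = EXPORT_BASELINE.get(user, DEFAULT_BASELINE)
        limit = baseline * EXPORT_RATIO
        start, total = 0, 0
        for end, (t, count) in enumerate(rows):
            total += count
            while t - rows[start][0] > EXPORT_WINDOW:  # shrink window from the left
                total -= rows[start][1]
                start += 1
            if total > limit:
                findings.append(f"T1119: {user} exported {total} records within one hour (baseline {baseline}/h)")
                break  # one finding per user is enough for triage
    return findings


# Constructed export log: (timestamp, user, source_ip, records_exported)
SAMPLE_EXPORTS = [
    ("2025-09-15T02:12:00", "j.doe@corp.example", "185.220.101.45", 1200),
    ("2025-09-15T02:20:00", "j.doe@corp.example", "185.220.101.45", 9800),
    ("2025-09-15T02:45:00", "j.doe@corp.example", "185.220.101.45", 15000),
    ("2025-09-15T03:05:00", "ops.svc@corp.example", "10.0.4.12", 15000),
]

if __name__ == "__main__":
    for line in check_login("j.doe@corp.example", "Winter2025!", "185.220.101.45"):
        print(line)
    for line in check_exports(SAMPLE_EXPORTS):
        print(line)
```

The export check only works if the logs it reads leave the host before the actor’s bulk truncation (T1070) and audit tampering (T1562) take effect, so forward CRM and identity-provider events to a collector the compromised account cannot write to. The service account in the sample stays quiet because its baseline already reflects large scheduled exports; the point of per-user baselines is that a 15,000-record pull is routine for one identity and a 30x anomaly for another.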

Indicators of Compromise

  • [Malware Families] Credential sources referenced in the article – RedLine, Lumma, and Vidar
  • [Cloud / Platform Services] Infrastructure used for exfiltration or access – AWS, Google Cloud, Cloudflare, Salesforce, Microsoft 365, and Google Workspace
  • [File Transfer / Remote Access Services] Services targeted for credential reuse – SFTP, FTP, VPN, and RDP
  • [Threat Actor Aliases] Names associated with the group or hypothesized overlaps – shinysp1d3r, ShinyHunters, Scattered Spider, and Lapsus$
  • [Data / File Artifacts] Artifacts referenced in the article – large compressed archives staged before exfiltration, a Salesforce Data Loader look-alike, and infostealer logs
  • [Network / Delivery Channels] Delivery and concealment channels mentioned – Tor-based leak site, Tor exit nodes, and commercial VPN services
  • [Time / Campaign Markers] Activity timeline and windows referenced – September 15–16, 2025, April 2026, and early 2026


Read more: https://socradar.io/blog/dark-web-profile-coinbasecartel/