Dropbox has been added to the list of companies that have fallen victim to phishing attacks.
The company announced this week that on October 14, threat actors masquerading as CircleCI gained access to Dropbox employees’ credentials and stole 130 of its GitHub code repositories. GitHub warned Dropbox about the suspicious behavior, which started the previous day.
The code used contained some credentials, which are API keys used by Dropbox developers, the company said. The code and surrounding data also includes several thousand names and email addresses of Dropbox employees, current and former customers, sales leads, and suppliers.
However, Dropbox emphasized in a blog post that “no one had access to the content, passwords or payment details and that the problem was quickly resolved.”
The company also reported that its core apps and infrastructure were unaffected, as their access is even more restricted and tightly controlled.
“We believe the risk to customers is minimal,” Dropbox says. However, the company said, “We’re sorry we came up short.”
Advanced Phishing
The announcement shows that, despite awareness programs and training, phishing remains a prominent (and successful) method of cyber-attack. Indeed, a new report from Netskope, released today, reveals that while users have become more cautious about recognizing phishing attempts in emails and text messages, they are increasingly falling prey to phishing via third-party websites, blogs and cloud apps.
“In today’s evolving threat landscape, people are inundated with messages and notifications, making phishing lures difficult to detect,” Dropbox wrote. “Threat actors are not only collecting usernames and passwords, but also collecting multifactor authentication codes.”
The best trained employees still fall prey
Security leaders who followed the news emphasized the importance of ongoing training and awareness amid increasingly sophisticated attacks and scaled-up techniques.
“Attackers today seem to be moving towards compromising ‘ecosystems’. They want to be able to compromise apps with huge user bases (like Dropbox), and the way they do that is by trying to endanger those in power: the developers,” said Abhay Bhargav, CEO and founder of AppSecEngineer, a security training platform.
This particular campaign was aimed at Dropbox developers and/or devops team members, he explained. Attackers set up phishing sites impersonating CircleCI. The attack phished developers and stole their GitHub credentials.
Attackers compromised a developer’s access and used it to steal their API token that could be used to access certain metadata surrounding Dropbox’s employees, customers, and suppliers.
“This is an interesting evolution of phishing as it targets more technical users,” says Bhargav. “This eliminates the myth that only non-technical users fall for phishing attacks.”
Matt Polak, CEO and founder of the cybersecurity company Picnic Corporation, agreed that this sophisticated social engineering attack proves that even the best-trained workers can be compromised.
To mitigate risk, organizations must first and foremost have the ability to monitor and reduce their company’s and employees’ exposure to OSINT frameworks, as attackers need this data to carry out their attacks, he said.
Second, companies must be able to “identify and block the infrastructure and accounts of attackers impersonating them or a trusted third party before they can be used against their people,” Polak said.
What exactly happened?
Millions of developers store and manage their source code on GitHub. In September, the company’s security team discovered that threat actors masquerading as CircleCI — a popular continuous integration and delivery product — had targeted GitHub users via phishing to collect user credentials and two-factor authentication codes.
The same situation arose with Dropbox, which uses GitHub to host its public and some of its private repositories. The company also uses CircleCI for select internal deployments. GitHub credentials can be used to log in to CircleCI.
In October, multiple Dropboxers received phishing emails masquerading as CircleCI with the intent to target GitHub accounts, Dropbox reported. The systems automatically quarantined some of these emails, but others ended up in inboxes.
These “legitimate-looking” emails directed users to a fake CircleCI login page, where they entered their GitHub username and password and then used their hardware authentication key to pass a one-time password (OTP) to the malicious site.
Threat actors were then given access to 130 Dropbox code repositories, including copies of third-party libraries that were slightly modified for Dropbox use, internal prototypes, and some tools and configuration files used by the security team.
Immediately after being alerted to the suspicious activity, Dropbox disabled the threat actor’s access to GitHub. The Dropbox security team then coordinated the rotation of all exposed credentials and set out to determine whether customer information (and what kind) had been accessed or stolen, the company said. A review of logs found no evidence of successful abuse.
The company said it also hired outside forensic experts to verify these findings, while also reporting the event to appropriate regulators and law enforcement agencies.
Implementing ‘phishing-resistant’ WebAuthn
To avoid similar incidents in the future, Dropbox said it is accelerating its adoption of WebAuthn, “currently the gold standard” of MFA and more “phishing-resistant.” Soon the company’s entire environment will be secured this way, with hardware tokens or biometric factors.
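To see why the OTP relay described under “What exactly happened?” succeeds while a WebAuthn assertion relayed the same way does not, here is an added Python illustration (not Dropbox’s, GitHub’s or CircleCI’s code): the phishing origin is a constructed placeholder, and an HMAC stands in for the authenticator’s private key so the example runs without dependencies.

```python
import hashlib, hmac, json, struct
REAL_ORIGIN, RP_ID = "https://github.com", "github.com"
PHISH_ORIGIN = "https://circleci-login.example"  # constructed look-alike phishing origin (placeholder)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: the code depends only on a secret and a counter, never on where it is typed."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000)

def otp_server_verify(secret: bytes, last_counter: int, code: str, window: int = 10) -> bool:
    return any(hmac.compare_digest(hotp(secret, c), code) for c in range(last_counter + 1, last_counter + 1 + window))

def otp_relay_phish() -> bool:
    """User presses the OTP key on the fake CircleCI page; the attacker relays the code to the real site."""
    secret = b"constructed-otp-seed"
    code_typed_on_phish_page = hotp(secret, 1)
    return otp_server_verify(secret, 0, code_typed_on_phish_page)  # True: the server cannot tell

def browser_get_assertion(key: bytes, page_origin: str, rp_id: str, challenge: str):
    """navigator.credentials.get(): the browser, not the page, writes the real origin into clientDataJSON
    and requires rpId to be a registrable suffix of the page host. HMAC stands in for the ECDSA key."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("browser refuses: rpId %r is not valid for origin %r" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash|flags|counter
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)  # relying-party checks: type, challenge, origin, rpIdHash, then signature
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge or cd.get("origin") != REAL_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def webauthn_relay_phish() -> bool:
    """Attacker relays the real site's challenge to the phishing page and forwards whatever comes back."""
    key, challenge = b"constructed-credential-key", "c2VydmVyLWNoYWxsZW5nZQ"
    try:  # a phishing page that asks for rpId "github.com" is refused by the browser outright
        browser_get_assertion(key, PHISH_ORIGIN, RP_ID, challenge)
    except ValueError:
        pass
    # asking for its own rpId signs here (a real authenticator would hold no credential for it), but the
    # assertion binds the phishing origin and rpIdHash, so the real site rejects it
    relayed = browser_get_assertion(key, PHISH_ORIGIN, "circleci-login.example", challenge)
    return rp_verify(key, challenge, *relayed)  # False
```

The same relay that makes a hardware-key OTP useless as a second factor leaves a WebAuthn assertion unusable outside the origin it was created for, which is what “phishing-resistant” means in practice.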
“We know it’s impossible for people to detect every phishing lure,” the company said. “For many people, clicking links and opening attachments is a fundamental part of their job.”
Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered at the right time in the right way, according to Dropbox.
“This is exactly why phishing remains so effective — and why technical checks remain the best defense against these types of attacks,” the company said. “As threats become more sophisticated, these controls become more important.”