Dropbox has been added to the list of companies that have fallen prey to phishing attacks.
The company announced this week that, on October 14, threat actors impersonating CircleCI gained access to Dropbox employee credentials and stole 130 of its GitHub code repositories. GitHub alerted Dropbox to the suspicious behavior, which had begun the previous day.
The code accessed contained some credentials, namely API keys used by Dropbox developers, the company said. The code and the surrounding data also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads and vendors.
However, Dropbox emphasized in a blog post that “no one’s content, passwords, or payment information was accessed, and the issue was quickly resolved.”
The company also reported that its core apps and infrastructure were unaffected, as their access is even more limited and strictly controlled.
“We believe the risk to customers is minimal,” Dropbox said. However, the company said, “We’re sorry we fell short.”
The announcement indicates that, despite awareness and training, phishing remains a significant (and successful) method for cyberattackers. In fact, a new report from Netskope out today reveals that, while users are warier when it comes to spotting phishing attempts in emails and text messages, they are increasingly falling prey to phishing via websites, blogs and third-party cloud apps.
“In today’s evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect,” Dropbox wrote. “Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multifactor authentication codes as well.”
The best trained employees still fall prey
Security leaders weighing in on the news emphasized the importance of continued training and awareness amid increasingly savvy attacks and scaled-up techniques.
“Attackers today seem to be moving towards compromising ‘ecosystems.’ They want to be able to compromise apps that have massive user bases (like Dropbox) and the way they are doing that is by attempting to compromise the people in power: The developers,” said Abhay Bhargav, CEO and founder of AppSecEngineer, a security training platform.
This particular campaign targeted Dropbox developers and/or devops team members, he explained. Attackers set up phishing sites “masquerading” as CircleCI. The attack phished developers and stole their GitHub credentials.
Attackers compromised a developer’s access and used that to steal their API token that could be used to access some metadata around Dropbox’s employees, customers and vendors.
“This is an interesting evolution of phishing, as it is oriented towards more technical users,” said Bhargav. “This eliminates the myth that only non-tech users fall for phishing attacks.”
Matt Polak, CEO and founder of the cybersecurity firm Picnic Corporation, agreed that this sophisticated social engineering attack proves that even the most well-trained employees can be compromised.
To reduce risk, organizations should, first, have the capability to monitor and reduce their company and employee OSINT framework exposure, as attackers need this data to craft their attacks, he said.
Secondly, companies need to be able to “identify and block attacker infrastructure and accounts that impersonate them or a trusted third party before these can be leveraged against their people,” said Polak.
What exactly happened?
Millions of developers store and manage source code in GitHub. In September, the company’s security team learned that threat actors impersonating CircleCI — a popular continuous integration and code product — had targeted GitHub users via phishing to harvest user credentials and two-factor authentication codes.
The same situation occurred with Dropbox, which uses GitHub to post its public and some of its private repositories. The company also uses CircleCI for select internal deployments. GitHub credentials can be used to log in to CircleCI.
In October, multiple Dropboxers received phishing emails impersonating CircleCI with the intent of targeting GitHub accounts, Dropbox reported. Its systems automatically quarantined some of these emails, but others landed in inboxes.
These “legitimate-looking” emails directed users to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a one-time password (OTP) to the malicious site.
Having succeeded, the threat actors got access to 130 Dropbox code repositories, which included copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team.
As soon as Dropbox was alerted to the suspicious activity, the threat actor’s access to GitHub was disabled. The Dropbox security team immediately coordinated the rotation of all exposed credentials and worked to determine whether customer information (and what kind) was accessed or stolen, the company said. A review of logs found no evidence of successful abuse.
The company said it also hired outside forensic experts to verify these findings, while also reporting the event to the appropriate regulators and law enforcement.
Implementing ‘phishing-resistant’ WebAuthn
To prevent similar future incidents, Dropbox said it is accelerating its adoption of WebAuthn, “currently the gold standard” of MFA that is more “phishing-resistant.” Soon, the company’s whole environment will be secured by this method with hardware tokens or biometric factors.
“We know it’s impossible for humans to detect every phishing lure,” the company said. “For many people, clicking links and opening attachments is a fundamental part of their job.”
Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time, said Dropbox.
“This is precisely why phishing remains so effective — and why technical controls remain the best protection against these kinds of attacks,” the company said. “As threats grow more sophisticated, the more important these controls become.”
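Why WebAuthn resists the fake-login-page relay described above, shown as an added example that is not from Dropbox or the original article: the browser itself records the page origin in the assertion and the authenticator hashes the relying-party ID, so a response produced on a lookalike site fails the server's binding checks. The relying-party ID, the lookalike domain and the function names are assumptions made for illustration, and the sample assertions are constructed.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.test"            # assumed relying-party ID (placeholder)
EXPECTED_ORIGIN = "https://" + RP_ID    # the only origin this server accepts

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def binding_failures(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of failed binding checks; an empty list means all passed.
    Signature verification over auth_data || SHA-256(client_data_json) is a
    separate step and is not shown here."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), challenge):
        failures.append("challenge")
    if client.get("origin") != EXPECTED_ORIGIN:   # written by the browser, not the page
        failures.append("origin")
    if len(auth_data) < 37:                       # rpIdHash(32) + flags(1) + signCount(4)
        return failures + ["authenticator_data"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rp_id_hash")
    if not auth_data[32] & 0x01:                  # UP flag: user presence
        failures.append("user_present")
    return failures

def constructed_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the two fields a browser and authenticator would return."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url_encode(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return client_data, auth_data

if __name__ == "__main__":
    issued = b"constructed-challenge-0001"
    real = constructed_assertion(EXPECTED_ORIGIN, RP_ID, issued)
    fake = constructed_assertion("https://login.example-test.invalid",
                                 "login.example-test.invalid", issued)
    print("real site :", binding_failures(*real, issued))
    print("lookalike :", binding_failures(*fake, issued))
```

A one-time password carries no such binding, which is why a code typed into a fake page can be replayed to the real one.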