Dropbox recently announced it had been the target of a phishing attack that resulted in the threat actor(s) accessing some code the company had stored on GitHub.
The file hosting service was alerted by GitHub of some suspicious activity on October 14th and immediately began an investigation into the incident. Dropbox learned that a threat actor impersonating CircleCI, a code integration and delivery platform, had accessed one of its GitHub accounts. Dropbox says:
"At no point did this threat actor have access to the contents of anyone’s Dropbox account, their password, or their payment information. To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers.
The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)."
It also noted that its core apps and infrastructure were unaffected and that it believes risks to customers are minimal.
What happened in the Dropbox phishing attack?
In the beginning of October, many Dropbox users received phishing emails made to look like they originated from CircleCI, with the purpose of targeting GitHub accounts. Dropbox uses GitHub to host public and private repositories, and uses CircleCI for some internal deployments.
Though Dropbox's security systems blocked a majority of the emails, some still made their way into employees' inboxes. The phishing emails contained fraudulent links to a fake CircleCI login page that asked for a GitHub username and password, as well as a hardware authentication key to pass a One Time Password (OTP) to the malicious site.
Like many persistent phishing campaigns, this eventually worked, and the threat actor copied 130 Dropbox code repositories. Dropbox discusses:
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled."
How is Dropbox responding to this phishing incident?
Everyone acknowledges the inherent flaws that humans have when it comes to cybersecurity. Nobody is perfect, and eventually even the most savvy professionals can be fooled by sophisticated threat actors.
This is something that Dropbox pointed out in its statement regarding the phishing incident, but it also apologized to anyone who may have been affected. Dropbox says one thing it is doing to prevent incidents like this in the future is accelerating its adoption of WebAuthn, noting that it is currently the "gold standard" in multi-factor authentication (MFA).
But what else can organizations do to protect themselves? Nick Rago, Field CTO at Salt Security, shares his thoughts with SecureWorld News:
"As social engineering attack techniques become more and more sophisticated, organizations must adopt a Zero Trust mentality with code artifacts as much as possible to stay ahead of threats that can arise when an outsider gains access to code repositories.
The Dropbox breach serves as a good reminder for organizations to scan their source code repositories to look for any credentials stored in plain text (API keys, passwords, etc.) that a threat actor could potentially use if they were to gain access to the repository. Additionally, this type of threat illustrates why organizations require runtime API security, which can detect and prevent API abuse if an API key was compromised and used in an API attack."
Craig Lurey, CTO and Co-Founder of Keeper Security, also discussed the Dropbox incident:
"This incident is the latest example of why managing IT secrets is a pain point for many companies, although it does not have to be. Hardcoded credentials—user IDs and passwords written directly into source code—are notoriously insecure, yet maddeningly common. They're seen in industrial control systems used to run manufacturing lines, utilities, and critical infrastructure, as well as major software companies and all manner of IoT devices.
To protect against this type of attack, organizations must implement a full security suite to manage passwords, credentials, files, and shared secrets—on all devices. A secrets manager must be zero-knowledge and encrypted to the endpoint, so credentials and other secrets are never exposed in plaintext format."
Follow SecureWorld News for more stories related to cybersecurity.
