The Dropbox incident raises questions about the extent to which security professionals can depend on MFA

Cloud storage provider Dropbox was successfully targeted in a phishing campaign that gave bad actors access to some of its code stored in GitHub. (Photo by Drew Angerer/Getty Images)

Reports on Tuesday that Dropbox was the target of a phishing campaign that managed to gain access to some of the code it stores in GitHub raised eyebrows in security circles because attackers were able to bypass multi-factor authentication (MFA).

In a blog post, Dropbox researchers said the threat actors went beyond simply collecting usernames and passwords and also collected MFA codes. The researchers pointed out that in September, GitHub detailed one such phishing campaign, in which a threat actor gained access to GitHub accounts by impersonating CircleCI, the continuous integration and delivery platform.

“We recently learned that Dropbox was the target of a similar campaign,” the researchers said. “On October 14, 2022, GitHub alerted us to suspicious behavior that began the previous day. Upon further investigation, we discovered that a threat actor – also claiming to be CircleCI – had also accessed one of our GitHub accounts.”

The researchers said that on the day Dropbox learned of the incident, they disabled the threat actor's access to GitHub. Dropbox security teams took immediate action to coordinate the rotation of all exposed developer credentials and to determine what customer data, if any, was accessed or stolen. They also reviewed their logs and said they found no evidence of successful abuse.

Attackers are looking for new ways to bypass protections

Although MFA adds an excellent layer of security on top of user login credentials, it's far from foolproof, said Mika Aalto, co-founder and CEO of Hoxhunt. Some vulnerabilities that allowed MFA to be bypassed, such as through conventional session management and the use of OAuth, have been found and fixed. However, Aalto said malicious actors are always finding new hacks, both manual and automated.

“A manual example might involve a credential collection site where, instead of redirecting the user after collecting their credentials, the site will ask for a passcode,” Aalto said. “Think about it. The malicious actor anticipated MFA and basically asks the victim to hand-deliver the code. If the passcode was given, the attackers would get an alert and quickly log in. After entering the code, the site would load and then ask for another code, possibly giving attackers another chance to log in.”
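The relay Aalto describes works because a one-time passcode is a bearer value: the real service has no way to tell whether the person typing it is the account owner or the attacker who just received it from a phishing page. The following is an added example, not code from the article, Dropbox, or GitHub. It implements RFC 6238 TOTP, shows that a code captured at one moment is still accepted when the attacker submits it a few seconds later, and contrasts that with an origin-bound response. The origin-bound part is a simplified stand-in: real WebAuthn/FIDO2 has the browser record the page origin and the authenticator sign it with a per-site key pair, whereas here HMAC with a constructed device key stands in for the signature and the origins `https://rp.example` and `https://phish.example` are constructed. The test secret is the one published in RFC 6238.

```python
"""Added example: why a phished TOTP code can be relayed, and why an
origin-bound factor cannot. Not code from the article or from Dropbox."""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the default of most authenticator apps."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check; most deployments accept +-1 step of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-skew, skew + 1)
    )


def relayed_totp_succeeds(secret: bytes, victim_time: int,
                          attacker_delay_seconds: int) -> bool:
    """The phishing page collects the code at victim_time; the attacker
    submits it to the real service attacker_delay_seconds later."""
    captured = totp(secret, victim_time)
    return verify_totp(secret, captured, victim_time + attacker_delay_seconds)


# Origin-bound factor. Real WebAuthn puts the page origin into clientDataJSON
# and the authenticator signs it with a per-site key pair. HMAC over a device
# secret is a stand-in for that signature (assumption, to keep this
# dependency-free); the origin check is the point being demonstrated.
def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes,
                     expected_origin: str, assertion: bytes) -> bool:
    expected = sign_assertion(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def relayed_assertion_succeeds(device_key: bytes, challenge: bytes,
                               real_origin: str, phish_origin: str) -> bool:
    """The victim's browser signs for the origin it actually visited (the
    phishing page), so the relayed response fails at the real service."""
    relayed = sign_assertion(device_key, challenge, phish_origin)
    return verify_assertion(device_key, challenge, real_origin, relayed)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test secret
    print("TOTP relayed 20 s later accepted:",
          relayed_totp_succeeds(SECRET, 59, 20))
    print("origin-bound response relayed accepted:",
          relayed_assertion_succeeds(b"device-key", b"challenge",
                                     "https://rp.example", "https://phish.example"))
```

The skew window that makes TOTP usable across clock drift is the same window the attacker uses; narrowing it buys seconds, not safety. The origin check is what stops the relay, which is why phishing-resistant MFA is defined by binding the response to the site the user actually visited rather than by how the code is delivered.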

Nick Rago, Field CTO at Salt Security, pointed out that in this case, Dropbox confirmed that the code the threat actor had access to contained API keys used by Dropbox developers. Rago said it is unclear from the incident notification what these API keys were used for, what systems they connected to (internal or external), and the scope of data and functional access the threat actor would have with these API keys.

“Static API keys and other important credentials used by application developers should be somehow secured and not stored in plain text as part of any application source code at rest,” Rago said. “Data encryption or the use of a secure data vault offer two common and more secure alternatives. The Dropbox breach is a good reminder for organizations to scan their source code repositories for any credentials stored in plain text (API keys, passwords) that a malicious actor could potentially use if they accessed the repository.”
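The scan Rago recommends is straightforward to start on: match the fixed prefixes that well-known credential formats carry, and fall back to an entropy check for generic `api_key = "..."` assignments so that placeholders like `changeme` are not reported. The following is an added example, not Dropbox's tooling or Rago's; the key-format patterns (AWS access key IDs beginning `AKIA`/`ASIA`, GitHub tokens beginning `ghp_` and similar) reflect the formats in use at the time of the article and are assumptions to be maintained, the 3.5 bits-per-character threshold is a heuristic, and the sample file is constructed (`AKIAIOSFODNN7EXAMPLE` is the example key from AWS's own documentation, not a live credential).

```python
"""Added example: a minimal plaintext-credential scanner for source files.
Not Dropbox code. Patterns and thresholds are assumptions, see lead-in."""
import math
import re
from collections import Counter

# Credential formats with a recognizable fixed prefix (assumed formats).
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Generic "name = 'value'" assignments; the value is judged by entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{8,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and placeholders low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never copy the full secret into a report or a ticket."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, finding_kind, redacted_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, redact(m.group(0))))
                matched_specific = True
        if matched_specific:
            continue  # avoid double-reporting the same literal
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            kind = "high_entropy_" + m.group(1).lower()
            findings.append((lineno, kind, redact(m.group(2))))
    return findings


# Constructed sample file; not Dropbox code. AKIAIOSFODNN7EXAMPLE is the
# example key from AWS documentation, the other values are made up.
CONSTRUCTED_SOURCE = """\
# settings.py -- constructed sample file, not Dropbox code
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DROPBOX_API_KEY = "sk-live-8f3c2a91b7e4d60f5a1c9e2b3d4f5a6b"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
DB_PASSWORD = "changeme"
api_key = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for lineno, kind, preview in scan_text(CONSTRUCTED_SOURCE):
        print(f"line {lineno}: {kind}: {preview}")
```

Two caveats a practitioner will want. First, deleting a credential from the current tree does not remove it from git history, so a scan needs to walk every commit (mature tools such as gitleaks and trufflehog do this) and any key that ever landed in a repository should be rotated, not just removed. Second, the last line of the sample shows the pattern to move toward: the secret lives in the environment or a vault and the source only names it.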

Beyond MFA, Matt Mullins, senior security researcher at Cybrary, said security teams should consider the impact that a detonated phish can have. Mullins said security teams should ask themselves the following questions: Does the company have exposed APIs that someone can authenticate against? If so, is there enough logging in the console so that the information can be aggregated into a SIEM? What kind of protections does the organization have against detonated malware? Is there a properly tuned EDR/AV with appropriately tested rules? Is sandboxing used? Are only certain groups allowed to run macros?

“These security measures can significantly mitigate the overall impact of phishing for an organization,” Mullins said. “If some of my suggestions are implemented by organizations with regular testing (i.e. penetration testing), they should do significantly better in terms of overall impact and detection than organizations that don’t.”

George McGregor, vice president of Approov, said it's true that phishing attackers have increasingly sophisticated methods to circumvent protections. The Dropbox case is just one example of how attackers are always finding new approaches and techniques, and tracking them becomes a “whac-a-mole” game for security teams.

McGregor said security teams need to take two steps: first, expend energy and resources to keep abreast of threats and attack techniques and try to keep defenses up to date. Second, have a detailed plan ready to be activated in the event of a breach.

“Part of this contingency plan is the ability to immediately block access to specific users and keys if they are compromised,” McGregor said. “The other is to ensure continuity of service by being able to immediately update or rotate compromised keys or authentication tokens in the infrastructure if the keys are stolen, so that service is never interrupted.”
