On November 1st, the cloud storage corporation Dropbox, Inc., disclosed that they had suffered a breach of their internal GitHub Repositories. The original breach was said to have been discovered due to suspicious activity on one of their private GitHub Repositories, on October 14th. The hackers managed to breach Dropbox’s security via a Phishing Campaign.
The hackers targeted Dropbox employees with complex phishing emails. A large number of the legitimate looking emails were in-fact halted and quarantined, due to Dropbox’s internal mail filtering systems. However, a few managed to slip through the cracks and landed in numerous Dropbox employees inboxes.
The emails used in the Phishing Campaign were said to be impersonating CircleCI, an application development company, known to have been used by Dropbox in the past. The phishing emails contained a hyperlink, which directed users to a fake CircleCI webpage, where they were prompted to enter their GitHub credentials, and to authenticate using their Multifactor Authentication (MFA) method. The phishing emails were said to have issued a warning to users, that their current CircleCI session with GitHub had expired, and they were to follow the link to re-activate. Not two months prior to the breach, GitHub themselves issued warnings to their users to be vigilant when receiving emails from CircleCI.
From the original GitHub Phishing Campaign, Bitdefender writer Silviu Stahie wrote: “If the attack on a user succeeds, criminals could create GitHub personal access tokens (PATs) or even add SSH keys to the account, so it doesn’t matter if the user changes the password. They also download any repositories the hack exposes and even create new GitHub user accounts if the victim’s account has the correct permissions”.
Once a single Dropbox Developer had clicked the link, and entered their login credentials with MFA, the hackers then had access to Dropbox’s private GitHub repositories. They managed to copy 130 code repositories, which stored configuration files, security tools/protocols and internal prototypes used by the security team. They also managed to obtain secret API keys, used by Dropbox Devs for unique identification and authorisation into currently operational APIs.
Thousands of personal information entries were included within the 130 GitHub Repositories cloned, such as names, email addresses, and home addresses of Dropbox Developers, including vendor and customer information. The Dropbox team has stressed that they believe the risk to their customers and customer data is currently minimal and said: “Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected”.
This story highlights the importance of any sized company to have more than appropriate Cyber security measures put in place, bolstered by training and user vigilance. On this occasion, email filtering techniques were implored to reduce the potential for Phishing emails to reach an end user. However, some of the phishing emails did manage to bypass Dropbox’s security measures, due to their sophistication.
The domains used in the phishing emails were strikingly similar to the legitimate CircleCI domains, they did not trigger alarms as they passed through the email filter. Reporting such emails as Phishing allows for security and email filtering companies to improve their ever-changing defence landscape, to keep up with such levels of sophistication.
At Texaport, we understand the importance of these advancements, and we work with our clients to put a reliable system in place to improve their business efficiency. Our team has a wide range of IT knowledge and remains acquainted with the movements in the IT industry. Find out more here.
