The latest inception of phishing attacks is on the horizon. With the pervasiveness of cloud apps and the evolving nature of how they are used, from single-sign-on token integrations, users are being prompted to authorize access in what has become an overlooked attack vector to facilitate data leakage.
The latest inception of phishing attacks is on the horizon. With the pervasiveness of cloud apps and the evolving nature of how they are used, from single-sign-on token integrations, users are being prompted to authorize access in what has become an overlooked attack vector to facilitate data leakage.
Looking back on the year 2022 as it approaches completion, we’ve unfortunately had no shortage of high-profile breaches. Cloud environments continue to be preyed upon at unparalleled rates. Why, you ask? Threat actors view cloud infrastructures as soft targets. And they are continuously refining tactics and tradecraft to exploit the access, vulnerabilities, and misconfigurations within them, ultimately to get their hands on prized possessions. In the case of Dropbox, their “secret sauce” source code was a recent target!
Dropbox is the newest entrant into a growing list of companies such as Uber, Twitch, Samsung, and Nvidia that have had their internal source code repositories targeted and exploited by threat actors.
How did this happen? Sadly, it’s the same old phishing story. Thanks to a crafty phishing email (Figure 1) launched at Dropbox employees, the attackers were able to steal credentials after redirecting users to a fake login page.
Pretending to facilitate integration between their corporate GitHub account and CircleCI’s CI/CD services, the employee would be asked to enter their Dropbox-endorsed GitHub username and password, followed by their hardware-based authentication token to pass through their One Time Password (OTP).
As it turns out, the GitHub account compromised by the attackers belonged to a Dropbox developer. This scored the perpetrators access to approximately 130 internal Dropbox source code repositories stored on GitHub, as well as API keys used by its developers, and a variety of data on Dropbox employees, current and past customers, vendors, and sales leads.
Why do these breaches occur?
As we’ve witnessed in recent attacks, the targeting of internal, privileged users continues to be a hot market for cyber criminals as more valuable data finds it way into the realms of cloud infrastructures.
The nature of this attack involving phishing isn’t exactly novel. Unfortunately, it’s proving impossible for humans to detect every single phishing lure. The reality is that for many people, opening links and attachments is an essential part of their work.
Alarmingly, even the most distrustful, attentive IT expert could fall victim to a meticulously crafted message delivered in the right way at the right time. For this reason, phishing continues to be a vastly successful scheme for attackers. As threats increase in complexity and sophistication, security teams must take heed of appropriate technical controls to limit their organization’s attack surface and protect their prized possessions, namely their highly sensitive, proprietary data.
What can be done?
When talking about threats like phishing, cyber awareness and email safety training are always a wise idea to help employees become more vigilant when faced with devious emails, attachments, links, and the like.
However, sufficient technical controls cannot be discounted due to the high likelihood of users falling victim.
At a bare minimum, security teams must monitor and maintain governance, visibility, and control over the cloud environments – like GitHub – being consumed by their corporate resources. Typically, many teams aim to achieve this by governing access and data leading to and from the cloud service but fall short of implementing and managing consistent security control within the service itself. The reality is that inside these cloud applications and platforms, users – and evidently, attackers – can perform a wide variety of activities that would be deemed “of interest” in the context of keeping the organization’s data and best interests secure.
By allowing security operations administrators to monitor user activity in GitHub, enforce data loss prevention policies, and review User and Entity Behavioral Analytics (UEBA) enriched by machine learning algorithms, security teams can benefit from vastly richer visibility and stronger control, particularly in the case where unauthorized access may have been gained into the corporate GitHub tenancy from a similar phishing attack.
Additionally, in the event of a user mistakenly clicking a phishing link, a capable proxy solution can provide immense value by inspecting the requested web traffic destined to the malicious webpage. In doing so, the proxy solution can immediately detect and protect users from harm, based on the content within the page, the reputation of the web address (especially if its domain has been only recently registered or uncategorized by web reputation engines), and various other attributes.
Here’s how Skyhigh Security picks apart similar content:
