Search This Blog

Showing posts with label Dropbox. Show all posts

Dropbox Security Breach: Unauthorized Access to 130 Source Code Repositories

 

File hosting service, Dropbox reveals on Tuesday that it was the victim of a phishing campaign. The security breach allowed the unidentified threat actor to acquire unauthorized access to one of its GitHub accounts, compromising 130 of its source code repositories. 
 
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," Dropbox published in an advisory. 
 
Dropbox discovered the breach on October 14, after GitHub reported the company of suspicious activities that began a day before the alert was sent. 
 
Upon further investigation of the security breach, it was disclosed that the source code accessed by the threat actors, contained the development team’s credentials, primarily API keys used by the team. 
 
"The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)." the company added in the published advisory. 
 
The cyberattack was introduced more than a month after both GitHub and CircleCI reported accounts of phishing attacks. The phishing campaign was allegedly designed in order to access GitHub credentials via fraudulent notifications purporting to be from the CI/CD platform. 
 
These fraudulent emails notified the online users that their CircleCI session has expired, ploying the victims into logging in through their GitHub credentials. 
 
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," explains Dropbox. 
 
Alongside, GitHub in an advisory, stated, "While GitHub itself was not affected, the campaign has impacted many victim organizations." In regards to the recent phishing attacks, Dropbox confirmed that the attackers did not have access to customers’ accounts, password, or payment information, and its core apps infrastructure were not impacted in the breach. "Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled." the company noted.  
 
Furthermore, Dropbox told that it has been working on securing its environment following the security breach, using WebAuthn and hardware tokens or biometric factors.

Google Drive & Dropbox Targeted by Russian Hackers

The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.

In recent efforts targeting Western diplomatic stations and foreign embassies globally between early May and June 2022, the threat group APT29 also known as Cozy Bear or Nobelium has embraced this new strategy. However, the phishing documents included a link to a malicious HTML file that was used as a dropper for other harmful files, including a Cobalt Strike payload, to enter the target network.

Google and DropBox were alerted about the operation by Palo Alto Networks, and they took measures to restrict it. Organizations and governments have been cautioned by Unit 42 researchers to maintain a high state of alert. Organizations should be cautious about their capacity to identify, inspect, and block undesirable traffic to legitimate cloud storage providers in light of APT 29's new methods.

APT29, also known as Cozy Bear, Cloaked Ursa, or The Dukes, is a cyber espionage organization that seeks to gather information that supports Russia's geopolitical goals. It also carried out the SolarWinds supply-chain hack, which resulted in the compromising of several US federal agencies in 2020.

The use of cloud services like Dropbox and Google Drive to mask their activity and download further cyberespionage into target locations is what has changed in the most recent versions. According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

The findings also line up with a recent statement from the Council of the European Union that "condemns this appalling behavior in cyberspace" and highlights the rise in hostile cyber actions carried out by Russian threat actors.

In a news release, the EU Council stated that "this increase in harmful cyber actions, in the context of the war against Ukraine, presents intolerable risks of spillover effects, misinterpretation, and possible escalation."







Polonium Assaults Against Israeli Organizations were Blocked by Microsoft

 

Microsoft stated it has banned a hacking gang known as Polonium, based in Lebanon, from utilizing the OneDrive cloud storage platform for data exfiltration and command and control while attacking and compromising Israeli firms. The internet giant's Threat Intelligence Center (MSTIC) stated it stopped over 20 malicious OneDrive apps built by Polonium and alerted affected companies, in addition to erasing the criminal accounts created by the Lebanon-based entity. 

"Across the majority of its victims, this attacker has deployed unique tools that abuse lawful cloud services for command and control (C2)." as per Microsoft's research. "POLONIUM was seen generating and using legal OneDrive accounts, then using those accounts as C2 to carry out part of the offensive operation," says the report. 

POLONIUM has been seen operating on or targeting various organizations previously penetrated by the Iran-linked MuddyWater APT (aka MERCURY). 

Since February 2022, the antagonistic group is thought to have breached more than 20 Israeli institutions and one intergovernmental body with operations in Lebanon. Manufacturing, IT, transportation, defense, government, agriculture, finance, and healthcare companies were among the targets of interest, with one cloud service provider hacked to target a downstream aviation company and law firm in a supply chain attack.

Unpatched Fortinet FortiOS SSL VPN servers vulnerable to CVE-2018-13379 exploits leveraging a critical path traversal weakness allowing login credentials theft appear to represent the first access vector for the vast majority of victims, according to Microsoft. In November 2020, a hacker disclosed the passwords for nearly 50,000 vulnerable Fortinet VPNs, just days after a list of CVE-2018-13379 one-line exploits was publicly disclosed. 

A list of roughly 500,000 Fortinet VPN passwords supposedly harvested from susceptible devices was posted online again almost a year later. The actor's campaign chains have included the usage of proprietary tools that use genuine cloud services like OneDrive and Dropbox accounts for C2 and malicious tools named CreepyDrive and CreepyBox for its victims.

This isn't the first time Iranian threat actors have used cloud services to its advantage. Cybereason revealed in October 2021 that a group called MalKamak organized an attack campaign that use Dropbox for C2 communications to remain under the radar. 

MSTIC also stated that several of the victims penetrated by Polonium had previously been targeted by another Iranian entity known as MuddyWater (aka Mercury), which the US Cyber Command has described as a "subordinate element" under MOIS. The victim overlaps support previous reports that MuddyWater is a "conglomerate" of several teams similar to Winnti (China) and the Lazarus Group (North Korea). 

Customers are encouraged to implement multi-factor authentication as well as analyze and audit partner relations to minimize any superfluous permissions to combat such risks.

Russian Groups are Plagued by OldGremlin Ransomware Threat

 

The new cyber-crime squad, known as OldGremlin, is actively targeting banks, medical institutions, software developers, and industrial firms, among other targets. The gang differentiates from all other ransomware groups by launching a limited number of campaigns – just under five since early 2021 – which solely target Russian firms and employ proprietary backdoors developed in-house.

OldGremlin has claimed ransoms as large as $3 million from one of its victims, despite being less active, which may indicate the ransomware business is approaching moonlighting. Two phishing attacks that were conducted near the end of March 2022 constitute the most current OldGremlin activities. It might be too early to say how many organizations were attacked, but security experts say roughly one Russian mining corporation is on the list of victims. The adversary did not deviate from its previously observed strategy of exploiting trending news topics to gain initial access. 

As per cybersecurity experts at Singapore-based cybersecurity firm Group-IB, this time OldGremlin scammed a senior auditor at a Russian financial organization, advising that the Visa and Mastercard payment service systems will be suspended due to recent sanctions placed on Russia.

The email directed recipients to a malicious Dropbox document that downloads TinyFluff, a backdoor that opens the Node.js interpreter and grants the attacker remote access to the target system. The email then allowed OldGremlin remote access to the machine via a malicious file that used a backdoor known as "TinyFluff," which the gang upgraded from a prior backdoor known as "TinyNode." The target receives a ransom note once the attacker has gained access to the system and has access to system data. A mining business, according to Group-IB, is one of the possible victims. 

Another well-known ransomware group, NB65, has been trying to frustrate Russian operations, including the alleged theft of 900,000 emails and 4,000 files from the state-owned television and radio broadcasting network VGTRK. In March, the organization exploited released source code from the Conti Ransomware gang – a Russia-linked threat actor — to create distinct ransomware for the first time. 

The researchers can study the directives for these steps of the assault using a traffic sniffer because they are provided in cleartext.
  • Gathering data on the infected system or device. 
  • Collecting information about the drives that are connected.
  • Executing a command in the cmd.exe shell and passing the output to the command and control server (C2) 
  • Receiving information about the system's installed plugins.
  • Obtaining information about files on the system drive's specified folders puts an end to the Node.js interpreter.
  • Before executing the last step of the assault, TinyCrypt/TinyCryptor, the group's proprietary ransomware payload, OldGremlin can spend months within the infiltrated network. 
The gang only ran one phishing effort in 2021, but it was enough to keep them occupied for the entire year as it gave them initial access to a network of various firms. Apart from the target Russian mining company, Group-IB believes that a higher number of OldGremlin victims will be discovered this year as a result of the group's March phishing operation. 
 
The researchers believe OldGremlin has Russian-speaking members based on the evidence they collected and after examining the quality of the phishing emails and decoy papers. They called the group's understanding of the Russian terrain "astonishing." OldGremlin defies the mold by focusing solely on Russian businesses including banks, industrial corporations, medical institutions, and software producers.

Hackers Linked to Palestine Use the New NimbleMamba Malware

 


A Palestinian-aligned hacking organization has used a novel malware implant to target Middle Eastern governments, international policy think tanks, and a state-affiliated airline as part of "highly focused intelligence collecting activities." The discoveries by Proofpoint researchers detail the recent actions of MoleRATs in relation to a renowned and well-documented Arabic-speaking cyber organization, and the ongoing installation of a new intelligence-gathering trojan known as "NimbleMamba." 

To verify all infected individuals are within TA402's target zone, NimbleMamba employs guardrails. The Dropbox API is used by NimbleMamba both to control and also data leakage. The malware also has a number of features that make automated and human analysis more difficult. It is constantly in creation, well-maintained, and is geared to be employed in highly focused intelligence collection programs. 

MoleRATs, also known as TA402, operators are "changing the methodologies while developing these very neatly done, specialized and well-targeted campaigns," according to Sherrod DeGrippo, Proofpoint's vice president of threat analysis and detection. 

Reportedly, TA402 sends spear-phishing emails with links to malware distribution sites. Victims should be inside the scope of the attack, otherwise, the user will be rerouted to credible sources. A version of NimbleMamba is dumped on the target's machine inside a RAR file if its IP address fulfills the selected targeted region. Three separate attack chains were discovered, each with minor differences in the phishing lure motif, redirection URL, and malware-hosting sites. 

In the most recent attacks, the perpetrators pretended to be the Quora website in November 2021. The customer would be rerouted to a domain that served the NimbleMamba virus if the target system's IP address fell under one of around two dozen geofenced country codes. The user would be sent to a respectable news source if this was not the case. 

Another effort, launched in December 2021, employed target-specific baits including medical data or sensitive geopolitical information, and delivered malware via Dropbox URLs.

In yet another campaign, which ran from December to January, the hackers employed different baits for each victim but delivered malware via a hacker-controlled WordPress URL. The hacker-controlled URL only enabled attacks on targets in specific nations. 

NimbleMamba contains "various capabilities intended to confuse both automatic and manual analysis," reiterating that the malware "currently being produced, is well-maintained, and tailored for use in highly focused intelligence collection programs," the researchers told. 

Bug Bounty Hunter Finds Google Drive Integration Vulnerability

Implementation vulnerabilities in Google Drive integrations created various server-side-request-forgery (SSRF) flaws in various applications, say cybersecurity experts. It also includes Dropbox's HelloSign, a digital signature platform, however, the latest SSRF was gained by CRLF and asks pipeline in other, anonymous applications, says Bug Bounty hunter Harsh Jaiswal. Jaiswal won a bounty reward of $17,576 for a basic but important SSRF associated with HelloSign's Google Drive Docs export feature. 

If one uses an extra parameter in Google Drive API, it is possible for experts to compelled HelloSign for parsing external JSON data that leads to an SSRF attack. Dropbox has updated the parser securely making a request mitigating the flaw. 

The implementation issues surfaced in integrations that retrieved files from Google Drive API in the servers. To explain the issue, Jaiswal laid out a situation where an app collects and renders an image file in Google Drive in a way that allows hackers to gain control of HTTP requests made to Google APIs via file ID. A user can make a path traversal, adding query parameters. 

The Daily Swig reports "Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable. However, he found another route to SSRF. Because the alt=media parameter served the entire file rather than the JSON object, when the application parsed the JSON and extracted downloadUrl, attackers could gain control over downloadUrl." A payload consisting of a malicious JSON element download Url. 

The SSRF through CRLF and pipeline was discovered on a private bug bounty competition and linked to Google Drive slides retrieval. Only the path traversal technique worked and not the query parameters. "Using this I was able to craft a new request to www.googleapis.com with my controlled query params using request pipelining. If there’s a custom implementation of [Google Drive] and no sanitization is done it could cause this bug," reports the Daily Swig.