Cloud-storage provider DropBox was successfully targeted in a phishing campaign that allowed bad actors to access some of its code stored in GitHub. (Photo by Drew Angerer/Getty Images)

Reports on Tuesday that Dropbox was the target of a phishing campaign that successfully accessed some of the code it stores in GitHub raised eyebrows in security circles because the attackers were able to bypass multi-factor authentication (MFA).

In a blog post, Dropbox researchers said the threat actors moved beyond simply harvesting usernames and passwords to harvesting MFA codes. The researchers pointed out that in September, GitHub detailed one such phishing campaign, in which a threat actor accessed GitHub accounts by impersonating the code integration and delivery platform CircleCI. 

“We recently learned that Dropbox was targeted by a similar campaign,” said the researchers. "On October 14, 2022, GitHub alerted us to some suspicious behavior that began the previous day. Upon further investigation, we found that a threat actor — also pretending to be CircleCI — also accessed one of our GitHub accounts.”

The researchers said on the day Dropbox learned about the incident, they disabled the threat actor’s access to GitHub. Dropbox security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data — if any — was accessed or stolen. They also reviewed their logs, and said they found no evidence of successful abuse.

Attackers look for new ways to bypass protections

While MFA adds an excellent layer of security atop user login credentials, it’s far from foolproof, said Mika Aalto, co-founder and CEO at Hoxhunt. Some vulnerabilities for bypassing MFA, such as via conventional session management and using Oauth, have been found and patched. However, Aalto said malicious actors are always finding new hacks, both manual and automated.

“A manual example might involve a credential harvesting site where instead of redirecting the user after harvesting their credentials, the site will ask for an authenticator code,” Aalto said. “Think about that. The malicious actor has anticipated MFA and is basically asking the victim to hand-deliver the code. Should the authenticator code be given, the attackers would get an alert and quickly log in. After inputting the code, the site will load and then ask for another code, possibly giving the attackers another chance to log in.”

Nick Rago, Field CTO at Salt Security, pointed out that in this case, Dropbox confirmed that the code accessed by the threat actor contained API keys used by Dropbox developers. Rago said it’s unclear from the incident notification what those API keys were used for, what systems they connected to (internal or external), and the extent of the data and functional access the threat actor would have with those API keys.

“Static API keys and other important credentials used by app developers should be secured in some manner and not stored in plain text as part of any 'at rest' application source code,” Rago said. “Data encryption or leveraging a secure data vault offer two common and more secure alternatives. The Dropbox breach serves as a good reminder for organizations to scan their source code repositories to look for any credentials stored in plain text (API keys, passwords) that a threat actor could potentially use if they were to gain access to the repository.” 

Beyond MFA, Matt Mullins, senior security researcher at Cybrary, said security teams should consider what impact a detonated phish can deliver. Mullins said security teams should ask the following questions: Does the company have exposed APIs that someone can authenticate to? If so, is there sufficient logging within the console so that information can be aggregated into a SIEM? What sort of protections does the organization have for detonated malware? Is there EDR/AV correctly tuned with appropriately tested rules? Do you employ sandboxing? Are only certain groups allowed to execute macros?

“These security measures can greatly mitigate the impact of phishing overall for an organization,” said Mullins. “If organizations have some of my suggestions implemented with regular testing (meaning pen tests), they stand to do significantly better in the overall impact and detection than organizations that do not.”

George McGregor, vice president at Approov, said it’s true that phishing attackers have more and more sophisticated methods to bypass protections. The Dropbox case serves as just one example of how attackers are always finding new approaches and techniques and keeping up becomes a game of "whac-a mole" for security teams

McGregor said security teams have to take two steps: First, spend energy and resources to keep up-to-date with threats and attack techniques and try to keep defenses up-to-date. Second, have a detailed plan that's ready to activate when breaches occur. 

“One piece of this contingency plan is the ability to block access of specific users and keys immediately if they are compromised,” McGregor said. “The other is to ensure service continuity by being able to immediately update or rotate compromised keys or authentication tokens across the infrastructure if keys are stolen so that service is never interrupted. “