Dropbox breach: Hackers target Github to steal sensitive data
Another week, another high-profile, largely avoidable phishing attack resulted in a large breach. Dropbox has disclosed that attackers breached their systems through an employee's GitHub account. This attack resulted in 130 code repositories being stolen from Dropbox. Thousands of employees, customers, sales leads and vendors had their information stolen. Additionally, the hackers were able to steal the credentials of Dropbox developers.
Beyond its far-reaching scope, what makes this data breach so unfortunate is that, like the recent high-profile Uber hack, this happened due to a fake MFA prompt. For this hack, employees received a fake CircleCI email. This email prompted them to input their login information for a One-Time Password (OTP). The hackers then stole these credentials to gain access to Dropbox's GitHub network. Notably, Dropbox employees were targeted by a similar attack in September. The fact that this was successful is a damning indictment of Dropbox's security training.
All companies, whether as large as Dropbox or as small as a local business, need to ensure their employees are trained not to fall for these scams. Security training is one of the most cost-effective ways to protect against these breaches. Time and time again, attacks like these show that the human element of cybersecurity must not be overlooked. Good security training can prevent harmful breaches down the line.
BEC scams: Hackers impersonate law firms
A phishing email from a threat actor pretending to be a financial institution is well-worn territory, but what about a law firm? Recently, the business email compromise (BEC) group Crimson Kingsnake has begun impersonating prominent law firms. They have been doing this to send victims 'overdue' payment requests for legal services that never occurred. These attacks highlight how dangerous BEC scams can be.
What is a business email compromise?
A business email compromise (BEC) is a cyber attack that targets businesses through email-based fraud. These attacks extract money or information from companies through seemingly legitimate email requests. Because BEC schemes usually include spoofing the email of a trusted sender, companies are less likely to be suspicious of these requests.
Crimson Kingsnake: The new BEC scam artists
Crimson Kingsnake has chosen to impersonate large firms like Deloitte and Monlex International. By recreating their logos and email letterheads, Kingsnake has been able to target the former clients of these firms. This is part of the growing prevalence of BEC scams, which resulted in $2.4 billion in losses in 2021 alone. These scammers are patient, detail-oriented, and cunning. For all organizations, whether or not they deal with law firms, these attacks should not be taken lying down.
Your corporate access for sale: IABs
When hackers breach corporate networks, they sometimes sell this access to other threat actors, who carry out their own hacks. This week, it was reported that an initial access broker (IAB) hacking group is selling access to 576 corporate networks for $4 million.
What are initial access brokers?
Initial access brokers (IABs) are hackers that breach corporate networks to sell this access to other buyers. They are middlemen, passing this information to other hackers without taking on the risk of further attacking these networks.
While $4 million is minor when measured against some of the larger costs associated with breaches, IABs are very dangerous. They allow other hackers to carry out further attacks on these networks. These include data theft, supply chain attacks, ransomware, and many other nefarious things. Because of this, protecting your company against data breaches has become more complicated. Now, there is the added wrinkle of not knowing if the actors trying to hack your network are the final recipients of this access. More than ever, organizations have to ask: Is my environment for sale?