MFA Bypassed in Dropbox Phishing Attack Targeting GitHub Credentials

Dropbox has announced that it has suffered a phishing-related data breach in which hackers gained access to proprietary code stored in GitHub repositories. The San Francisco-based file hosting service provider said customer accounts were not compromised, but hackers gained access to 130 code repositories on GitHub using credentials stolen from employees after they responded to phishing emails.

Dropbox said no user content, passwords, or payment information was compromised and its core apps and infrastructure were unaffected, but limited information on a few thousand employees, current and former customers, vendors, and sales leads was potentially exposed. That information was mostly limited to names and email addresses, so the risk to those individuals is believed to be minimal.

Dropbox was made aware of a potential breach on October 14, 2022, by GitHub, which had identified suspicious activity in its code repositories. The suspicious activity had started the previous day, October 13. Dropbox said code within 130 repositories was accessed by a threat actor, along with some credentials, mostly API keys used by its developers. The code repositories included copies of Dropbox’s third-party libraries, which had been slightly modified for use by Dropbox, along with internal prototypes and some tools and configuration files used by its security team. The code for its core apps and infrastructure was not affected, as it is subject to more stringent security controls.

The phishing campaign used emails that impersonated the CircleCI continuous integration and delivery platform. The emails warned users that as part of the integration of CircleCI with GitHub, the privacy policy and terms of use were being updated, and all users were required to review and accept the new privacy policy and terms and conditions in order to continue using CircleCI services. A link was supplied in the emails that directed users to a phishing page where they were informed that their session had expired, requiring them to log back in with their GitHub credentials. The phishing scam used a hyphenated version of the legitimate CircleCI domain.

Dropbox had implemented multifactor authentication, but as has been the case in several recent phishing campaigns, a phishing kit was used as a reverse proxy to relay the credentials entered on the phishing page to GitHub in real time, along with the time-based one-time password (TOTP) codes, which allowed the multifactor authentication to be bypassed.

GitHub had previously issued a warning that code repositories were being targeted in a phishing campaign, and that several companies that use its services have had their code repositories accessed. According to the GitHub warning, “If the threat actor successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens (PATs), authorize OAuth applications, or add SSH keys to the account in order to preserve access in the event that the user changes their password.”

In the attacks, after accessing accounts, the threat actor quickly downloads private repository content. VPN or proxy providers are used to download data via compromised user accounts, and if the compromised account has organization management permissions, new GitHub user accounts may be created as a further measure to achieve persistence.

The campaign uses several hyphenated phishing domains impersonating CircleCI, the official domain of which is CircleCI.com. The phishing domains identified so far include circle-ci[.]com, emails-circleci[.]com, circle-cl[.]com, email-circleci[.]com, and links-circleci[.]com. Other domains may also have been registered and could be used in this campaign. GitHub said that when suspicious account activity is detected, passwords are reset, and any credentials added by the threat actors are removed. GitHub has been notifying affected individuals when suspicious account activity is detected.

While any form of MFA is better than nothing, phishing campaigns such as this clearly demonstrate that not all forms of MFA are equal. This campaign cannot circumvent MFA that uses hardware security keys or phishing-resistant multifactor authentication such as WebAuthn. WebAuthn is currently the gold standard for multifactor authentication.
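To illustrate why the relay described above defeats TOTP but not WebAuthn, here is an added Python model (not code from Dropbox, GitHub or CircleCI): the real site cannot distinguish a forwarded TOTP code from one typed directly, whereas a WebAuthn authenticator signs the origin the browser actually connected to, so an assertion produced on a lookalike domain fails the relying party's origin check. The origins are constructed placeholders, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo values, not real domains or keys.
LEGIT_ORIGIN = "https://circleci.example"    # assumed real service origin
PHISH_ORIGIN = "https://circle-ci.example"   # assumed hyphenated lookalike

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the kind of code a reverse proxy relays."""
    counter = struct.pack(">Q", t // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login_via_relay(secret: bytes, t: int) -> bool:
    """Victim types the code on the phishing page; the proxy forwards it
    verbatim; the real site has nothing to bind it to and accepts it."""
    code_typed_on_phish_page = totp(secret, t)
    forwarded = code_typed_on_phish_page
    return hmac.compare_digest(forwarded, totp(secret, t))

def webauthn_assert(key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """Simplified authenticator: signs the challenge together with the origin
    the browser is on. HMAC stands in for the real key-pair signature."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": browser_origin}).encode()
    sig = hmac.new(key, hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "sig": sig}

def rp_verify(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying party: signature must verify AND the signed origin must be its
    own. A relayed assertion carries the lookalike origin and is rejected."""
    cd = json.loads(assertion["client_data"])
    if cd["origin"] != LEGIT_ORIGIN or cd["challenge"] != challenge.hex():
        return False
    expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def webauthn_login_via_relay(key: bytes, challenge: bytes) -> bool:
    """Proxy forwards the genuine challenge, but the browser signs it under
    the phishing origin, so the relying party refuses the assertion."""
    assertion = webauthn_assert(key, challenge, PHISH_ORIGIN)
    return rp_verify(key, challenge, assertion)
```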

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news