Dropbox Discloses Phishing Incident Caused by CircleCI Impersonation
Dropbox, a file hosting service giant headquartered in San Francisco, California, disclosed a phishing incident on November 1, 2022, in which the threat actor responsible accessed and exfiltrated 130 GitHub repositories. Dropbox uses GitHub to host its public repositories as well as a portion of its private repositories. In its statement, Dropbox explained that multiple Dropbox employees received phishing emails that prompted the user to "visit a fake CircleCI login page, enter their GitHub username and password, and use their hardware authentication key to pass a One Time Password (OTP) to the malicious site." Dropbox confirmed that on October 14, 2022, GitHub alerted it to suspicious activity that had begun the day before. Dropbox immediately investigated the activity and determined that the threat actor impersonating CircleCI had accessed one (1) of Dropbox's GitHub accounts and copied 130 code repositories. This tactic was detailed by GitHub in September 2022, when threat actors were targeting GitHub users in various organizations with a phishing campaign disguised as CircleCI to harvest user credentials and two-factor authentication (2FA) codes. Dropbox confirmed that the threat actor at no point had access to Dropbox account content, passwords, or payment information during the security incident, but did state that the code accessed contained some credentials (primarily API keys) used by Dropbox developers. The code also included a "few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors." Dropbox noted that it has more than 700 million registered users and that there is currently no evidence of successful abuse. CTIX analysts will continue to monitor Dropbox's phishing incident and will report on additional organizations that fall victim to the previously seen CircleCI impersonation tactic.
Threat Actor Activity
Black Basta TTPs Linked to FIN7 Cybercrime Organization
Attributed indicators from Black Basta cyberattacks have been linked to known infrastructure and tactics, techniques, and procedures (TTPs) of the FIN7 threat organization. Black Basta is a ransomware organization that first emerged in April 2022. Black Basta threat actors incorporate double-extortion tactics in their ransomware engagements: they first exfiltrate data from the victim, then deploy custom ransomware payloads and use the exfiltrated data as leverage in ransom negotiations. FIN7 is a financially motivated cybercriminal group known for cyber operations against the banking, retail, and hospitality industries. Active since 2013, FIN7 has been a major organization within the threat landscape and has been linked to several other threat groups, including REvil, DarkMatter, ALPHV, and potentially Carbanak. According to a recent report by SentinelLabs researchers, Black Basta uses a defense impairment toolkit built around the "BIRDDOG" ("SocksBot") backdoor, which has been used numerous times in FIN7 attacks. Furthermore, the command-and-control (C2) server the malware connects to is hosted by a provider commonly used by FIN7. While this infrastructure overlap links the groups together, researchers indicate that the relationship lies within malware development: the developer behind Black Basta's defense impairment toolkit used the same coding structure and techniques as a Cobalt Strike DNS beacon used in FIN7 operations. CTIX continues to monitor threat actors across the landscape and will provide additional updates accordingly.
CISA Publishes Advisory on Critical Vulnerabilities Affecting ETIC Telecom's Remote Access Server
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has provided technical details and mitigations for multiple critical vulnerabilities in Industrial Control System (ICS) software from the France-based vendor ETIC Telecom. The news stems from an advisory published by CISA on November 3, 2022, highlighting the vulnerabilities affecting the company's products. There are three (3) vulnerabilities impacting ETIC Telecom's Remote Access Server (RAS). The first vulnerability, tracked as CVE-2022-3703, received a CVSS score of 9/10 and is an insufficient verification of data authenticity flaw affecting all ETIC Telecom RAS versions 4.5.0 and earlier. If exploited, a threat actor could supply a maliciously crafted firmware package that bypasses authentication, which could allow backdoor access to the target system. The second vulnerability, tracked as CVE-2022-41607, has a CVSS score of 8.6/10 and is a path traversal flaw that allows threat actors to access sensitive files and directories stored outside of the web application's root folder. If exploited, threat actors could potentially access critical system and configuration files, and even the application source code. The final vulnerability, tracked as CVE-2022-40981, received a CVSS score of 8.3/10 and is an unrestricted upload of file with dangerous type flaw, which occurs when an application fails to validate, or improperly validates, file types before accepting them onto the system. A dangerous file type is one that can be processed automatically in the target environment; a threat actor could exploit this vulnerability to read arbitrary files and upload malicious files to the target environment. ETIC Telecom has patched these flaws, and its customers are urged to ensure they are running ETIC Telecom RAS version 4.7. This was one (1) of three (3) advisories published by CISA concerning companies utilizing ICS software, with the other two (2) advisories concerning Nokia and Delta Industrial Automation.
Information about all of the advisories can be found in the CISA link below.
- ISS Source: ETIC Telecom Vulnerabilities Article
- The Hacker News: ETIC Telecom Vulnerabilities Article
- CISA: ICS Vulnerabilities Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.