Jordan here as the editor, and this week I'll be looking at what happened in the week of October 31st through November 4th, 2022. As always, a lot of news happened, and I'm going to pick the top few things that I think were important and focus on those.
We in F5 SIRT invest a lot of time in understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.
Unfortunately, we can now add Dropbox to the list of data breaches in 2022. Dropbox announced last week that it had fallen victim to a data breach in which attackers bypassed multi-factor authentication. This appears to be the same campaign GitHub warned us about in September 2022, which was observed to impact other companies. In this campaign, the attackers send phishing emails that impersonate CircleCI with the intent of harvesting credentials and gaining initial access to the victim organization. According to the Dropbox disclosure, after initial access was gained, the attackers were able to obtain "copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team". Dropbox says it took quick action after being alerted by the GitHub team on the day of the breach: disabling the compromised account, performing internal forensics, and hiring an external auditor to review the breach as well. A silver lining is that Dropbox found only a small percentage of its customer data was accessed, with the risk to those users described as "minimal". In addition to the post-breach cleanup, Dropbox is also using this as an opportunity to accelerate its adoption of WebAuthn, a standard published by the W3C as part of the FIDO2 project. In short, WebAuthn provides stronger multi-factor security than existing technology such as one-time password (OTP) multi-factor authentication. Had it already been implemented in this scenario, I believe this specific breach could have been avoided, as WebAuthn credentials are bound to the genuine site's origin, which makes them resilient to the type of phishing used in the attack. Yet another reminder that the constant back and forth between attacker and defender is a never-ending cycle and that organizations are under constant pressure to keep up to date with attack trends and their mitigations.
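Why WebAuthn holds up against this kind of credential-harvesting phish is visible in the relying party's checks. As an added example (not Dropbox's, GitHub's or the original post's code), here is a reduced Python verifier that applies the origin, RP ID, challenge and user-presence bindings of the WebAuthn assertion ceremony to a constructed genuine assertion, one relayed through a lookalike site, and a replayed one; the domains, challenge strings and helper names are assumptions, and the authenticator signature check is deliberately left out so the binding logic stands alone.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: str) -> str:
    # Built by the browser and covered by the authenticator's signature; the
    # origin is filled in by the browser, never by the page's own JavaScript.
    doc = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(doc).encode())

def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def verify_assertion(client_data_b64: str, auth_data: bytes,
                     expected_origin: str, expected_rp_id: str, expected_challenge: str) -> str:
    """Relying-party checks that bind an assertion to the site that asked for it.
    The signature over authData || SHA-256(clientDataJSON) is not verified here;
    a real verifier must do that, and it is what prevents rewriting these fields."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        return "challenge mismatch (replay or wrong session)"
    if client.get("origin") != expected_origin:
        return "origin mismatch (assertion was produced on another site)"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(expected_rp_id.encode()).digest()):
        return "rpIdHash mismatch (credential is scoped to another RP)"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"

RP_ID, ORIGIN, CHALLENGE = "example.com", "https://login.example.com", "c2VydmVyLW5vbmNl"  # constructed

def demo() -> dict:
    genuine = verify_assertion(make_client_data(ORIGIN, CHALLENGE), make_auth_data(RP_ID), ORIGIN, RP_ID, CHALLENGE)
    # Lookalike site relaying the real challenge: the browser stamps the lookalike
    # origin into clientDataJSON, and any credential it can use is scoped to that domain.
    phish = "circleci-sso.example.net"  # constructed placeholder, not a real domain
    relayed = verify_assertion(make_client_data("https://" + phish, CHALLENGE), make_auth_data(phish), ORIGIN, RP_ID, CHALLENGE)
    replay = verify_assertion(make_client_data(ORIGIN, "b2xkLW5vbmNl"), make_auth_data(RP_ID), ORIGIN, RP_ID, CHALLENGE)
    return {"genuine": genuine, "relayed": relayed, "replay": replay}
```

Contrast this with an OTP code, which carries no notion of where it was typed: a code entered into the lookalike site is just as valid at the real one.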
As attackers will often look to exploit the weakest links of any system, blockchain smart contracts continue to be a target that attackers exploit for profit. According to a Q3 2022 report from the Blockchain Security Alliance, "92% of the loss amount was caused by contract vulnerability exploits and private key compromise". For those new to blockchain technology, smart contracts are the distributed applications that support a variety of blockchain use cases; the cryptocurrency and NFTs you've probably heard about are backed by smart contracts running on a blockchain. Just like any other code written by humans, they contain vulnerabilities that attackers look to exploit. In line with what we see in non-blockchain applications, vulnerability classes such as input validation problems, permission issues, and overflows are just as common in smart contracts. While we have a lot of history and expertise with "traditional" application security, smart contract security is an emerging discipline and is proving difficult. The skill sets, tooling, and complexity involved in auditing these applications are not keeping pace with innovation in this space, and as a result this confluence of factors creates a great opportunity for attackers to steal cryptocurrency and generally cause havoc for blockchain applications. Expect more to come in this space: as more use cases are solved with blockchain technology, more security problems will be found and exploited.
A long-standing observation is that attackers love to use a crisis or major news event as the lure in their phishing campaigns. Appealing to human emotion and using well-known issues has proven to be an effective lure, giving a tactical advantage over generic "Prince of <fill in a country here>" email scams. We've seen this pattern play out many times with natural catastrophes and during the COVID pandemic, and we are now seeing threat campaigns using the new Twitter verification process as bait. As with all phishing, user education and awareness on top of technical controls (such as email filtering) are required to combat these scams. Technical controls fail, so it's important for users to be aware of social engineering tactics so they can protect themselves. Hopefully this short summary will help you identify and protect yourself from this specific phishing campaign.