Weekly Cyber News Roundup

April 27th to May 3rd 2024

Contents

01. News Bites
  • Dropbox Data Breach
  • GitLab account takeover bug is actively exploited
  • Qantas app exposed sensitive traveller details to random users
  • Okta warns of "unprecedented" credential stuffing attacks on customers
02. Conclusion

Quick News Bites

Dropbox Data Breach

Dropbox has disclosed a significant security breach of the Dropbox Sign production systems that occurred on April 24, affecting its eSignature service, HelloSign. Threat actors gained unauthorized access and exfiltrated customer data, including authentication secrets such as OAuth tokens and API keys. Dropbox also said that people who used the eSignature platform without registering an account had their names and email addresses exposed.

This breach underscores the persistent threat that cybercriminals pose to cloud-based services and the critical importance of securing customer data. The theft of authentication secrets is the most serious aspect: threat actors could use the stolen OAuth tokens and API keys to bypass authentication mechanisms and gain unauthorized access to sensitive information stored within Dropbox accounts, compromising the confidentiality, integrity, and availability of user data. The breach likely occurred due to vulnerabilities in HelloSign's security infrastructure or sophisticated attacks targeting HelloSign users, such as phishing or credential stuffing attacks.

Integrity360 recommends that users review the security advisory posted by Dropbox (A recent security incident involving Dropbox Sign - Dropbox Sign - Dropbox), which explains how to rotate API keys in order to regain full privileges, as Dropbox has restricted how API keys can be used until they are rotated. Users should also reset MFA by deleting their existing MFA configuration and re-enrolling in their authenticator app.

This is a reminder that organizations must enhance their threat detection and incident response capabilities to promptly identify and mitigate security incidents. Collaborative efforts between cloud service providers, customers, and cybersecurity experts are crucial to addressing emerging threats and safeguarding sensitive information stored in cloud environments.

GitLab account takeover bug is actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a critical vulnerability allowing for GitLab account takeovers via password resets. This vulnerability presents a severe threat, enabling malicious actors to compromise user accounts and potentially access sensitive data and source code repositories hosted on the GitLab platform.

Tracked as CVE-2023-7028, the security flaw is due to an improper access control weakness that can allow remote unauthenticated threat actors to send password reset emails to email accounts under their control to change the password and hijack targeted accounts without user interaction. The CVE-2023-7028 bug impacts GitLab Community and Enterprise editions, and GitLab fixed it in 16.7.2, 16.5.6, and 16.6.4 and backported patches to versions 16.1.6, 16.2.9, and 16.3.7.

Although attackers can't exploit this vulnerability to hijack accounts where two-factor authentication (2FA) is enabled, it's critical to patch systems where accounts are not protected with this additional security measure.

GitLab's security advisory for this vulnerability (GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 | GitLab) strongly recommends that all installations running an affected version are upgraded to the latest version as soon as possible. If you have not upgraded yet, be aware that there is a newer patch that includes additional fixes for a recently discovered DB migration issue; upgrade to 16.7.3, 16.6.5, 16.5.7, or newer to avoid it.
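The version checks implied by the advisory, as an added example (not GitLab's own code or tooling): it classifies a reported GitLab version against the fixed releases named above and gives a triage priority that takes the 2FA caveat into account. The fixed patch levels and the 16.7.3/16.6.5/16.5.7 migration-fix releases come from the text above; treating 16.8 and later as carrying the fix, reporting unlisted series such as 16.4 as "not-listed", and the handling of a `-ce`/`-ee` suffix are assumptions made for the example.

```python
import re
from typing import Tuple

# Minimum patch level, per GitLab minor series, that contains the fix for
# CVE-2023-7028, taken from the roundup above: 16.7.2, 16.6.4, 16.5.6 and the
# backports 16.1.6, 16.2.9, 16.3.7. Series not on that list (for example 16.4)
# are reported as "not-listed" rather than guessed at; check the advisory.
FIXED_PATCH = {(16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 5): 6, (16, 6): 4, (16, 7): 2}

# Follow-up releases that also carry the DB migration fix the advisory mentions.
MIGRATION_FIX_PATCH = {(16, 5): 7, (16, 6): 5, (16, 7): 3}

# Accepts "16.7.2", "16.7.2-ee" or "16.7.2-ce" (assumption: the edition suffix
# GitLab reports); anything else is rejected rather than misparsed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def cve_2023_7028_status(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-listed' for a GitLab version."""
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[series] else "vulnerable"
    # Assumption: releases after the 16.7 series (16.8 and later) shipped after
    # the fix and include it, which is why the advisory says "latest version".
    if series > (16, 7):
        return "patched"
    return "not-listed"


def needs_migration_fix_upgrade(version: str) -> bool:
    """True when the instance has the security fix but not the later
    migration fix (advisory: upgrade to 16.7.3, 16.6.5, 16.5.7 or newer)."""
    major, minor, patch = parse_version(version)
    target = MIGRATION_FIX_PATCH.get((major, minor))
    return target is not None and FIXED_PATCH[(major, minor)] <= patch < target


def remediation_priority(version: str, two_fa_enforced: bool) -> str:
    """Triage helper: the roundup notes that 2FA-protected accounts cannot be
    hijacked through this bug, so unpatched instances without enforced 2FA
    come first; every vulnerable instance still needs the upgrade."""
    status = cve_2023_7028_status(version)
    if status == "patched":
        return "upgrade-for-migration-fix" if needs_migration_fix_upgrade(version) else "none"
    if status == "not-listed":
        return "verify-against-advisory"
    return "patch-now" if not two_fa_enforced else "patch-soon"


if __name__ == "__main__":
    for v, tfa in [("16.7.1", False), ("16.7.2-ee", True), ("16.4.3", True), ("16.8.0", False)]:
        print(v, cve_2023_7028_status(v), remediation_priority(v, tfa))
```

Feed it the version string from your instance's version endpoint or package listing; the "not-listed" result is deliberate so that a series the roundup does not name is checked against the advisory rather than silently assumed safe.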

Qantas app exposed sensitive traveller details to random users

The discovery that the Qantas app exposed sensitive traveller details to random users raises significant concerns regarding data privacy and security in the aviation industry. This breach highlights the potential risks associated with digital platforms used for travel management, as it could lead to unauthorized access to personal information, including names, dates of birth, and travel itineraries, by individuals not authorized to view such data.

The exposure came to light when several users tweeted on 1 May that they could view other users' travel details, including personally identifiable information, boarding passes for upcoming flights and other account information.

Qantas announced that "No further personal or financial information was shared, and customers would not have been able to transfer or use the Qantas Points of other frequent flyers."

The airline also said it was not aware of any customers travelling with incorrect boarding passes, and it later added processes to prevent such a mix-up, which could cause delays or safety incidents at the airport.

The data exposure in the Qantas app likely occurred due to a misconfiguration or security flaw in the application's access controls or data handling mechanisms, which allowed unauthorized users to view other travellers' details. The exposure of personally identifiable information (PII) raises concerns about identity theft, fraud, and other malicious activity targeting affected travellers. Regulatory penalties and legal repercussions may also follow if the incident is found to violate data protection laws.
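The access-control failure mode described above, as an added illustration (this is not Qantas code, and the roundup does not state the actual cause): a booking lookup that trusts the identifier in the request, beside one that only returns a record when it belongs to the calling account and logs every denial for detection. The in-memory store, identifiers and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


class AuthorizationError(Exception):
    """Raised when a caller asks for a booking it does not own."""


@dataclass(frozen=True)
class Booking:
    booking_id: str
    owner_id: str        # account that made the booking
    passenger_name: str
    date_of_birth: str
    boarding_pass: str   # opaque barcode payload


# Constructed in-memory store; every identifier and name here is made up.
BOOKINGS: Dict[str, Booking] = {
    "ABC123": Booking("ABC123", "acct-1001", "Alice Example", "1990-01-01", "BP-ALICE"),
    "XYZ789": Booking("XYZ789", "acct-2002", "Bob Example", "1985-06-15", "BP-BOB"),
}

# Denied lookups are recorded so repeated probing of other people's
# bookings shows up in monitoring.
AUDIT_LOG: List[dict] = []


def _view(b: Booking) -> dict:
    return {"passenger": b.passenger_name, "dob": b.date_of_birth, "boarding_pass": b.boarding_pass}


def get_booking_unchecked(booking_id: str) -> dict:
    """The weak pattern: the handler trusts the identifier in the request and
    never asks who is calling, so any signed-in user who is handed, guesses or
    stumbles on another booking id sees that traveller's PII and boarding pass."""
    return _view(BOOKINGS[booking_id])


def get_booking_for_account(account_id: str, booking_id: str) -> dict:
    """Object-level authorization: the record must exist AND belong to the
    calling account. A mismatch is reported exactly like a missing booking, so
    the response does not confirm that someone else's booking id is valid."""
    b = BOOKINGS.get(booking_id)
    if b is None or b.owner_id != account_id:
        AUDIT_LOG.append({"account": account_id, "booking": booking_id, "action": "denied"})
        raise AuthorizationError("booking not found for this account")
    return _view(b)


def can_view(account_id: str, booking_id: str) -> bool:
    """Convenience wrapper used by the checks below."""
    try:
        get_booking_for_account(account_id, booking_id)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    print(get_booking_unchecked("XYZ789"))                 # anyone gets Bob's data
    print(get_booking_for_account("acct-1001", "ABC123"))  # Alice gets her own
    print(can_view("acct-1001", "XYZ789"), AUDIT_LOG[-1])  # False, denial logged
```

The important property is that ownership is checked inside the data access path, not left to the caller; a handler that merely hides the link in the UI while the underlying lookup stays unchecked still exposes every record to anyone who can reach the endpoint.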

Okta warns of "unprecedented" credential stuffing attacks on customers

Okta has issued a warning regarding unprecedented credential stuffing attacks targeting its customers, posing a significant threat to user accounts and organizational security. Credential stuffing attacks involve cybercriminals leveraging large-scale automated tools to systematically test stolen login credentials obtained from data breaches on various online services, including Okta's authentication platform. This represents a severe risk as successful attacks could compromise sensitive data, access critical systems, and undermine organizational security posture.

The scale and frequency of these attacks highlight the significant risk posed to organizations utilizing Okta's services and emphasises the need for robust authentication and access controls to mitigate the threat.

Okta has released a security advisory regarding the credential stuffing attacks (How to Block Anonymizing Services using Okta | Okta Security) describing how organisations that have deployed Okta can mitigate the risk of account takeover. The recommended measures include passwordless authentication, enforcing multi-factor authentication, using strong passwords, denying requests from outside the company's locations, blocking IP addresses of ill repute, and monitoring and responding to anomalous sign-ins.
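A worked example of the "monitor and respond to anomalous sign-ins" and "deny requests outside the company's locations" measures, added here and not taken from Okta's advisory: it runs a simple credential-stuffing detector over constructed sign-in events modelled on the shape of Okta System Log entries. The field names used, the thresholds, the allowed-country list and all addresses and usernames are assumptions chosen for the example; the detection idea is the generic one, many distinct usernames failing from one source in a short window, followed by a success from that same source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def _event(published, user, ip, country, result):
    # Constructed event in the shape of an Okta System Log entry (assumption:
    # only the fields used below are modelled). Addresses come from the
    # documentation ranges; usernames are made up.
    return {
        "eventType": "user.session.start",
        "published": published.strftime(TS_FMT),
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }


_T0 = datetime(2024, 5, 1, 9, 0, 0)

SAMPLE_EVENTS = [
    # One user mistypes a password and then signs in: benign.
    _event(_T0, "alice@example.com", "203.0.113.5", "IE", "FAILURE"),
    _event(_T0 + timedelta(seconds=20), "alice@example.com", "203.0.113.5", "IE", "SUCCESS"),
]
# Six different usernames failing from one address within three minutes,
# then a success for the last one: the credential-stuffing pattern.
for i in range(6):
    SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=1, seconds=30 * i),
                                f"u{i + 1}@example.com", "198.51.100.7", "NL", "FAILURE"))
SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=4), "u6@example.com",
                            "198.51.100.7", "NL", "SUCCESS"))


def _published(ev):
    return datetime.strptime(ev["published"], TS_FMT)


def detect_anomalous_signins(events, allowed_countries=frozenset({"IE", "GB"}),
                             window=timedelta(minutes=10), min_distinct_users=5):
    """Return (finding_type, source_ip, detail) tuples in time order.

    - geo_policy_violation: a sign-in attempt from outside the allowed countries
      (reported once per source address).
    - credential_stuffing: at least `min_distinct_users` different usernames
      failed from one address inside `window`.
    - possible_account_takeover: a later success from an address already
      flagged for stuffing, the event worth responding to first.
    """
    findings = []
    failures = defaultdict(list)   # ip -> [(time, user), ...] inside the window
    stuffing_ips, geo_ips = set(), set()
    for ev in sorted(events, key=_published):
        if ev["eventType"] != "user.session.start":
            continue
        t = _published(ev)
        ip = ev["client"]["ipAddress"]
        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        if country not in allowed_countries and ip not in geo_ips:
            geo_ips.add(ip)
            findings.append(("geo_policy_violation", ip, country))
        if ev["outcome"]["result"] == "FAILURE":
            recent = [(ts, u) for ts, u in failures[ip] if ts >= t - window]
            recent.append((t, user))
            failures[ip] = recent
            distinct = {u for _, u in recent}
            if len(distinct) >= min_distinct_users and ip not in stuffing_ips:
                stuffing_ips.add(ip)
                findings.append(("credential_stuffing", ip, f"{len(distinct)} distinct users"))
        elif ip in stuffing_ips:
            findings.append(("possible_account_takeover", ip, user))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalous_signins(SAMPLE_EVENTS):
        print(*finding)
```

Against the constructed sample this yields one geo finding for the foreign address, one stuffing finding once the fifth distinct username fails, and one takeover finding for the subsequent success; the takeover finding is the one to act on (force a password reset and session revocation for that user), while the stuffing finding feeds the IP-blocking and rate-limiting controls the advisory describes.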

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Cyber Security Conference

STOCKHOLM | 17 October 2023

Integrity360's flagship conference Security First comes to Stockholm in 2023!

Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.