
Dropbox says hackers stole customer data, auth secrets from eSignature service

Cloud storage firm Dropbox says hackers breached production systems for its Dropbox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information.

Dropbox Sign (formerly HelloSign) is an eSignature platform allowing customers to send documents online to receive legally binding signatures.

The company says they detected unauthorized access to Dropbox Sign’s production systems on April 24 and launched an investigation.

This investigation determined that the threat actors gained access to a Dropbox Sign automated system configuration tool, which is part of the platform’s backend services.

This configuration tool enabled the threat actor to execute applications and automated services with elevated privileges, allowing the attacker to access the customer database.

“Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” warns Dropbox.

For those users who used the eSignature platform but did not register an account, their email addresses and names were also exposed.

The company says they found no evidence that the threat actors gained access to customers’ documents or agreements and did not access the platforms of other Dropbox services.

Dropbox says that it reset all users’ passwords, logged out all sessions to Dropbox Sign, and restricted how API keys can be used until they are rotated by the customer.

The company has provided additional information in the security advisory on how to rotate API keys to once again receive full privileges.

Those who utilize MFA with Dropbox Sign should delete the configuration from their authenticator apps and reconfigure it with a new MFA key retrieved from the website.

Dropbox says they are currently emailing all customers who were impacted by the incident.

For now, Dropbox Sign customers should be on the lookout for potential phishing campaigns utilizing this data to collect sensitive information, such as plaintext passwords.

If you receive an email from Dropbox Sign asking you to reset your password, do not follow any links in the email. Instead, visit Dropbox Sign directly and reset your password from the site.

In 2022, Dropbox disclosed a security breach after threat actors stole 130 code repositories by breaching the company’s GitHub accounts using stolen employee credentials.

AnyDesk Hacked!!

In a statement shared with BleepingComputer late Friday afternoon, AnyDesk says they first learned of the attack after detecting indications of an incident on their production servers.

After conducting a security audit, they determined their systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike.

AnyDesk did not share details on whether data was stolen during the attack. However, BleepingComputer has learned that the threat actors stole source code and code signing certificates.

The company also confirmed ransomware was not involved but didn’t share too much information about the attack other than saying their servers were breached, with the advisory mainly focusing on how they responded to the incident.

As part of their response, AnyDesk says they have revoked security-related certificates and remediated or replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident.

“We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate,” AnyDesk said in a public statement.

While the company says that no authentication tokens were stolen, out of caution, AnyDesk is revoking all passwords to their web portal and suggests changing the password if it’s used on other sites.

The VORACLE attack vulnerability

Description

Security researcher Ahamed Nafeez has presented a new attack vector, named VORACLE, that targets VPN tunnels that use compression. The attack vector bears similarities to the CRIME and BREACH attacks, which mainly affect HTTPS-based connections.

It has been discovered that, in very specific circumstances, it is possible to gain information about the contents of an encrypted VPN tunnel if an attacker can capture the encrypted packets while a certain type of data is transferred through the tunnel. In other words: if a VPN user visits, for example, an unencrypted HTTP website through an encrypted VPN tunnel, and that traffic is compressed and then encrypted by the tunnel, certain clues about its contents can still be gathered, provided the encrypted packets can be captured and analysed and the attacker can feed data of their own through the tunnel. A simplified example follows below. It is not the only possible attack against encryption combined with compression, and it is very simplified, but it is useful for explaining the principle behind attacks like VORACLE, CRIME and BEAST.

Let’s say Alice has set up a login page. To check passwords entered there, Alice sends a message like “tell me if <the password entered> matches <secret password>” to Bob. This message between Alice and Bob is sent through an encrypted VPN tunnel that also uses compression. The more similar <the password entered> is to <secret password>, the better this message compresses. If the attacker Eve can ask Alice to verify passwords and can see the length of the encrypted VPN messages, she gets a pretty good idea of how close her guesses are, since the encrypted messages get shorter as her guesses get better.

Without compression the length of the encrypted packets does not change, so Eve cannot gain any information from this. Strictly speaking, the length changes if the length of Eve’s guess changes, but that gives no additional information. The real-world attacks are more complicated and need to take into account the specific circumstances (for example HTTPS or VPN), but they rely on the same principle demonstrated in this simple example.
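The Alice/Bob/Eve example above, reproduced as an added example that is not part of the original article or the researcher's work: it measures the message with and without DEFLATE (zlib), the compression family used by VPN and TLS compression, and skips the cipher because a length-preserving cipher changes nothing about what the eavesdropper sees. The secret and the candidate guesses are constructed; the useful defender check is the length spread across equally long guesses, which must be zero on any channel that carries attacker-supplied data next to secrets.

```python
import zlib

# Constructed example secret for the demonstration; not a real credential.
SECRET = "correct-horse-battery"


def build_message(guess: str, secret: str = SECRET) -> bytes:
    """Alice's check message, in the exact form the text describes."""
    return f"tell me if {guess} matches {secret}".encode()


def tunnel_length(guess: str, compress: bool, secret: str = SECRET) -> int:
    """Bytes that cross the tunnel for one guess.

    Encryption hides content but preserves length, so the optional
    compression step alone decides what an eavesdropper can measure.
    """
    msg = build_message(guess, secret)
    return len(zlib.compress(msg)) if compress else len(msg)


def rank_guesses(candidates, compress: bool, secret: str = SECRET):
    """Candidates ordered by observed length, shortest first.

    With compression the shortest candidate shares the most bytes with the
    secret; without compression the order only reflects guess length.
    """
    return sorted(candidates, key=lambda g: (tunnel_length(g, compress, secret), g))


def length_spread(candidates, compress: bool, secret: str = SECRET) -> int:
    """Max minus min length over the candidates.

    For equally long guesses a spread of zero means the channel leaks
    nothing about the secret; any positive spread is the oracle Eve uses.
    """
    sizes = [tunnel_length(g, compress, secret) for g in candidates]
    return max(sizes) - min(sizes)


if __name__ == "__main__":
    same_length = ["correct-horse-baton", "zebra-donkey-pillow"]  # 19 chars each
    for compress in (True, False):
        print(f"compression {'on ' if compress else 'off'}:")
        for g in same_length:
            print(f"  {g:22} -> {tunnel_length(g, compress)} bytes on the wire")
        print(f"  spread over equal-length guesses: {length_spread(same_length, compress)}")
```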

DAAM Virus

An Android malware called ‘Daam’ that infects mobile phones and hacks into sensitive data like call records, contacts, history and camera has been found to be spreading, the national cyber security agency has said in its latest advisory.

The virus is also capable of “bypassing anti-virus programs and deploying ransomware on the targeted devices”, the Indian Computer Emergency Response Team, or CERT-In, said.

The agency is the federal technology arm for combating cyber attacks and guarding cyberspace against phishing, hacking and similar online attacks.

Zero-day Attack

“Zero-day” is a broad term that describes recently discovered security vulnerabilities that hackers can use to attack systems. The term “zero-day” refers to the fact that the vendor or developer has only just learned of the flaw – which means they have “zero days” to fix it. A zero-day attack takes place when hackers exploit the flaw before developers have a chance to address it.

Zero-day is sometimes written as 0-day. The words vulnerability, exploit, and attack are typically used alongside zero-day, and it’s helpful to understand the difference:

DDoS Attack

What is a DDoS Attack?

A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, it’s one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.

Generally, these attacks work by drowning a system with requests for data. This could mean sending a web server so many requests to serve a page that it crashes under the demand, or hitting a database with a high volume of queries. The result is that the available internet bandwidth, CPU and RAM capacity become overwhelmed.

The impact could range from the minor annoyance of disrupted services to entire websites, applications, or even an entire business being taken offline.