Users quickly adopted the cloud storage tool Dropbox at the start of the COVID-19 pandemic to alleviate file sharing issues and facilitate group work. Updates to Dropbox Spaces, a project management tool, reflect this shift, easing communications for remote work.1 The file-sharing company seeks to enhance collaboration and information-sharing within a distributed workforce, both now and in the future.
As Dropbox and other businesses continue to adjust to new workplace requirements, threat actors are increasingly leveraging their services for attacks.
A 260% increase in using encrypted Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic to hide cyber attacks occurred in the first nine months of 2020, according to security company Zscaler.2 More than 30% of all SSL-based attacks hide in collaboration services like Dropbox.3 Threat actors hide malware inside encrypted traffic, enabling their attacks to bypass detection. Dropbox relies on such encrypted traffic to protect data in transit, yet is exploited by these hidden attacks.
Recent espionage campaigns by sophisticated advanced persistent threat (APT) groups demonstrate the appeal of leveraging Dropbox’s encrypted channels. For example, the Russia-based espionage group Turla stored stolen documents from high-value targets on various Dropbox accounts the group controlled as far back as 2015.4 Using a previously undocumented malware toolset named Crutch, Turla bypassed Dropbox’s security layers and blended into normal traffic for years.
There are numerous reports of threat actors of varying motivations and sophistication utilizing file-sharing services to host and disseminate malware. As the COVID-19 pandemic continues, information sharing and virtual collaboration provided by Dropbox will remain a crucial factor for remote work and resulting threat actor abuse.
As of December 2020, Arabic-speaking APT group Molerats is actively conducting a cyber espionage campaign against several government officials in the Middle East.5 The group delivered backdoors and one downloader in phishing documents to execute arbitrary code and collect sensitive data from infected computers. Molerats leveraged Dropbox to covertly store espionage tools and exfiltrate stolen data.
Figure 1: Molerats' latest campaign Infection Chain; Source: Cybereason
Threat actors are likely to continue exploiting Dropbox in conjunction with sophisticated toolsets, potentially for political purposes.
Dropbox’s reputation as a leading file-sharing service makes it a popular target. Its legitimacy allows threat actors to appear authentic to targeted users, which lowers their usual levels of alertness or wariness. Dropbox provides a platform for C&C communications, allowing threat actors to evade detection during their campaigns.
There are several reports of social engineering campaigns mimicking Dropbox. Exploiting Dropbox’s trusted reputation and using its branding makes spoofed links and websites appear legitimate. Domain squatters mimic the legitimate Dropbox domain (dropbox[.]com),6 luring users into giving away their login credentials or infecting their devices with malware.
Since the beginning of 2021, five users have submitted fifteen suspicious emails purporting to target the Dropbox brand to the phishing tracking service PhishTank.7 GroupSense verified many of these submissions as phishing emails, and the actual number of such emails is likely significantly higher than those reported.
Threat actors have been leveraging Dropbox Transfer with COVID-19 relief phishing lures to redirect users to credential harvesting websites.8 Evoking a sense of urgency to the user that file transfers will expire can influence victims to click and download malicious content.
Dropbox was breached in 2012, affecting more than 68 million account holders9 and exposing usernames, emails, and hashed passwords. In 2016, Dropbox forced password resets after discovering accounts exposed from the breach still circulating among threat actors.10
The breach continues to attract interest in underground forums. As recently as February 2021, users were replying to a post offering the database on RAID Forums in 2016.
There have been 11 vulnerabilities reported impacting Dropbox.11 More than half of the vulnerabilities are related to denial of service and authentication bypass.
A zero-day vulnerability in Dropbox was discovered in 2019 by security researchers Decoder and Chris Danieli which allowed threat actors to gain permissions reserved to the privileged SYSTEM account in Windows 10 OS.12
These vulnerabilities are comparatively rare and less likely to present a threat to businesses than phishing and malware distributed via Dropbox.
To protect against these vulnerabilities, GroupSense recommends users ensure they have automatic updates enabled for Dropbox desktop and/or mobile applications or that users manually and periodically update the application. Detailed instructions are available on Dropbox’s site.
Figure 4: Dropbox CVEs (2010-2019); Source: cvedetails.com
GroupSense recommends users engage in phishing awareness training, including examples of phishing campaigns mimicking popular file-sharing services such as Dropbox. Training should highlight that received legitimate emails, including those from no-reply@dropbox.com, can contain malicious links or attachments.
GroupSense additionally advises blocking leaked Dropbox email addresses from the 2012 breach, as these are still receiving attention from threat actors and could be used to host and disseminate malicious content.
Other reputable cloud storage and file-sharing services like Microsoft OneDrive or Google Drive may better suit your business. Regardless of the chosen service, threat actors will still take advantage of all encrypted SSL/TLS security measures.
Businesses should consider limiting file transfers to only one sharing service across the company. This can mitigate phishing and malware distribution that leverage other popular file-sharing sites not approved for use.
Data privacy presents legal obstacles related to inspecting traffic passing to and from their websites for cloud storage services. However, regularly reviewing access logs of company-related cloud storage services can help identify suspicious activity, including interactions with known malicious infrastructures.
References
2https://info.zscaler.com/resources-industry-reports-state-of-encrypted-attacks
6https://exchange.xforce.ibmcloud.com/collection/0d3be87e8d054b0f161998d6503a68dc
7https://www.phishtank.com/target_search.php
9https://www.bbc.com/news/technology-37232635
10https://www.vice.com/en/article/78kevq/dropbox-forces-password-resets-after-user-credentials-exposed
11https://www.cvedetails.com/vulnerability-list/vendor_id-11159/Dropbox.html
12https://www.bleepingcomputer.com/news/security/dropbox-zero-day-vulnerability-gets-temporary-fix/