Weekly Digest Week 18 – 2024

Publication date: 03.05.2024

CISA says GitLab account takeover bug is actively exploited in attacks

CISA recently warned that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets.


GitLab hosts sensitive data, including proprietary code and API keys, and account hijacking can have a significant impact. Successful exploitation can also lead to supply chain attacks that can compromise repositories by inserting malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments.


Tracked as CVE-2023-7028, the flaw stems from an improper access control weakness: a remote, unauthenticated threat actor can have the password reset email for a targeted account delivered to an email address under their control, then use it to change the password and hijack the account without any user interaction.

Analysis from our SOC team
Given the critical nature of the data hosted on GitLab, such an account hijacking can have far-reaching impacts. It can lead to supply chain attacks, compromising repositories by inserting malicious code in CI/CD environments.

Organisations hosting sensitive data on GitLab must urgently apply patches to mitigate the risk of account takeover. Also, attackers can’t exploit this vulnerability if two-factor authentication is enabled. Make sure to enable this security measure whenever possible.


HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems.

Of the 10 security defects, four are rated critical in severity (CVSS v3.1: 9.8) and relate to unauthenticated buffer overflow vulnerabilities.

Analysis from our SOC team
Ensure that the latest patches are applied to all affected systems and consider upgrading end-of-life (EoL) systems to supported versions. It is also advisable to keep an eye on system logs and investigate any suspicious or unusual activity immediately.

Our SOC is also available to assist in case there are any doubts or suspicions about potential compromise.

Cloud storage giant Dropbox has disclosed a significant breach in its systems, exposing customers’ data to unauthorized entities. The incident, detailed in a new regulatory filing, primarily affected Dropbox Sign, a service akin to DocuSign, allowing users to manage documents online.

The investigation revealed that the attackers accessed various user data, including emails, usernames, phone numbers, hashed passwords and authentication information like API keys and OAuth tokens.

Additionally, as reported in a blog post published by Dropbox, even individuals who interacted with Dropbox Sign without creating an account had their information compromised.

In response, Dropbox has taken measures such as resetting passwords, logging out users from connected devices, and rotating API keys and OAuth tokens.

Analysis from our SOC team
The kind of information accessed by the attackers can be used for a variety of malicious activities, including identity theft and phishing attacks.

Even individuals who interacted with Dropbox Sign without creating an account had their information compromised. This means that the impact of the breach extends beyond just the registered users of Dropbox.

The threat actor also accessed multifactor authentication (MFA) details, so it is highly recommended that you reset these. Make sure you also change passwords for other online services where your Sign service password may be reused.

From April 19 through April 26, Okta’s researchers observed an increase in credential-stuffing attacks against Okta accounts. Moussa Diallo and Brett Winterford, researchers at Okta Security, note that all recent attacks share a common denominator: The requests are made largely through an anonymizing device such as Tor.

In addition to this, the researchers found that millions of requests were routed through various residential proxies such as NSOCKS, Luminati, and DataImpulse. These residential proxies are “networks of legitimate user devices that route traffic on behalf of a paid subscriber.”

Okta has released a capability into the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) that blocks requests from anonymizing services. This feature can be turned on in the settings of the Okta Admin Console. 

Analysis from our SOC team
These attacks are largely made through anonymizing devices such as Tor and routed through various residential proxies. These proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber, making it challenging to trace the origin of the attacks.

Common defence-in-depth measures such as implementing MFA can significantly reduce the risk of account hijacking. It is also recommended to keep an eye on account activity: any unusual account activity, such as a user logging in at an unusual time, from an unusual location or from an unusual source IP address, should be investigated immediately.

Our SOC is also available to assist in case there are any doubts or suspicions about potential compromise.
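The account-activity monitoring recommended above can be turned into a simple check over Okta System Log events. The following is an added example written for this digest, not Okta's or Approach's code; it assumes the System Log fields eventType, outcome.result, actor.alternateId, client.ipAddress and securityContext.isProxy, and the events it processes are constructed sample data, not a real capture.

```python
"""Flag credential-stuffing patterns in Okta-style System Log events.

Added example, not Okta's or Approach's code. The event shape follows the
Okta System Log fields eventType, outcome.result, actor.alternateId,
client.ipAddress and securityContext.isProxy (assumed here); the events
below are constructed sample data, not a real capture.
"""
from collections import defaultdict

# Constructed sample events: one legitimate success, then a burst of
# failed password logins for 15 different users from three proxy-flagged
# addresses, the shape credential stuffing through residential proxies takes.
EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "securityContext": {"isProxy": False}},
] + [
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": f"user{i}@example.com"},
     "client": {"ipAddress": f"198.51.100.{i % 3}"},
     "securityContext": {"isProxy": True}}
    for i in range(15)
]

def stuffing_sources(events, min_users=5):
    """Return {ip: number of distinct accounts} for source IPs whose failed
    logins span at least `min_users` different accounts. Many accounts tried
    from one address is the credential-stuffing signature, as opposed to
    brute force, which hammers a single account."""
    failed = defaultdict(set)
    for e in events:
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE":
            failed[e["client"]["ipAddress"]].add(e["actor"]["alternateId"])
    return {ip: len(users) for ip, users in failed.items() if len(users) >= min_users}

def proxy_share(events):
    """Fraction of failed logins Okta tagged as arriving through a proxy; a
    high share matches the anonymizer/residential-proxy pattern described
    by Okta and supports enabling the anonymizer-blocking setting."""
    fails = [e for e in events if e["outcome"]["result"] == "FAILURE"]
    if not fails:
        return 0.0
    return sum(1 for e in fails if e["securityContext"]["isProxy"]) / len(fails)

if __name__ == "__main__":
    print(stuffing_sources(EVENTS))  # each of the three proxy IPs tried 5 accounts
    print(proxy_share(EVENTS))       # 1.0: every failure came through a proxy
```

In production the events would come from the System Log API in a time window rather than from a list, and the thresholds tuned to the tenant's normal failure rate.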
