Cyber Incident Weekly Report - Week of April 29, 2024
Dropbox Confirms Data Breach
WHAT HAPPENED: On Wednesday, May 1st, 2024, Dropbox Sign confirmed that threat actors gained access to the Sign production environment, leading to the exposure of customer information, including email addresses, usernames, phone numbers, hashed passwords, authentication data, and data on general account settings. There is currently no indication that payment information was exposed.
CONCERNING: Dropbox, Data Breach.
SENSCY'S ANALYSIS: While the investigation into the incident is ongoing, Dropbox shared some initial mitigation steps to reduce the breach's impact. The Dropbox security team reset users' passwords and logged all users out of any devices connected to Dropbox Sign. In addition, they are coordinating the rotation of all API keys and OAuth tokens for the service. Users are asked to reset their passwords the next time they log into the service, choosing new, never-used, complex passwords. If you are using the API, you will need to rotate your API keys by generating a new one; follow this link for instructions. Customers using an authenticator app for Dropbox Multi-Factor Authentication should reset it by first deleting their existing entry and only then proceeding with the reset, the company said. Those who use SMS for MFA don't need to take action. Based on the data accessed by the threat actors, it is highly likely that additional cyber attacks, including phishing, identity theft, and fraud, will target Dropbox Sign customers. While Dropbox announced they would be reaching out to impacted customers, SensCy recommends taking the mitigation steps as soon as possible. To check if your email address was leaked in this data breach, use the haveibeenpwned
Coffee County, GA, Confirms Cyber Attack
WHAT HAPPENED: The secretary of state’s office confirmed this week that Coffee County suffered a cyber attack, forcing the county to shut down its access to Georgia’s statewide voter registration system as a precautionary measure. The Cybersecurity and Infrastructure Security Agency (CISA) notified the county of “unusual cyber-activity” on April 15, 2024. While the investigation is ongoing, the county announced that there is no evidence “of exfiltration of data/files, but did indicate cyber-activity by an unknown malicious actor.”
CONCERNING: Coffee County, Georgia, Cyber Attack.
SENSCY'S ANALYSIS: Georgia is familiar with counties being targeted by cyber-attacks. SensCy recently reported on the attack on Fulton County, which was hit by a ransomware attack believed to have been carried out by the Russian-affiliated ransomware group LockBit. While there are no indicators that the two events are linked, threat actors may try to conduct attacks sequentially. Additionally, U.S. counties are usually targeted by actors with political or ideological motives. Whether the actors are state-sponsored or independent, they will seek to disrupt government operations, influence elections, or undermine confidence in democratic institutions. Both Fulton and Coffee counties have a history of cyber incidents related to political elections, notably in Coffee County, where former President Trump's allies allegedly unlawfully obtained voting machine software. This history is likely to be the reason why the incident prompted state election officials to shut down access to the Georgia voter registration systems. With the upcoming presidential elections, threat actors will likely increase their efforts to target local governments, notably counties, to impact elections on both local and national levels.
Cleveland Catholic Diocese Confirms Data Breach
WHAT HAPPENED: The Cleveland Catholic Diocese confirmed on its website that it suffered a data breach after an unauthorized individual accessed an employee’s email account between December 14, 2023, and January 12, 2024. After an investigation concluded on March 14, it was determined that the individual accessed information containing employees’ personal information; however, the breach did not impact the general public.
CONCERNING: Cleveland Catholic Diocese, Data Breach, Places of worship.
SENSCY'S ANALYSIS: While it might seem counterintuitive for threat actors to target a place of worship like the Cleveland Catholic Diocese, they view them as valuable targets due to their financial resources. Dioceses often handle donations, financial transactions, and sensitive financial information. Dioceses also store a significant amount of personal and sensitive information about their employees and their members, and this information can be exploited for identity theft, blackmail, and fraud. The incident at the Cleveland Catholic Diocese indicates that the threat actors accessed the sensitive data by compromising an employee email account. This is the most common vector used by threat actors to gain access to a victim’s systems. Awareness training and educating staff and clergy about cybersecurity best practices are crucial. Training programs should cover topics such as recognizing phishing attempts, creating strong passwords, and handling sensitive information securely. Additionally, staff should be aware of the importance of keeping software and systems up to date to avoid the potential exploitation of a known vulnerability. Finally, developing a comprehensive incident response plan dedicated to cyber incidents enables a quick and effective response during a breach.
10 months: This goes to show that threat actors LOVE small fish!