As leaders often see in the cybersecurity industry, various attack vectors, techniques and tactics come and go. However, identity-related attacks seem to be staying more than leaving.
Even Gartner has pointed to credential misuse as a primary attack point. Seven high profile attacks have taken place in just the last 10 months leveraging this new threat vector where the attacker abuses improperly secure non-human identities like API keys, OAuth tokens and service accounts to penetrate an organization’s core systems, steal sensitive data, cause disruption and disappear without anyone noticing. Taking a closer look at these recent attacks, three types of threats have presented themselves, validating why organizations need to secure non-human identities sooner than later.
1. Supply chain attacks
The first type of threat is a supply chain attack where hackers steal an access token from a third-party app vendor and use that token to penetrate an organization. Contrary to the infamous SolarWinds breach, where hackers penetrated through third-party code, in this new generation of supply chain attacks, hackers abuse connections of third-party apps to engineering core systems (like GitHub) via API keys, OAuth tokens and other secrets provided to third-parties — as seen in these recent attacks:
- GitHub: In April 2022, hackers stole OAuth tokens issued to two popular apps — Heroku and Travis-CI — which allowed them to download data from dozens of GitHub repositories that were connected to these apps.
- Mailchimp: In April 2022, threat actors accessed internal API keys used by customer-facing teams, leading to hundreds of compromised Mailchimp credentials and accounts.
- CircleCI: In January 2023, a CircleCI engineering employee’s computer was compromised by malware that bypassed their antivirus solution. This allowed the threat actors to access and steal session tokens, giving them the same access as the account owner, even when the accounts were protected with two factor authentication.
2. OAuth phishing
In today’s society, people are so used to checking the box when a security alert or “terms and conditions” request pops up. In lieu of reading the full disclosure, many employees just click next or yes. It’s that consent fatigue which fuels the second type of threat cybersecurity leaders continue to see: OAuth phishing. Next-gen phishing to be exact, which is when someone impersonates an app and an employee you to click on something. For instance:
- Microsoft OAuth Phishing Attack: In September 2022, hackers deployed malicious OAuth applications on compromised cloud tenants. These apps were then used to control Exchange Online settings and spread spam.
- Microsoft OAuth: Microsoft was hit again in December 2022 when threat actors posed as legitimate companies to enroll in the Microsoft Cloud Partner Program (MCPP.) Once successfully verified, they registered verified OAuth apps in Azure AD for consent phishing attacks targeting corporate users in the U.K. and Ireland.
3. Company access token attacks
The third and final type of threat that we are seeing more and more of is internal, where hackers use company access tokens to move laterally within the organization to gain access to outside repositories — as seen in these two examples here:
- GitHub Personal Access Token: On December 6, 2022, repositories from GitHub’s Desktop and Atom, and other deprecated GitHub-owned organizations, were cloned by a compromised Personal Access Token (PAT) associated with a machine account. The malicious actor then used the PAT to read these repositories, which contained sensitive information.
- Slack GitHub Repositories: In January 2023, Slack discovered that a “limited” number of stolen employee tokens allowed threat actors to gain access to Slack’s externally hosted GitHub repositories, giving them the ability to download private code repositories.
To combat these threats, companies need to extend their access management, threat detection and incident response to non-human identities. Data shows that the number of non-human entities outnumbers human identities by a factor of 45. This statistic alone proves that businesses need to prioritize and obtain full visibility to all of their non-human identities — API keys, OAuth tokens, service accounts and secrets generated whenever a connection is made between apps. The major difference is that a human identity is often protected by multiple layers of security like single sign-on (SSO), multi-factor authentication (MFA), and cloud access security brokers (CASB). On the contrary, non-human entities have little to no protection, resulting in much higher consequences if stolen.
Regardless of the threat that is posed, it's clear from the spike in these attacks that they are only increasing. Even the most trusted vendors like GitHub, Microsoft and Slack are being attacked. Now is the time to secure non-human identities — access tokens, integrations and authentication tools.