Seriously Risky Business Newsletter
September 11, 2025
Exploiting Authorisation Sprawl Is the New Black
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Trail of Bits.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The Salesloft Drift breach is a great example of the sprawling impact that a breach of a single service provider can have. Given that modern business models routinely involve software-as-a-service, these kinds of single-compromise-large-blast-radius attacks will become the new norm.
Salesloft's Drift application is an AI chatbot used by companies to convert website visitors into sales leads. Because it is typically integrated into Salesforce, its recent compromise has resulted in the theft of a large volume of Salesforce data from potentially hundreds of organisations. That stolen data also includes authentication tokens for various other services.
The breach began with the compromise of Salesloft's GitHub account in March. Over three months the threat actor conducted reconnaissance and downloaded content from multiple repositories. The actor, which Google is tracking as UNC6395, then moved to Drift's AWS environment and stole OAuth tokens for Drift's customers.
Google's Threat Intelligence Group said that after obtaining these tokens:
The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.
One of the victim organisations, Cloudflare, said the threat actor "dedicated hours to conduct comprehensive reconnaissance of Cloudflare's Salesforce tenant". Its report into the incident says:
The threat actor completed their reconnaissance with additional queries to understand how our customer support system operates—including how team members handle different types of cases, how cases are assigned and escalated, and how our support processes work—and then queried the /limits/ endpoint to learn the API's operational thresholds. The queries run by GRUB1 [Cloudflare's name for the threat actor] provided them with insight into their level of access, the size of the case objects, and the precise API limits they needed to respect to avoid detection within our Salesforce environment.
After several days of scoping out the environment, the actor downloaded support case data from Cloudflare's Salesforce instance in around three minutes. This data included customer contact details, subject lines and also freeform text. While it did not include attachments or files, Cloudflare found that 104 of its API tokens had been typed or copied into the text fields. So we expect that sensitive data including access tokens or secrets will also have been stolen from other victims.
Salesloft says it has evicted the attackers, hardened its environment and rotated credentials. However, all of its customers should do the same: identify the access tokens that were reachable through the Drift integration, rotate them, and search for evidence of attackers having used them. A large number of organisations have already confirmed they were affected by the breach.
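The attacker's post-exfiltration step was a grep for credentials, so the defender's sweep should be the same grep run over whatever was exposed. The script below is an added example (not Salesloft's, Google's or Cloudflare's tooling) that triages an export of support-case text and lists what needs rotating. The case records are constructed; only the AWS access key ID format (`AKIA` plus 16 characters) is a documented pattern, the bearer-token, password and entropy heuristics are choices made for this example.

```python
"""Triage an export of support-case text for embedded secrets.

Added example, not vendor tooling. Sample cases are constructed and the
secrets in them are fake. Only the AKIA pattern is a documented format;
the other patterns are heuristics for this example.
"""
import math
import re
from collections import Counter

# Constructed sample export: (case id, free-text body).
SAMPLE_CASES = [
    ("00012345", "API calls fail with key AKIAIOSFODNN7EXAMPLE and secret "
                 "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, please advise"),
    ("00012346", "Please reset my dashboard layout, thanks."),
    ("00012347", "curl -H 'Authorization: Bearer 8Z3kPq0vLmNxR2tYw5cJd7HbF1gVaE9sQ4uKoT6iXyB' "
                 "https://api.example.com/v4/zones returns 403"),
    ("00012348", "password: Summer2025! still not working after reset"),
]

# Known-shape patterns. Group 1, when present, is the secret value itself.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd|phrase)?\s*[:=]\s*(\S+)"),
}

# Fallback for opaque tokens with no fixed prefix (AWS secret keys, Snowflake
# or other SaaS tokens): a long run of token-ish characters with high entropy.
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9_\-/+=]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; English prose sits well below this


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text):
    """Return [(kind, value)] for every secret-looking substring in text."""
    findings, spans = [], []
    for kind, pattern in SPECIFIC_PATTERNS.items():
        for m in pattern.finditer(text):
            g = 1 if m.lastindex else 0
            findings.append((kind, m.group(g)))
            spans.append(m.span(g))
    for m in GENERIC_TOKEN.finditer(text):
        start, end = m.span()
        # Skip anything a specific pattern already reported.
        if any(start < e and s < end for s, e in spans):
            continue
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_string", m.group()))
    return findings


def scan_cases(cases):
    """Map case id -> findings, omitting cases with nothing to rotate."""
    return {cid: f for cid, text in cases if (f := find_secrets(text))}


def summarize(results):
    """Count findings per kind to size the rotation effort."""
    return Counter(kind for f in results.values() for kind, _ in f)


if __name__ == "__main__":
    hits = scan_cases(SAMPLE_CASES)
    for cid, found in hits.items():
        for kind, value in found:
            print(f"case {cid}: {kind} -> {value[:6]}... (rotate)")
    print(dict(summarize(hits)))
```

A hit here is a reason to rotate, not proof the attacker used the credential; pair the list with a search of the issuing service's logs for use of each token after the export window.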
This type of authorisation sprawl attack, where attackers use stolen access tokens to steal even more access tokens, is becoming the TTP du jour. Fun times ahead!
Apple Launches Memory Integrity Enforcement
This week Apple announced Memory Integrity Enforcement (MIE), which it believes is "the most significant upgrade to memory safety in the history of consumer operating systems".
We took a look at memory safety vulnerabilities last year, but as a quick refresher they are a class of vulnerabilities that stem from how computers read, write and manage memory. They have a long history, but despite various hardware and operating system mitigations they are still quite commonly exploited. The US and other allied governments have actively promoted memory safety efforts.
Apple says that MIE "will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products."
Unlike many vendors, Apple makes the hardware and the software for its devices in-house, and claims it dedicated "an extraordinary amount of Apple silicon resources to security" in the latest updates to its chips. Apple claims the hardware and software changes it's made have been able to improve memory safety without imposing a prohibitive performance cost.
The work sounds like a real journey. The company's offensive research team spent five years attacking the system as it was being developed. This started with initial theoretical attacks and then evolved to practical attacks in simulated environments and finally to real attacks on prototype hardware. Apple says this prolonged engagement "allowed us to identify and eradicate entire attack strategies and techniques before attackers could ever discover them".
This work will serve to mitigate attacks that affect the vanishingly small proportion of Apple's customer set that is targeted by mercenary spyware. Indeed, in the blog post announcing MIE, Apple noted that there has never been a widespread malware campaign that was able to compromise the company's iOS devices. Any way you slice or dice it, this is above and beyond.
Apple's MIE legitimately advances the science of security engineering, and other technology companies will undoubtedly learn from it. All in all, it's terrific work.
Three Reasons to Be Cheerful This Week:
- Mandatory MFA for Azure admins: Microsoft has announced that mandatory MFA will be rolled out for Azure admins starting from October.
- Qantas cuts executive bonuses over breach: Australian airline Qantas has cut executive bonuses by 15% in the wake of a breach in June. The company's annual report says the decision was taken to demonstrate a commitment to "creating a culture of accountability and ownership".
- US sanctions scam centres: The Treasury Department has sanctioned multiple entities associated with scam compounds across Myanmar and Cambodia. The Treasury's action targets Shwe Kokko, a major scam hub in Myanmar on the Thai border, and several companies associated with Cambodian scam centres.
Sponsor Section
In this Risky Business sponsor interview, Casey Ellis chats with Keith Hoodlet from Trail of Bits. Keith is Trail of Bits’ director of engineering for AI, machine learning and application security and he joined Casey to talk about why prompt injection attack techniques that target AI are an unsolvable problem.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about the trend toward outrageously complicated exploits and what it means for hacking and cyber espionage.
Or watch it on YouTube!
From Risky Bulletin :
US charges major ransomware figure: The US Department of Justice unsealed charges on Tuesday against a major figure in the ransomware underground, a Ukrainian national who was involved in or managed at least seven ransomware platforms.
The charging documents identify Volodymyr Viktorovich Tymoshchuk as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations.
From his role, he coordinated or was involved in the hacks and extortions of more than 250 US organizations, and hundreds more around the world.
[ more on Risky Bulletin ]
APT report? No, just a phishing test! Kazakhstan's state-owned oil and gas company KazMunayGas has dismissed a report about a new cyber-espionage group targeting its employees as a planned phishing test.
Published by Indian security firm Seqrite, the report claimed that a new suspected Russian APT group named NoisyBear was targeting Kazakhstan's oil and gas sector.
But in a statement to local media on Friday, the company said the screenshots were from a planned phishing training test the company's SOC ran back in May.
[ more on Risky Bulletin ]
Chrome 140 comes with new hardened cookies: Google has released version 140 of its Chrome browser this week, with support for a new security feature designed to protect server-set cookies from client-side tampering.
The new feature is a cookie prefix: a reserved string at the start of a cookie's name that obliges the browser to reject the cookie unless it carries the attributes the prefix demands.
Cookie prefixes are different from cookie headers and, in the words of security firm ERNW, are a lesser-known browser security feature that is rarely used by web developers.
[ more on Risky Bulletin ]
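To make the prefix mechanism concrete, here is an added example (not Chrome's or ERNW's code) that checks a Set-Cookie header the way a prefix-aware browser would before storing the cookie. The `__Secure-` and `__Host-` rules follow RFC 6265bis; `__Http-` and `__HostHttp-` are included on the assumption that these are the HttpOnly-enforcing prefixes Chrome 140 added, which the item above does not name. The sample headers are constructed.

```python
"""Check Set-Cookie headers against cookie-prefix rules.

Added example, not browser code. __Secure- / __Host- follow RFC 6265bis.
__Http- / __HostHttp- are an assumption about the Chrome 140 addition.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def prefix_violations(header, secure_origin=True):
    """Return the reasons a prefix-aware browser would reject this cookie.

    secure_origin says whether the response arrived over HTTPS; the header
    alone cannot tell, so the caller supplies it. An empty list means accept.
    """
    name, _, attrs = parse_set_cookie(header)
    problems = []

    def need_secure():
        if "secure" not in attrs:
            problems.append("missing Secure attribute")
        if not secure_origin:
            problems.append("set from a non-secure origin")

    def need_host_scope():
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly '/'")

    def need_httponly():
        if "httponly" not in attrs:
            problems.append("missing HttpOnly attribute")

    # Matching is case-sensitive, as the RFC text phrases it.
    if name.startswith("__HostHttp-"):   # assumed Chrome 140 prefix
        need_secure(); need_host_scope(); need_httponly()
    elif name.startswith("__Host-"):
        need_secure(); need_host_scope()
    elif name.startswith("__Http-"):     # assumed Chrome 140 prefix
        need_secure(); need_httponly()
    elif name.startswith("__Secure-"):
        need_secure()
    return problems


def browser_accepts(header, secure_origin=True):
    return not prefix_violations(header, secure_origin)


if __name__ == "__main__":
    # Constructed scenario: the real server sets the cookie correctly...
    good = "__Host-session=abc123; Secure; Path=/; HttpOnly"
    # ...and an attacker on an insecure sibling host tries to overwrite it.
    evil = "__Host-session=evil; Domain=example.com; Path=/"
    print("server cookie accepted:", browser_accepts(good))
    print("tampered cookie rejected for:", prefix_violations(evil, secure_origin=False))
```

The `__Host-` rules are what stop a cookie-tossing attack: without the prefix, a subdomain or a plain-HTTP origin can plant a same-name cookie that shadows the real one; with it, the browser refuses anything that is not Secure, host-only and site-wide. Script writes via `document.cookie` can never add HttpOnly, so a prefix that demands HttpOnly likewise rejects any client-side attempt to set that cookie.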