Category: Vulnerability Intelligence
Sub-Category: Exposed End-point Credentials
Industry: Multiple
Region: Global
Executive Summary
Threat:
- Increase in dark web chatter on exploiting CRMs to gain access to organizations’ critical infrastructure.
- Exposure of CRM end-point secrets and credentials on public code repositories.
Impact:
- Initial access to organizations’ critical infrastructure, enabling ransomware deployment and data exfiltration.
- Access to individuals’ and CXOs’ PII and credentials.
- Loss of revenue and reputation.
Mitigation:
- Real-time scanning and takedowns of code repositories exposing CRM credentials.
- Monitoring of underground intelligence on threat actor tactics targeting CRM solutions such as Zoho, HubSpot, and Salesforce.
CloudSEK’s contextual AI digital risk platform XVigil has identified:
- An increase in dark web discussions among threat actors regarding CRM exploitation tactics
- Widespread exposure of CRM credentials across code repositories such as GitHub and Bitbucket
Taken together, these pose a significant threat to organizations that use CRM (Customer Relationship Management) solutions such as Salesforce, Zoho, HubSpot, etc.
Analysis
CRM Credentials Exposed on GitHub
XVigil’s Cyber Threat Monitor has identified several code repositories disclosing sensitive information, including CRM secrets and credentials.
Figure: Code repositories exposing CRM credentials, identified by XVigil’s Cyber Threat Monitor
The following example is a code repository containing a Salesforce DX guide for an organization’s development team. Alongside the guide, the repository discloses sensitive information, including an employee’s Salesforce credentials.
Figure: Salesforce DX Guide for the Development Team
This repository was exposing, in plaintext, the employee’s:
- Salesforce username
- Salesforce password
- Consumer ID
- Consumer Secret
Figure: Code repository file exposing plaintext credentials and secrets
Increase in Dark Web Discussions Regarding CRM Exploitation
XVigil has identified an increase in discussions of CRMs on cybercrime forums. Key examples:
- Threat actors discussing CVE-2021-44077, an unauthenticated remote code execution vulnerability in Zoho ManageEngine ServiceDesk Plus.
Figure: Discussion around CVE-2021-44077 in Zoho ManageEngine
- A threat actor detailing how logs from CRMs such as Zoho, SugarCRM, HubSpot, and Salesforce can be leveraged to gain access to an organization’s critical infrastructure. Such CRM logs are sold on various underground markets.
Figure: Discussion on obtaining CRM logs from corporates
How Exposed CRM Secrets and Darkweb Discussion Enable Large-Scale Attacks
- Attackers routinely run manual and automated scanners against public code repositories such as GitHub to find leaked secrets and source code.
- They combine such credentials with the vulnerabilities, exploits, and CRM logs traded on cybercrime forums to gain access to the organization’s critical infrastructure.
- Once inside, these details let them move laterally across the organization, deploy ransomware, exfiltrate data, take over user accounts, and maintain persistence.
Impact & Mitigation
Over 2 million corporate secrets were detected on public GitHub repositories in 2020. Leaked secrets of this kind have been at the root of publicly reported incidents involving organizations such as Starbucks and the United Nations.
Impact:
- The leaked information could be used to gain initial access to the company’s infrastructure.
- Credentials leaked in plaintext enable direct account takeover, since no cracking step is required.
- Weak or reused passwords additionally expose other accounts to brute-force and credential-stuffing attacks.
- These details equip malicious actors with what they need to launch ransomware attacks, exfiltrate data, and maintain persistence.
Mitigation:
- Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
- Patch vulnerable and exploitable endpoints.
- Do not commit unencrypted secrets to git repositories; keep them in a secrets manager or environment variables and add local credential files to .gitignore.
- Treat any credential found in a public repository as compromised: rotate it and revoke the associated consumer secret, since deleting the file or rewriting history does not undo clones that were already taken.
- Do not share secrets unencrypted in messaging systems like Slack or WhatsApp.
- Monitor for anomalies in user accounts, which could indicate account takeovers.
- Scan repositories, including commit history, to identify exposed credentials and secrets.
- Monitor cybercrime forums for the latest tactics employed by threat actors.