Schedule a demo

Exposed CRM Credentials Enable Threat Actors to Access Organizations’ Critical Infrastructure

  • 2:59 am

Summary

We have identified an increase in dark web discussions among threat actors, regarding CRM exploitation tactics and exposure of CRM credentials across code repositories such as Github and Bitbucket
 
Category: Vulnerability Intelligence Sub-Category: Exposed End-point Credentials Industry: Multiple Region: Global

Executive Summary

THREAT IMPACT MITIGATION
  • Increase in dark web chatter on exploiting CRMs to access organizations’ critical infra.
  • Exposure of CRM end-point secrets and credentials on code repositories.
  • Initial access to organizations’ critical infrastructure enables ransomware deployment and data exfiltration.
  • Access to individuals’ and CXOs’ PII and credentials.
  • Loss of revenue and reputation.
  • Real-time scanning and takedowns of code repos exposing CRM credentials.
  • Monitor underground intel on threat actor tactics related to CRM solutions like Zoho, Hubspot, Salesforce etc.
CloudSEK’s contextual AI digital risk platform XVigil has identified:
  • An increase in dark web discussions among threat actors, regarding CRM exploitation tactics
  • Wide-spread exposure of CRM credentials across code repositories such as Github and Bitbucket
The above threats, in conjunction, pose a significant threat to organizations that use CRM (Customer Relationship Management) solutions such as Salesforce, Zoho, Hubspot, etc.

Analysis

CRM Credentials Exposed on Github

XVigil’s Cyber Threat Monitor has identified several code repositories disclosing sensitive information and CRM secrets and credentials.
Code repositories exposing CRM credentials, identified by XVigil’s Cyber Threat Monitor
Code repositories exposing CRM credentials, identified by XVigil’s Cyber Threat Monitor
  The following example illustrates the code repository of a Salesforce DX guide for an organization’s development team. This repository discloses sensitive information, including an employee’s Salesforce credentials.
Salesforce DX Guide for the Development Team
Salesforce DX Guide for the Development Team
  This repository was exposing, in plaintext, the employee’s:
  • Salesforce username
  • Salesforce password
  • Consumer ID
  • Consumer Secret
Code repo file exposing plain text credentials and secrets
Code repo file exposing plain text credentials and secrets
 

Increase in Darkweb Discussions Regarding CRM Exploitation

XVigil has identified an increase in discussions, on cybercrime forums, regarding CRMSs. Here are some key examples:
  • Threat actors discussing CVE-2021-44077, a vulnerability in Zoho ManageEngine CRM software.
Discussion around CVE-2021-44077 vulnerability in Zoho
Discussion around CVE-2021-44077 vulnerability in Zoho
 
  • A threat actor detailing how logs from CRMs like Zoho, Sugarcrm, Hubspot, and Salesforce can be leveraged to gain access to the critical infrastructure of an organization. CRM logs are sold on various underground markets.
Discussion on obtaining CRM logs from corporates
Discussion on obtaining CRM logs from corporates
 

How Exposed CRM Secrets and Darkweb Discussion Enable Large-Scale Attacks

  • Attackers regularly use manual and automated scanners to monitor public code repositories like GitHub for secrets and source code leaks.
  • Actors use the credentials, in conjunction with vulnerabilities, exploits, and CRM logs available on cybercrime forums, to gain access to the organization’s critical infrastructure.
  • These sensitive details also enable them to move laterally across the organization, deploy ransomware, exfiltrate data, take over user accounts, and maintain persistence.
 

Impact & Mitigation

Over 2 million corporate secrets were detected on public GitHub repositories in 2020. These leaked secrets were leveraged to carry out major attacks on Starbucks, Equifax, and the United Nations.
Impact Mitigation
  • The leaked information could be used to gain initial access to the company’s infrastructure.
  • If the leaked data is not encrypted, it could enable account takeovers.
  • Commonly used passwords or weak passwords could lead to brute force attacks.
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Patch vulnerable and exploitable endpoints.
  • Do not store unencrypted secrets in .git repositories.
  • Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Scan repositories to identify exposed credentials and secrets.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

References

Table of Contents

Try Digital Risk Protection Platform

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now