NHI Attacks Making Waves: Insights on Latest 5 Incidents

Published 07/19/2024

Originally published by Astrix.


Non-human identity (NHI) attacks are making waves in the cybersecurity landscape, with five high-profile incidents reported in the past few weeks alone. To help you stay on top of this threat vector, our research team provides insights on the latest incidents in this short article. Let’s get started.


Incident 1: Snowflake data breach by UNC5537 (May 15, 2024)

Incident overview:

In one of the largest incidents in recent years, hundreds of Snowflake instances have been breached by a financially motivated threat actor identified as UNC5537. Approximately 165 organizations have been affected.

Details:

The breach primarily involved credentials obtained through infostealer malware on vulnerable servers or unprotected employee laptops. These credentials, often linked to service accounts without multi-factor authentication (MFA), were used to gain access to Snowflake instances and exfiltrate large amounts of data. The threat actor demanded ransom from breached organizations and, when unsuccessful, sold the data and credentials on dark web forums.

This breach is an important reminder that, in addition to user accounts, Snowflake environments are rich in service accounts. These accounts are not protected by MFA by default, which increases their vulnerability to exploits. This underscores the need to inventory them and to have runtime anomaly detection capabilities.

Astrix’s recommendations (in a nutshell):

  • Enable MFA for all users.
  • Convert service accounts to use key pair authentication or OAuth applications instead of static credentials.
  • Employ behavioral monitoring to detect suspicious activity.


Incident 2: New York Times source code theft (June 3, 2024)

Incident overview:

Attackers managed to steal the New York Times’ source code, hosted on GitHub, by exploiting a stolen GitHub token. This token was over-privileged, granting access to all repositories within the organization.

Details:

The token had a long expiry period and was likely poorly managed, potentially leaked through common mishaps such as being included in public content, left on a compromised endpoint, or misused by an ex-employee. This incident echoes a similar case with Mercedes-Benz, where a single NHI led to the theft of entire source code repositories.

Astrix’s recommendations (in a nutshell):

  • Inventory all NHIs to ensure proper management.
  • Implement least-privileged access policies.
  • Maintain short expiry periods for tokens.
  • Monitor for unusual behavior to detect potential misuse.


Incident 3: HuggingFace spaces platform breach (June 8, 2024)

Incident overview:

HuggingFace, a platform offering machine-learning-as-a-service for building AI-powered applications, recently reported that an unauthorized party accessed its servers, stealing tokens and API keys from its Spaces platform.

Details:

The Spaces platform allows the creation of machine learning-powered applications and demos, requiring the use of secrets such as tokens and API keys. During the attack, these secrets were accessed by the unauthorized party. HuggingFace has urged customers to rotate all secrets stored in Spaces. The stolen tokens include HuggingFace’s own API tokens and other secrets necessary for AI application lifecycles, such as deploy keys and cloud credentials, which need to be rotated manually.

Astrix’s recommendations (in a nutshell):

  • Rotate all secrets that were stored in HuggingFace Spaces.
  • Switch to the new HuggingFace fine-grained tokens.
  • Ensure any other secrets used in the AI application lifecycle are updated across the application infrastructure stack.


Incident 4: JetBrains GitHub plugin vulnerability (June 10, 2024)

Incident overview:

JetBrains recently disclosed a vulnerability in their GitHub Plugin, which is embedded in all JetBrains IntelliJ IDEs. This plugin facilitates seamless code management by allowing developers to pull and push code directly from the IDE using non-human identities (NHIs) such as OAuth apps or personal access tokens (PATs).

Details:

The vulnerability potentially allows third-party sites to access the NHI credentials granted to the plugin, enabling malicious actors to steal these credentials and gain unauthorized access to developers’ GitHub repositories. JetBrains has urged customers to revoke the plugin’s access by deleting associated PATs and revoking the OAuth app tokens.

Astrix’s recommendations (in a nutshell):

  • Identify affected integrations by filtering for the User Agent associated with the plugin: IntelliJ IDEA GitHub Plugin.
  • Exercise caution when deleting PATs, as they may be used across multiple integrations and workloads. Incorrect deletion could disrupt critical components.
  • Act quickly, as PATs linked to the JetBrains plugin often have high permissions to users’ GitHub repositories.
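
The user-agent filter and the caution about shared PATs can be combined in one pass over exported API activity. The following is an added example, not code from Astrix, JetBrains or GitHub; the log lines are constructed and the field names (`actor`, `user_agent`, `hashed_token`, `programmatic_access_type`) are assumptions modelled on a GitHub audit-log export.

```python
import json
from collections import defaultdict

PLUGIN_UA = "IntelliJ IDEA GitHub Plugin"  # user agent named in the article

# Constructed sample events, one JSON object per line. Field names are
# assumptions modelled on a GitHub audit-log export; map them to your schema.
SAMPLE_LOG = """
{"actor": "dev-alice", "user_agent": "IntelliJ IDEA GitHub Plugin", "programmatic_access_type": "Personal access token (classic)", "hashed_token": "tok-A", "repo": "acme/payments"}
{"actor": "dev-alice", "user_agent": "python-requests/2.31.0", "programmatic_access_type": "Personal access token (classic)", "hashed_token": "tok-A", "repo": "acme/deploy"}
{"actor": "dev-bob", "user_agent": "IntelliJ IDEA GitHub Plugin", "programmatic_access_type": "OAuth access token", "hashed_token": "tok-B", "repo": "acme/web"}
{"actor": "dev-carol", "user_agent": "curl/8.5.0", "programmatic_access_type": "Personal access token (classic)", "hashed_token": "tok-C", "repo": "acme/docs"}
this line is not JSON and is skipped
"""


def plugin_credentials(log_text, plugin_ua=PLUGIN_UA):
    """Return credentials seen with the plugin's user agent, and whether each
    one is also used by other clients (so revoking it would break them)."""
    agents = defaultdict(set)  # token -> every user agent seen with it
    owner = {}                 # token -> (actor, credential type)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(ev, dict) or not ev.get("hashed_token"):
            continue
        token = ev["hashed_token"]
        agents[token].add(ev.get("user_agent", ""))
        owner.setdefault(token, (ev.get("actor"), ev.get("programmatic_access_type")))

    report = []
    for token in sorted(agents):
        seen = agents[token]
        if not any(plugin_ua in ua for ua in seen):
            continue  # credential never used by the plugin
        others = sorted(ua for ua in seen if plugin_ua not in ua)
        actor, kind = owner[token]
        report.append({"token": token, "actor": actor, "type": kind,
                       "other_agents": others, "shared": bool(others)})
    return report


if __name__ == "__main__":
    for row in plugin_credentials(SAMPLE_LOG):
        print(row)
```

Credentials reported with `shared` set to true are the ones to replace in their other integrations before revoking.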


Incident 5: Gitloker malicious OAuth apps (June 10, 2024)

Incident overview:

In a recent sophisticated attack, a threat actor known as Gitloker targeted GitHub users by exploiting malicious OAuth apps. This breach has affected numerous users, leading to significant data loss and ransom demands.

Details:

The attack involved tagging users in GitHub issues, which triggered legitimate-looking emails from [email protected]. These emails contained fake security alerts or job offers, directing users to an attacker-controlled website. On this site, users were prompted to authorize access to a GitHub OAuth app, falsely presented as an official GitHub app. Once approved, the attacker gained full access to the users’ repositories. Gitloker utilized this access to download and then wipe the repositories, holding the stolen code for ransom in an extortion campaign.

This attack highlights the evolving tactics of threat actors in exploiting OAuth apps. Once consent is given, attackers can bypass the need for active user involvement, maintaining persistent access and stealing data at will. The use of GitHub Issues to deliver malicious links and impersonate GitHub demonstrates their growing sophistication.

Astrix’s recommendations (in a nutshell):

  • Closely monitor OAuth app authorizations and implement protective measures such as requiring approval for new apps.
  • Educate users on the risks of consenting to unfamiliar apps.
  • Employ behavioral monitoring to detect suspicious activity.
  • Regularly review and update security protocols to address emerging threats.
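
One way to monitor for the sequence described in this incident (a new OAuth authorization followed by repositories being downloaded and then wiped) is to correlate events per user. This is an added example, not code from Astrix or GitHub; the events are constructed, the action names follow GitHub audit-log naming, the `oauth_app` field is a hypothetical name, and it assumes activity through an authorized app is logged under the consenting user.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. Action names follow
# GitHub audit-log naming; the "oauth_app" field is a hypothetical name.
SAMPLE_EVENTS = """
{"@timestamp": "2024-06-10T09:00:00Z", "actor": "dev-bob", "action": "oauth_authorization.create", "oauth_app": "example-alert-app"}
{"@timestamp": "2024-06-10T09:05:00Z", "actor": "dev-bob", "action": "git.clone", "repo": "dev-bob/api"}
{"@timestamp": "2024-06-10T09:06:00Z", "actor": "dev-bob", "action": "git.clone", "repo": "dev-bob/infra"}
{"@timestamp": "2024-06-10T09:10:00Z", "actor": "dev-bob", "action": "repo.destroy", "repo": "dev-bob/api"}
{"@timestamp": "2024-06-10T09:11:00Z", "actor": "dev-bob", "action": "repo.destroy", "repo": "dev-bob/infra"}
{"@timestamp": "2024-06-10T10:00:00Z", "actor": "dev-carol", "action": "oauth_authorization.create", "oauth_app": "ci-dashboard"}
{"@timestamp": "2024-06-10T10:20:00Z", "actor": "dev-carol", "action": "git.clone", "repo": "dev-carol/site"}
{"@timestamp": "2024-06-12T14:00:00Z", "actor": "dev-dan", "action": "repo.destroy", "repo": "dev-dan/old-fork"}
"""


def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def consent_then_wipe(log_text, window=timedelta(hours=24), min_repos=2):
    """Flag actors whose new OAuth grant is followed, inside `window`, by the
    same repositories being cloned and then deleted."""
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=_ts)
    alerts = []
    for grant in events:
        if grant["action"] != "oauth_authorization.create":
            continue
        cloned, wiped = set(), set()
        for ev in events:  # events are in time order
            if ev["actor"] != grant["actor"]:
                continue
            if not _ts(grant) <= _ts(ev) <= _ts(grant) + window:
                continue
            if ev["action"] == "git.clone":
                cloned.add(ev["repo"])
            elif ev["action"] == "repo.destroy" and ev["repo"] in cloned:
                wiped.add(ev["repo"])  # deleted after being cloned
        if len(wiped) >= min_repos:
            alerts.append({"actor": grant["actor"], "app": grant.get("oauth_app"),
                           "granted_at": grant["@timestamp"], "wiped": sorted(wiped)})
    return alerts
```

The `window` and `min_repos` thresholds are starting points to tune against normal repository housekeeping in your organization.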