Cross-Platform Account Takeover: 4 Real-World Scenarios
Published 11/25/2024
Originally published by Abnormal Security.
Account takeover (ATO) is a well-known attack method that has been documented for years. A less common variant occurs when an ATO is used as the initial attack vector to gain access to another account; this is known as cross-platform ATO. In this article, we showcase four scenarios in which cross-platform ATOs occur, taken from discussions on cybercrime forums and networks.
1. Compromised Email Credentials
Email accounts often contain (or can provide) a trove of sensitive information, such as password reset links, two-factor authentication codes, and financial records. If an attacker gains access to your email, they can impersonate you, reset passwords on your other online accounts, and intercept security notifications—enabling them to compromise nearly any other account you own.
On a cybercrime forum, a user demonstrated how they gained access to an email account through a business email compromise (BEC) attack, which typically involves social engineering tactics like phishing or spear-phishing. They later discovered that the account was connected to a bank account that had received over $61 million to date. This is a prime example of cross-platform ATO.
By compromising the email account, they were able to access the connected bank account. We can assume that anyone buying this access would then use it to infiltrate the bank and steal the money—likely using the email account to reset the password and/or as a way to intercept MFA codes. Implementing stronger security measures that can immediately detect compromised email accounts, in addition to using hardware security keys and time-based one-time passwords, can significantly reduce cross-platform ATOs that originate from email.
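The mailbox-side signals of the pivot described above (a flood of password-reset and one-time-code messages from several services, and a newly created rule that deletes or forwards them) can be checked with a small detector. The following is an added example, not code from the original article or from Abnormal Security; the event format, the organization domain `corp.example` and the sample events are all constructed here.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Domains belonging to the hypothetical organization (constructed).
ORG_DOMAINS = {"corp.example"}

# Subjects that look like password-reset or one-time-code notifications.
SECURITY_SUBJECT = re.compile(
    r"(?i)(password reset|reset your password|verification code|one[- ]time (code|passcode)|security alert)"
)
# Words in a rule condition that show it is aimed at security mail.
SECURITY_KEYWORD = re.compile(r"(?i)(password|verification|code|security)")
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3  # distinct services sending reset/code mail inside the window


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def suspicious_rule(rule: Dict) -> bool:
    """A rule is suspicious when it matches security mail and then deletes it
    or forwards it to an address outside the organization."""
    targets_security_mail = any(SECURITY_KEYWORD.search(c) for c in rule.get("conditions", []))
    hides_or_diverts = False
    for action in rule.get("actions", []):
        if action == "delete":
            hides_or_diverts = True
        elif action.startswith("forward:") and sender_domain(action[len("forward:"):]) not in ORG_DOMAINS:
            hides_or_diverts = True
    return targets_security_mail and hides_or_diverts


def analyse_mailbox(events: List[Dict]) -> Dict:
    """Return the indicators found in a mailbox event stream and an overall verdict."""
    indicators = []
    events = sorted(events, key=lambda e: e["time"])
    for ev in events:
        if ev["type"] == "rule_created" and suspicious_rule(ev["rule"]):
            indicators.append({"indicator": "rule_hides_security_mail",
                               "rule": ev["rule"]["name"], "time": ev["time"]})
    # Burst of reset / code mail from several distinct services in a short window.
    resets = [e for e in events if e["type"] == "message" and SECURITY_SUBJECT.search(e["subject"])]
    for i, first in enumerate(resets):
        t0 = parse_time(first["time"])
        domains = {sender_domain(e["from"]) for e in resets[i:]
                   if parse_time(e["time"]) - t0 <= BURST_WINDOW}
        if len(domains) >= BURST_THRESHOLD:
            indicators.append({"indicator": "reset_burst", "services": sorted(domains), "time": first["time"]})
            break
    return {"indicators": indicators, "likely_takeover": len(indicators) >= 2}


# Constructed sample: a hiding rule is created, then reset mail arrives from three services.
SAMPLE_EVENTS = [
    {"time": "2024-11-25T08:55:00Z", "type": "rule_created",
     "rule": {"name": "cleanup",
              "conditions": ["subject contains 'password'", "subject contains 'verification code'"],
              "actions": ["forward:ext-relay@mail.example.net", "delete"]}},
    {"time": "2024-11-25T08:57:10Z", "type": "message", "from": "no-reply@bank.example",
     "subject": "Your password reset link"},
    {"time": "2024-11-25T08:58:30Z", "type": "message", "from": "security@cloud.example",
     "subject": "Your verification code is 482193"},
    {"time": "2024-11-25T09:01:05Z", "type": "message", "from": "noreply@git.example",
     "subject": "Reset your password"},
    {"time": "2024-11-25T09:03:00Z", "type": "message", "from": "newsletter@shop.example",
     "subject": "Weekly deals"},
]

if __name__ == "__main__":
    print(analyse_mailbox(SAMPLE_EVENTS))
```

Either indicator alone is worth a look; the two together within minutes are the pattern the article describes, which is why the verdict requires both.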
2. Hijacked GitHub Accounts
GitHub is an increasingly attractive target for attackers because it often contains business-sensitive information, like private corporate repositories, API keys, and insights into your overall technology stack.
In the listing shown below, an attacker offered to sell access to GitHub accounts and their associated API keys, claiming that cloud infrastructure was within reach. Anyone purchasing access to such a GitHub account has a high likelihood of finding secrets, API keys, or even SSH keys in its repositories that could be used to compromise the organization's infrastructure.
From GitHub, the attacker can pivot in several ways to perform a cross-platform ATO. They can access private code repositories to exfiltrate intellectual property and sensitive data, which may include credentials for other accounts or services. Alternatively, they could launch further attacks by modifying source code, potentially affecting downstream applications or services that rely on the compromised GitHub repository.
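The cheapest defence against the pivot described above is to make sure the repository never contains the secrets in the first place. The following is an added example of a pre-commit style secret scanner, not code from the original article or from any named product; the patterns cover common key shapes (AWS access key ID prefixes, GitHub token prefixes, PEM private-key headers and generic `api_key = "..."` assignments) and the sample files are constructed here.

```python
import re
from typing import Dict, List

# Patterns for common secret shapes. Assumed typical formats, not an exhaustive list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}
# Values that are clearly placeholders; skipped to keep the generic rule quiet.
PLACEHOLDER = re.compile(r"(?i)(changeme|example|placeholder|your[_-]?|xxx+|<[^>]*>)")


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(path: str, text: str) -> List[Dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_assignment" and PLACEHOLDER.search(value):
                continue
            findings.append({"path": path, "line": lineno, "kind": kind, "redacted": redact(value)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict]:
    """Scan a mapping of path -> contents (e.g. the staged files of a commit)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE000000000'\n"
        "api_key = \"s3cr3t-Tok3n-9f2a7b1c\"\n"
        "password = 'changeme-placeholder'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']}")
```

Wired into a pre-commit hook that feeds it the staged files, a non-empty result blocks the commit; the redacted prefix is enough for the developer to find the line without the finding itself becoming another copy of the key.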
3. Compromised AWS Credentials
Cloud infrastructure like Amazon Web Services (AWS) has become an important component of business operations, making cloud credentials a prime target for attackers looking to gain access into an organization. With AWS access, an attacker can spin up new resources, access sensitive data stored in S3 buckets or RDS databases, and even pivot to other connected services.
Looking at the screenshot below, a user offered corporate AWS access, with some accounts spending as much as $50,000 per month on infrastructure and operations. They stated that it's possible to ransom a company if the buyer possesses the knowledge to navigate AWS; unfortunately, this is completely accurate.
It’s also important to note that users frequently share information on how to escalate privileges from compromised AWS accounts, going from simple AWS compromise to EC2 server access, S3 bucket access, and more.
In the forum post shown above, a rather detailed process is shared that explains how to go from basic AWS access to complete infrastructure takeover.
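From the defender's side, the escalation path described in this section leaves a trail in CloudTrail: a stolen key first enumerates what it can reach, then creates new keys, users or policies to keep access. The following is an added example detector over CloudTrail-style records, not code from the original article or from AWS; the event names and field names (`eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`, `eventTime`) are real CloudTrail fields, while the trusted network `203.0.113.0/24`, the thresholds and the sample events are constructed here.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed: corporate egress and CI runner addresses (RFC 5737 range).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# IAM calls that create persistence or widen permissions (real CloudTrail eventName values).
SENSITIVE_IAM_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
}
# Read-only calls a freshly stolen key is typically used for first.
ENUMERATION_EVENTS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles", "DescribeInstances", "ListSecrets",
}
ENUMERATION_THRESHOLD = 4        # distinct enumeration calls from one key ...
WINDOW = timedelta(minutes=10)   # ... inside this window


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: List[Dict]) -> List[Dict]:
    alerts: List[Dict] = []
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"].get("accessKeyId", "unknown")
        ip = ev["sourceIPAddress"]
        by_key[key].append(ev)
        # Rule 1: persistence or privilege change issued from outside known networks.
        if ev["eventName"] in SENSITIVE_IAM_EVENTS and not is_trusted(ip):
            alerts.append({"rule": "sensitive_iam_from_untrusted_ip", "accessKeyId": key,
                           "eventName": ev["eventName"], "sourceIPAddress": ip, "eventTime": ev["eventTime"]})
    for key, evs in by_key.items():
        trusted_times = [parse_time(e["eventTime"]) for e in evs if is_trusted(e["sourceIPAddress"])]
        untrusted = [e for e in evs if not is_trusted(e["sourceIPAddress"])]
        # Rule 2: the same key active from a known network and an unknown one within WINDOW.
        for e in untrusted:
            t = parse_time(e["eventTime"])
            if any(abs(t - tt) <= WINDOW for tt in trusted_times):
                alerts.append({"rule": "key_used_from_untrusted_network", "accessKeyId": key,
                               "sourceIPAddress": e["sourceIPAddress"], "eventTime": e["eventTime"]})
                break
        # Rule 3: burst of distinct enumeration calls from an unknown network.
        recon = [e for e in untrusted if e["eventName"] in ENUMERATION_EVENTS]
        for i, start in enumerate(recon):
            t0 = parse_time(start["eventTime"])
            names = {e["eventName"] for e in recon[i:] if parse_time(e["eventTime"]) - t0 <= WINDOW}
            if len(names) >= ENUMERATION_THRESHOLD:
                alerts.append({"rule": "enumeration_burst", "accessKeyId": key,
                               "calls": sorted(names), "eventTime": start["eventTime"]})
                break
    return alerts


def _ev(time, source, name, ip, user, key):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}


CI_KEY = "AKIAEXAMPLE000000000"     # constructed key ids
ADMIN_KEY = "AKIAEXAMPLE000000001"
SAMPLE_EVENTS = [
    _ev("2024-11-25T09:00:05Z", "s3.amazonaws.com", "PutObject", "203.0.113.10", "ci-deploy", CI_KEY),
    _ev("2024-11-25T09:03:12Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77", "ci-deploy", CI_KEY),
    _ev("2024-11-25T09:03:40Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.77", "ci-deploy", CI_KEY),
    _ev("2024-11-25T09:04:02Z", "iam.amazonaws.com", "ListUsers", "198.51.100.77", "ci-deploy", CI_KEY),
    _ev("2024-11-25T09:05:30Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.77", "ci-deploy", CI_KEY),
    _ev("2024-11-25T09:06:44Z", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.77", "ci-deploy", CI_KEY),
    _ev("2024-11-25T10:00:00Z", "iam.amazonaws.com", "CreateUser", "203.0.113.5", "cloud-admin", ADMIN_KEY),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The admin's `CreateUser` from a trusted address produces nothing, while the CI key's enumeration burst, reuse from an unfamiliar network and subsequent `CreateAccessKey` each fire; the response to any of the three is to disable the key and review what it touched, before the attacker's new credentials outlive the stolen one.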
4. Stolen Slack Credentials
Slack has become a ubiquitous communication and collaboration tool for many organizations, and attackers recognize the value of compromising Slack accounts, as they can provide a gateway to sensitive corporate data and connections to other systems. In fact, this is exactly how EA Sports was compromised a few years ago—ultimately resulting in key sections of FIFA 2021 being released to the public.
In a thread on a cybercrime forum, one user claimed to have compromised a Slack account and compiled contact information for HR and finance teams, as well as received access to all company documents.
Although they were seeking assistance in monetizing this access, the reality is that they could easily use that insider knowledge to pivot via cross-platform account takeover into another valuable application. They could social engineer a victim on Slack using techniques like pretexting or baiting, or use insider knowledge obtained from chat logs and documents to craft highly targeted phishing emails to other employees and gain access to their accounts.
Additionally, if the compromised account had Slack app integrations with appropriate permissions, the attacker could potentially gain access to other connected services, such as GitHub repositories, Jira tickets, or Google Drive documents.