Non-human identity (NHI) attacks are making waves in the cybersecurity landscape, with four high-profile incidents reported in the past few weeks alone. To help you stay on top of this threat vector, our research team provides insights on the latest incidents in this short article. Let’s get started.
Incident overview:
In one of the largest incidents in recent years, hundreds of Snowflake instances were breached by a financially motivated threat actor tracked as UNC5537. Approximately 165 organizations have been affected.
Details:
The breaches primarily involved credentials obtained through infostealer malware on vulnerable servers or unprotected employee laptops. These credentials, often linked to service accounts without multi-factor authentication (MFA), were used to gain access to Snowflake instances and exfiltrate large amounts of data. The threat actor demanded ransom from breached organizations and, when unsuccessful, sold the data and credentials on dark web forums.
Astrix’s recommendations (in a nutshell):
Incident overview:
Attackers managed to steal the New York Times’ source code, hosted on GitHub, by exploiting a stolen GitHub token. This token was over-privileged, granting access to all repositories within the organization.
Details:
The token had a long expiry period and was likely poorly managed, potentially leaked through common mishaps such as being included in public content, left on a compromised endpoint, or misused by an ex-employee. This incident echoes a similar case with Mercedes-Benz, where a single NHI led to the theft of entire source code repositories.
Astrix’s recommendations (in a nutshell):
Incident overview:
HuggingFace, a platform offering machine-learning-as-a-service for building AI-powered applications, recently reported that an unauthorized party accessed its servers and stole tokens and API keys from its Spaces platform.
Details:
The Spaces platform allows the creation of machine learning-powered applications and demos, requiring the use of secrets such as tokens and API keys. During the attack, these secrets were accessed by the unauthorized party. HuggingFace has urged customers to rotate all secrets stored in Spaces. The stolen tokens include HuggingFace’s own API tokens and other secrets necessary for AI application lifecycles, such as deploy keys and cloud credentials, which need to be rotated manually.
Astrix’s recommendations (in a nutshell):
Incident overview:
JetBrains recently disclosed a vulnerability in their GitHub Plugin, which is embedded in all JetBrains IntelliJ IDEs. This plugin facilitates seamless code management by allowing developers to pull and push code directly from the IDE using non-human identities (NHIs) such as OAuth apps or personal access tokens (PATs).
Details:
The vulnerability potentially allows third-party sites to access the NHI credentials granted to the plugin, enabling malicious actors to steal these credentials and gain unauthorized access to developers’ GitHub repositories. JetBrains has urged customers to revoke the plugin’s access by deleting associated PATs and revoking the OAuth app tokens.
Astrix’s recommendations (in a nutshell):
As NHIs continue to be largely unmonitored, these attacks are likely to increase in both number and impact. Effective management and security of NHIs are crucial to mitigating these threats. Astrix was purpose-built to secure this rising attack vector. To learn more, read our solution brief or book a live demo.
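As an added illustration (example code written for this page, not Astrix's product or any of the affected vendors' tooling), the script below triages a constructed NHI inventory for the four weaknesses the incidents above share: a service account without MFA (Snowflake), an over-privileged or never-expiring token (the New York Times), and a secret not rotated after a known exposure (HuggingFace, JetBrains). The 90-day lifetime limit and the set of "broad" scopes are assumed policy values, and every credential name in the inventory is made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

MAX_LIFETIME = timedelta(days=90)                          # assumed policy: tokens live at most 90 days
BROAD_SCOPES = {"repo", "admin:org", "ACCOUNTADMIN", "*"}  # assumed list of "all-access" scopes/roles

@dataclass
class NHI:
    name: str
    kind: str                          # "service_account", "pat", "oauth_app", "api_key"
    scopes: Tuple[str, ...] = ()
    issued: date = date(2024, 1, 1)
    expires: Optional[date] = None     # None means the credential never expires
    mfa: bool = False                  # only meaningful for service accounts
    exposed_on: Optional[date] = None  # date it appeared in a leak or incident notice
    last_rotated: Optional[date] = None

def assess(nhi: NHI) -> List[str]:
    """Return the weaknesses this NHI shares with the four incidents."""
    findings = []
    if nhi.kind == "service_account" and not nhi.mfa:
        findings.append("no-mfa")                   # Snowflake pattern
    if BROAD_SCOPES & set(nhi.scopes):
        findings.append("over-privileged")          # NYT token pattern
    if nhi.expires is None or nhi.expires - nhi.issued > MAX_LIFETIME:
        findings.append("long-lived")               # NYT token pattern
    if nhi.exposed_on and (nhi.last_rotated is None or nhi.last_rotated < nhi.exposed_on):
        findings.append("exposed-not-rotated")      # HuggingFace / JetBrains pattern
    return findings

def triage(inventory: List[NHI]) -> Dict[str, List[str]]:
    """Map each flagged NHI to its findings, worst first; clean NHIs are omitted."""
    flagged = {n.name: assess(n) for n in inventory if assess(n)}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

# Constructed sample inventory; no real credentials or organizations.
INVENTORY = [
    NHI("snowflake-etl-svc", "service_account", ("ACCOUNTADMIN",), mfa=False,
        issued=date(2024, 1, 1), expires=date(2024, 3, 31)),
    NHI("gh-ci-pat", "pat", ("repo",), issued=date(2023, 1, 1), expires=None,
        exposed_on=date(2024, 6, 1)),
    NHI("spaces-deploy-key", "api_key", ("deploy",), issued=date(2024, 1, 1),
        expires=date(2024, 3, 1), exposed_on=date(2024, 5, 31), last_rotated=date(2024, 6, 2)),
    NHI("ide-oauth", "oauth_app", ("read:user",), issued=date(2024, 5, 1),
        expires=date(2024, 7, 1)),
]

if __name__ == "__main__":
    for name, findings in triage(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Feeding a real inventory through the same checks gives a prioritized rotation and scope-reduction list; the rotated deploy key and the short-lived, narrowly scoped OAuth grant correctly produce no findings.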
The post NHI attacks making waves: Insights on latest 4 incidents appeared first on Astrix Security.
*** This is a Security Bloggers Network syndicated blog from Astrix Security authored by Danielle Guetta. Read the original post at: https://astrix.security/nhi-attacks-making-waves-insights-on-latest-4-incidents/