2023 saw its fair share of cyber attacks; however, one attack vector proved more prominent than the others: non-human access. With 11 high-profile attacks in 13 months and an ever-growing, uncontrolled attack surface, non-human identities are the new perimeter, and 2023 is only the beginning.
Why non-human access is a cybercriminal’s paradise
People always look for the easiest way to get what they want, and cybercrime is no exception. Threat actors look for the path of least resistance, and in 2023 that path is non-user access credentials (API keys, tokens, service accounts and secrets).
“50% of active access tokens connecting Salesforce and third-party apps are unused. On GitHub and GCP the numbers reach 33%.”
These non-user access credentials connect apps and resources to other cloud services. What makes them a real security nightmare is that they lack the protections user credentials have (MFA, SSO or other IAM policies); they are often over-authorized and unmanaged, and there is no recovery. In fact, 50% of active access tokens connecting Salesforce and third-party apps are unused. On GitHub and GCP the numbers reach 33%.*
So how do cybercriminals exploit these non-human access credentials? To understand the attack paths, we must first understand the types of non-human access and identities. In general, there are two types of non-human access – external and internal.
External non-human access is created when employees connect third-party tools and services to core business and engineering environments such as Salesforce, Microsoft 365, Slack, GitHub and AWS to streamline processes and increase agility. These connections are made through API keys, service accounts, OAuth tokens and webhooks owned by the app or third-party service (the non-human identity). With the growing trend of bottom-up software adoption and freemium cloud services, many of these connections are made by different employees without any security management and, even worse, from unvetted sources. Astrix research shows that 90% of apps connected to the Google Workspace environment are non-marketplace apps, meaning they have not been vetted by an official app store. On Slack the number reaches 77%, and on GitHub 50%.*
“74% of Personal Access Tokens in the GitHub environment have no expiration.”
Internal non-human access is similar, but it is created with internal access credentials, also known as ‘secrets’. R&D teams often create secrets that connect different resources and services. These secrets are frequently scattered across many secret managers (vaults), with no visibility for the security team into where they are, whether they are exposed, what they are allowed to access, and whether they are misconfigured. In fact, 74% of Personal Access Tokens in the GitHub environment have no expiration. Similarly, 59% of webhooks on GitHub are misconfigured, meaning they are unencrypted and unsigned.*
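A minimal inventory check for the weaknesses quoted above (unused tokens, tokens with no expiration, over-broad scopes, and webhooks delivered without HTTPS or a signing secret), added here as an example and not Astrix's, GitHub's or any vendor's tooling; the record fields, the 90-day threshold, the list of broad scopes and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Records are constructed for this example; field names are an assumption,
# not the schema of GitHub, Astrix or any other product.
@dataclass
class Token:
    name: str
    scopes: frozenset
    last_used: Optional[datetime]   # None = never used
    expires_at: Optional[datetime]  # None = never expires

@dataclass
class Webhook:
    name: str
    url: str
    has_secret: bool  # GitHub HMAC-signs deliveries only when a secret is set

# Scopes that let a token change or delete data are treated as broad here.
BROAD_SCOPES = frozenset({"repo", "write:org", "admin:org", "delete_repo"})
UNUSED_AFTER = timedelta(days=90)

def audit(tokens, webhooks, now):
    """Return (subject, finding) pairs for the weaknesses described above."""
    findings = []
    for t in tokens:
        if t.expires_at is None:
            findings.append((t.name, "no expiration"))
        if t.last_used is None or now - t.last_used > UNUSED_AFTER:
            findings.append((t.name, "unused for 90+ days: revoke"))
        broad = sorted(t.scopes & BROAD_SCOPES)
        if broad:
            findings.append((t.name, "over-authorized: " + ",".join(broad)))
    for w in webhooks:
        if not w.url.startswith("https://"):
            findings.append((w.name, "unencrypted: plain http endpoint"))
        if not w.has_secret:
            findings.append((w.name, "unsigned: no secret configured"))
    return findings

def sample_inventory():
    """Constructed sample: one healthy token, one stale one, two webhooks."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tokens = [Token("ci-deploy", frozenset({"repo"}), now - timedelta(days=3),
                    now + timedelta(days=30)),
              Token("legacy-sync", frozenset({"read:org"}), None, None)]
    webhooks = [Webhook("prod-notify", "https://hooks.example.com/gh", True),
                Webhook("old-bot", "http://bot.example.com/gh", False)]
    return tokens, webhooks, now
```

Running `audit(*sample_inventory())` flags the never-used, never-expiring token and the plain-http, unsigned webhook while leaving the healthy pair alone.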
High-profile attacks in 2023 that take advantage of non-human access
This threat is anything but theoretical. 2023 saw some major brands fall victim to non-human access exploits, with thousands of customers affected. In such attacks, attackers take advantage of exposed or stolen access credentials to enter the most sensitive core systems of organizations, and in the case of external access – reach the environments of their customers (supply chain attacks). Some of these high-profile attacks include:
- Okta (October 2023): Attackers used a leaked service account to access Okta’s support case management system. This allowed attackers to view files uploaded by many Okta customers as part of new support cases.
- GitHub Dependabot (September 2023): Hackers stole GitHub Personal Access Tokens (PATs). These tokens were then used to make unauthorized commits as Dependabot to public and private GitHub repositories.
- Microsoft SAS Key (September 2023): A SAS token published by Microsoft’s AI researchers actually gave full access to the entire storage account it was created on, leading to a leak of over 38TB of highly sensitive information. These permissions were available to attackers for more than 2 years (!).
- Slack GitHub Repositories (January 2023): Threat actors gained access to Slack’s externally hosted GitHub repository through a “limited” number of stolen Slack employee tokens. From there, they were able to download private code repositories.
- CircleCI (January 2023): An engineering employee’s computer was compromised by malware that bypassed their antivirus solution. The compromised machine allowed threat actors to access and steal session tokens. Stolen session tokens give threat actors the same access as the account owner, even if the account is protected by two-factor authentication.
The impact of GenAI access
“32% of GenAI apps connected to the Google Workspace environment have very broad access permissions (read, write, delete).”
As one might expect, the widespread adoption of GenAI tools and services exacerbates the issue of non-human access. GenAI gained huge popularity in 2023, and it is likely to only grow. With ChatGPT having become the fastest-growing app in history and AI-powered apps downloaded 1506% more than last year, the security risks of using and connecting often untested GenAI apps to core business systems are already causing sleepless nights for security leaders. Figures from Astrix Research provide another testament to this threat: 32% of GenAI apps connected to the Google Workspace environment have very broad access permissions (read, write, delete).*
GenAI access risks are hitting the entire industry in waves. In a recent report named “Emerging Tech: Top 4 GenAI Security Risks”, Gartner explains the risks that come with the widespread use of GenAI tools and technologies. According to the report, “The use of generative AI (GenAI) large language models (LLMs) and interfaces to chat, especially connected to third-party solutions outside the organization’s firewall, represents an expansion of attack surfaces and threats to the security of businesses.”
Security should be an enabler
Since non-human access is the direct result of cloud and automation adoption, both welcome trends that contribute to growth and efficiency, it must be supported by security. With security leaders constantly striving to be enablers instead of blockers, a method of securing non-human identities and their access credentials is no longer optional.
Improperly securing non-human access, both external and internal, greatly increases the likelihood of supply chain attacks, data breaches, and compliance violations. Security policies, as well as automated tools to enforce them, are a must for those looking to secure this vulnerable attack surface while allowing the business to reap the benefits of automation and hyper-connectivity.
*According to Astrix Research data, collected from business environments of organizations with 1000-10,000 employees