NHI attacks making waves: Insights on latest 4 incidents
2024-06-14 17:42 Author: securityboulevard.com

Non-human identity (NHI) attacks are making waves in the cybersecurity landscape, with four high-profile incidents reported in the past few weeks alone. To help you stay on top of this threat vector, our research team provides insights on the latest incidents in this short article. Let’s get started.

Incident 1: Snowflake Data Breach by UNC5537 (May 15, 2024)

Incident overview:

In one of the largest incidents in recent years, hundreds of Snowflake instances were breached by a financially motivated threat actor tracked as UNC5537. Approximately 165 organizations have been affected.

Details:

The breaches primarily involved credentials obtained through infostealer malware on vulnerable servers or unprotected employee laptops. These credentials, often linked to service accounts without multi-factor authentication (MFA), were used to gain access to Snowflake instances and exfiltrate large amounts of data. The threat actor demanded ransom from breached organizations and, when unsuccessful, sold the data and credentials on dark web forums.

Astrix’s recommendations (in a nutshell):

  • Enable MFA for all users.
  • Convert service accounts to use key pair authentication or OAuth applications instead of static credentials.
  • Monitor for any signs of compromise and respond promptly.
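The password-only service-account logins behind the Snowflake breaches are easy to surface from login history. The following is an added example (not code from the Astrix post); it mirrors the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view over constructed sample rows:

```python
# Added example (not from the Astrix post): flag logins that succeeded with a
# single static password and no second factor, the pattern UNC5537 exploited.
# Field names follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY columns
# (USER_NAME, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR,
# SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, CLIENT_IP); rows are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Login:
    user_name: str
    client_type: str
    first_factor: str
    second_factor: Optional[str]
    is_success: bool
    client_ip: str


# Constructed sample rows: a human with MFA, a key-pair service account,
# a failed login, and a service account using a bare password twice.
SAMPLE_LOGINS = [
    Login("ALICE", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True, "203.0.113.10"),
    Login("ETL_SVC", "PYTHON_DRIVER", "PASSWORD", None, True, "198.51.100.7"),
    Login("BI_SVC", "JDBC_DRIVER", "RSA_KEYPAIR", None, True, "198.51.100.8"),
    Login("BOB", "SNOWFLAKE_UI", "PASSWORD", None, False, "203.0.113.11"),
    Login("ETL_SVC", "PYTHON_DRIVER", "PASSWORD", None, True, "192.0.2.44"),
]


def single_factor_password_logins(logins):
    """Successful logins that relied on a static password with no second factor."""
    return [l for l in logins
            if l.is_success and l.first_factor == "PASSWORD" and not l.second_factor]


def users_needing_remediation(logins):
    """Map each weakly authenticated user to the sorted list of source IPs seen.

    A service account appearing from a new IP with password-only auth is the
    signal the recommendations above ask teams to monitor for."""
    seen = {}
    for l in single_factor_password_logins(logins):
        seen.setdefault(l.user_name, set()).add(l.client_ip)
    return {user: sorted(ips) for user, ips in seen.items()}


if __name__ == "__main__":
    for user, ips in users_needing_remediation(SAMPLE_LOGINS).items():
        print(f"{user}: password-only logins from {', '.join(ips)} -> enforce MFA or key pair")
```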

Incident 2: New York Times Source Code Theft (June 3, 2024)

Incident overview:

Attackers managed to steal the New York Times’ source code, hosted on GitHub, by exploiting a stolen GitHub token. This token was over-privileged, granting access to all repositories within the organization.

Details:

The token had a long expiry period and was likely poorly managed, potentially leaked through common mishaps such as being included in public content, left on a compromised endpoint, or misused by an ex-employee. This incident echoes a similar case with Mercedes-Benz, where a single NHI led to the theft of entire source code repositories.

Astrix’s recommendations (in a nutshell):

  • Inventory all NHIs to ensure proper management.
  • Implement least-privileged access policies.
  • Maintain short expiry periods for tokens.
  • Monitor for unusual behavior to detect potential misuse.
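The two properties that made the stolen token so damaging, org-wide repository access and a long expiry, can be checked mechanically once an NHI inventory exists. This is an added example, not code from the Astrix post; the inventory layout, the 90-day lifetime limit and the scope names are assumptions:

```python
# Added example (not from the Astrix post): policy check over an NHI token
# inventory. The Token layout, the 90-day limit and WRITE_SCOPES are assumptions.
from datetime import date, timedelta
from typing import NamedTuple, Optional


class Token(NamedTuple):
    owner: str               # human or workload the token belongs to
    kind: str                # "classic_pat", "fine_grained_pat", "github_app", ...
    repo_access: str         # "all" (every repo in the org) or "selected"
    scopes: frozenset        # granted scopes / permissions
    created: date
    expires: Optional[date]  # None means the token never expires


MAX_LIFETIME = timedelta(days=90)  # assumed policy: tokens live at most 90 days
WRITE_SCOPES = {"repo", "admin:org", "workflow", "contents:write"}


def token_findings(tok: Token, today: date) -> list:
    """Return policy violations for one token; an empty list means compliant."""
    findings = []
    if tok.repo_access == "all":
        findings.append("over-privileged: access to every repository in the organization")
    if tok.expires is None:
        findings.append("no expiry: token never expires")
    elif tok.expires < today:
        findings.append("expired: revoke and remove from inventory")
    elif tok.expires - tok.created > MAX_LIFETIME:
        findings.append(f"long-lived: lifetime exceeds {MAX_LIFETIME.days} days")
    if tok.kind == "classic_pat" and tok.scopes & WRITE_SCOPES:
        findings.append("classic PAT with write scopes: migrate to a fine-grained token")
    return findings


def audit(tokens, today):
    """Map owner -> findings for every non-compliant token."""
    return {t.owner: f for t in tokens if (f := token_findings(t, today))}


# Constructed sample inventory.
TODAY = date(2024, 6, 14)
INVENTORY = [
    Token("ci-deploy", "classic_pat", "all", frozenset({"repo", "workflow"}),
          date(2023, 1, 10), None),
    Token("docs-bot", "fine_grained_pat", "selected", frozenset({"contents:read"}),
          date(2024, 5, 1), date(2024, 6, 30)),
    Token("release-app", "github_app", "selected", frozenset({"contents:write"}),
          date(2024, 1, 1), date(2025, 1, 1)),
]
```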

Incident 3: HuggingFace Spaces Platform Breach (June 8, 2024)

Incident overview:

HuggingFace, a platform offering machine learning as a service for building AI-powered applications, recently reported that an unauthorized party accessed their servers, stealing tokens and API keys from its Spaces platform.

Details:

The Spaces platform allows the creation of machine learning-powered applications and demos, requiring the use of secrets such as tokens and API keys. During the attack, these secrets were accessed by the unauthorized party. HuggingFace has urged customers to rotate all secrets stored in Spaces. The stolen tokens include HuggingFace’s own API tokens and other secrets necessary for AI application lifecycles, such as deploy keys and cloud credentials, which need to be rotated manually.

Astrix’s recommendations (in a nutshell):

  • Rotate all secrets that were stored in HuggingFace Spaces.
  • Switch to the new HuggingFace fine-grained tokens.
  • Ensure any other secrets used in the AI application lifecycle are updated across the application infrastructure stack.

Incident 4: JetBrains GitHub Plugin Vulnerability (June 10, 2024)

Incident overview:

JetBrains recently disclosed a vulnerability in their GitHub Plugin, which is embedded in all JetBrains IntelliJ IDEs. This plugin facilitates seamless code management by allowing developers to pull and push code directly from the IDE using non-human identities (NHIs) such as OAuth apps or personal access tokens (PATs).

Details:

The vulnerability potentially allows third-party sites to access the NHI credentials granted to the plugin, enabling malicious actors to steal these credentials and gain unauthorized access to developers’ GitHub repositories. JetBrains has urged customers to revoke the plugin’s access by deleting associated PATs and revoking the OAuth app tokens.

Astrix’s recommendations (in a nutshell):

  • Identify affected integrations by filtering for the User Agent associated with the plugin: IntelliJ IDEA GitHub Plugin.
  • Exercise caution when deleting PATs, as they may be used across multiple integrations and workloads; incorrect deletion could disrupt critical components.
  • Act quickly, as PATs linked to the JetBrains plugin often have high permissions to users’ GitHub repositories.
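Filtering for the plugin's User Agent and checking whether each affected PAT is also used by other clients covers the first two recommendations above. This is an added example, not code from the Astrix post; the JSON-lines record layout is a constructed simplification, not GitHub's audit-log schema:

```python
# Added example (not from the Astrix post): triage access records for the
# "IntelliJ IDEA GitHub Plugin" User Agent and flag PATs that other clients also
# use, since revoking those could break unrelated workloads.
# The record layout is a constructed simplification, not GitHub's audit-log schema.
import json
from collections import defaultdict

PLUGIN_UA = "IntelliJ IDEA GitHub Plugin"

# Constructed sample records: one JSON line per authenticated API request.
SAMPLE_LOG = """\
{"ts":"2024-06-10T09:01:00Z","actor":"dev1","token_id":"pat_a1","user_agent":"IntelliJ IDEA GitHub Plugin/2024.1","repo":"acme/app"}
{"ts":"2024-06-10T09:02:00Z","actor":"dev1","token_id":"pat_a1","user_agent":"curl/8.4.0","repo":"acme/app"}
{"ts":"2024-06-10T09:03:00Z","actor":"dev2","token_id":"pat_b2","user_agent":"IntelliJ IDEA GitHub Plugin/2023.3","repo":"acme/infra"}
{"ts":"2024-06-10T09:04:00Z","actor":"ci","token_id":"pat_c3","user_agent":"actions/checkout","repo":"acme/app"}
"""


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def plugin_usage(records):
    """token_id -> set of client names (UA product, version stripped),
    restricted to tokens the plugin was seen using."""
    ua_by_token = defaultdict(set)
    for r in records:
        ua_by_token[r["token_id"]].add(r["user_agent"].split("/")[0])
    return {t: uas for t, uas in ua_by_token.items() if PLUGIN_UA in uas}


def triage(records):
    """'plugin-only' tokens can be revoked outright; 'shared' tokens are also
    used by other clients, so rotate them rather than deleting blindly."""
    return {t: ("plugin-only" if uas == {PLUGIN_UA} else "shared")
            for t, uas in plugin_usage(records).items()}


if __name__ == "__main__":
    for token, verdict in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{token}: {verdict}")
```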

The rising threat of NHI attacks

As NHIs continue to be largely unmonitored, these attacks are likely to increase in both number and impact. Effective management and security of NHIs are crucial to mitigating these threats. Astrix was purpose-built to secure this rising attack vector. To learn more, read our solution brief or book a live demo.


*** This is a Security Bloggers Network syndicated blog from Astrix Security authored by Danielle Guetta. Read the original post at: https://astrix.security/nhi-attacks-making-waves-insights-on-latest-4-incidents/


Source: https://securityboulevard.com/2024/06/nhi-attacks-making-waves-insights-on-latest-4-incidents/