Exposed CRM Credentials Enable Threat Actors to Access Organizations’ Critical Infrastructure

Originally published at: https://cloudsek.com/threatintelligence/exposed-crm-credentials-enable-threat-actors-to-access-organizations-critical-infrastructure/


Category: Vulnerability Intelligence

Sub-Category: Exposed End-point Credentials

Industry: Multiple

Region: Global

Executive Summary

Threat:
  • Increase in dark web chatter on exploiting CRMs to access organizations’ critical infra.
  • Exposure of CRM end-point secrets and credentials on code repositories.

Impact:
  • Initial access to organizations’ critical infrastructure enables ransomware deployment and data exfiltration.
  • Access to individuals’ and CXOs’ PII and credentials.
  • Loss of revenue and reputation.

Mitigation:
  • Real-time scanning and takedowns of code repos exposing CRM credentials.
  • Monitor underground intel on threat actor tactics related to CRM solutions like Zoho, Hubspot, Salesforce, etc.

CloudSEK’s contextual AI digital risk platform XVigil has identified:

  • An increase in dark web discussions among threat actors regarding CRM exploitation tactics
  • Widespread exposure of CRM credentials across code repositories such as GitHub and Bitbucket

Taken together, these two trends pose a significant threat to organizations that use CRM (Customer Relationship Management) solutions such as Salesforce, Zoho, Hubspot, etc.

Analysis

CRM Credentials Exposed on GitHub

XVigil’s Cyber Threat Monitor has identified several code repositories disclosing sensitive information, including CRM secrets and credentials.

Code repositories exposing CRM credentials, identified by XVigil’s Cyber Threat Monitor


The following example illustrates the code repository of a Salesforce DX guide for an organization’s development team. This repository discloses sensitive information, including an employee’s Salesforce credentials.

Salesforce DX Guide for the Development Team


This repository was exposing, in plaintext, the employee’s:

  • Salesforce username
  • Salesforce password
  • Consumer ID
  • Consumer Secret

Code repo file exposing plaintext credentials and secrets

Increase in Darkweb Discussions Regarding CRM Exploitation

XVigil has identified an increase in discussions on cybercrime forums regarding CRMs. Here are some key examples:

  • Threat actors discussing CVE-2021-44077, a vulnerability in Zoho ManageEngine CRM software.

Discussion around CVE-2021-44077 vulnerability in Zoho

  • A threat actor detailing how logs from CRMs like Zoho, SugarCRM, Hubspot, and Salesforce can be leveraged to gain access to the critical infrastructure of an organization. CRM logs are sold on various underground markets.

Discussion on obtaining CRM logs from corporates


How Exposed CRM Secrets and Darkweb Discussion Enable Large-Scale Attacks

  • Attackers regularly use manual and automated scanners to monitor public code repositories like GitHub for secrets and source code leaks.
  • Actors use the credentials, in conjunction with vulnerabilities, exploits, and CRM logs available on cybercrime forums, to gain access to the organization’s critical infrastructure.
  • These sensitive details also enable them to move laterally across the organization, deploy ransomware, exfiltrate data, take over user accounts, and maintain persistence.


Impact & Mitigation

Over 2 million corporate secrets were detected on public GitHub repositories in 2020. These leaked secrets were leveraged to carry out major attacks on Starbucks, Equifax, and the United Nations.

Impact:
  • The leaked information could be used to gain initial access to the company’s infrastructure.
  • If the leaked data is not encrypted, it could enable account takeovers.
  • Commonly used or weak passwords make brute-force attacks feasible.
  • It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Mitigation:
  • Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Patch vulnerable and exploitable endpoints.
  • Do not store unencrypted secrets in Git repositories.
  • Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Scan repositories to identify exposed credentials and secrets.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
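The repository scanning called for above, as an added example that is not CloudSEK’s or XVigil’s code: a minimal pre-commit-style scanner for the kinds of Salesforce material the article lists as exposed (username, password, consumer key/ID, consumer secret), which also skips variable references and template placeholders and redacts what it reports so the scanner’s own output does not leak the secret. The regexes are heuristics written for this example, the `force://` SFDX auth URL pattern is an assumption about that tool’s format, and the sample repository contents are constructed.

```python
import re
from collections import namedtuple

# Patterns for what the article lists as exposed (Salesforce username, password, consumer
# key/ID, consumer secret) plus the SFDX auth URL, which bundles client id, secret and token.
PATTERNS = {
    "salesforce_username": re.compile(
        r'(?i)\b(?:sf|salesforce|sfdx)[_\-]?user(?:name)?\s*[:=]\s*["\']?([^\s"\']+@[^\s"\']+)'),
    "salesforce_password": re.compile(
        r'(?i)\b(?:sf|salesforce|sfdx)?[_\-]?pass(?:word|wd)?\s*[:=]\s*["\']?([^\s"\']{8,})'),
    "consumer_key": re.compile(
        r'(?i)\b(?:consumer|client)[_\-]?(?:key|id)\s*[:=]\s*["\']?([A-Za-z0-9._]{40,})'),
    "consumer_secret": re.compile(
        r'(?i)\b(?:consumer|client)[_\-]?secret\s*[:=]\s*["\']?([A-Za-z0-9]{32,})'),
    "sfdx_auth_url": re.compile(r'(force://[^\s"\']+)'),
}
Finding = namedtuple("Finding", "path line kind preview")  # preview is redacted
def is_placeholder(value: str) -> bool:
    """Variable references and template slots are not literal secrets."""
    return value.startswith(("$", "{", "<", "%")) or value.lower() in {"changeme", "redacted"}

def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"

def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and not is_placeholder(m.group(1)):
                findings.append(Finding(path, lineno, kind, redact(m.group(1))))
    return findings

def scan_files(files: dict) -> list:
    # files maps repository path -> content, e.g. the staged files in a pre-commit hook
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample: a DX guide that inlines credentials, beside a safe .env.example.
SAMPLE_REPO = {
    "docs/SFDX_GUIDE.md": "\n".join([
        "SF_USERNAME=dev.user@example.com\nSF_PASSWORD=Wint3r2021!Sample",
        "CONSUMER_KEY=3MVG9SAMPLEKEY012345678901234567890123456789\nCONSUMER_SECRET=1234567890123456789012345678901234567890",
        "auth.txt held: force://PlatformCLI::5AepSAMPLETOKEN@example.my.salesforce.com",
    ]),
    ".env.example": "SF_PASSWORD=${SF_PASSWORD}\nCONSUMER_SECRET=<set in CI secret store>\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} -> {f.preview}")
```

Wired into a pre-commit hook, a non-empty result from scan_files over the staged files is the signal to block the commit; the .env.example entries show why the placeholder check matters, since a template that names the variable is exactly what the guide should have contained instead.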