7 OAuth attacks in 10 months: The new generation of supply chain attacks
The new generation of supply chain attacks has been rising in recent years. In these attacks, hackers abuse third-party app connections as a means of accessing core business systems. However, many conversations about supply chain security risks focus on vulnerabilities in software application components themselves, or in their human-to-app connections. They overlook a critical area of supply chain security risk: third-party (application/NPE) integrations.
The threat is real: A new generation of supply chain attacks
Security issues related to application integrations are not theoretical. A variety of recent incidents highlight the risk posed by insecure third-party app integrations:
- GitHub Personal Access Token (December 2022): On December 6, 2022, repositories from GitHub’s atom, desktop, and other deprecated GitHub-owned organizations were cloned using a compromised Personal Access Token (PAT) associated with a machine account. The malicious actor then used the PAT to read these repositories, which contained sensitive information.
- Slack GitHub Repositories (January 2023): In this incident, threat actors gained access to Slack’s externally hosted GitHub repositories via a “limited” number of stolen Slack employee tokens. From there, they were able to download private code repositories.
- CircleCI (January 2023): In this attack, an engineering employee’s computer was compromised by malware that bypassed the company’s antivirus solution. The compromised machine allowed the threat actors to access and steal session tokens. Stolen session tokens give threat actors the same access as the account owner, even when the account is protected with two-factor authentication.
- Microsoft OAuth Phishing Attack (December 2022): Malicious OAuth apps were used to steal customers’ emails. The threat actors then used these accounts to register verified OAuth apps in Azure AD for consent phishing attacks targeting corporate users in the UK and Ireland.
- Microsoft OAuth (September 2022): By exploiting OAuth integrations, malicious applications were deployed on compromised cloud tenants. From there, they modified Exchange Online settings to spread spam.
- GitHub (April 2022): Stolen OAuth tokens allowed attackers to breach dozens of GitHub accounts, using Travis CI and Heroku as backdoors.
- Mailchimp (April 2022): Hackers misused API keys to breach hundreds of Mailchimp accounts.
- Codecov (April 2021): One attack path the attackers took was to steal the git access tokens of 17,000 companies from Codecov and use them to access private Git repositories and compromise sensitive data (see an example of this attack against Twilio in image A below).
- Waydev (July 2020): Hackers stole OAuth tokens from Git analytics firm Waydev to execute a supply chain breach.
This list could go on. Other big-name companies affected by attacks wherein hackers abused identities or access keys include Slack, Microsoft and Google.
What is causing the spike in supply chain attacks?
What these attacks had in common is that they allowed hackers to breach assets by exploiting the integration and authentication mechanisms (like OAuth or API keys) that businesses use to connect to third-party software. These differ from “classic” supply chain attacks, like the SolarWinds breach, in which attackers inserted malicious code directly into the compromised product.
With bottom-up software adoption and the adoption of low-code and no-code platforms, employees are now freely connecting third-party apps to their organization’s core systems to increase their productivity.
Here are 2 examples:
- A marketing operations manager trialing a new SaaS prospecting tool – and integrating it directly with your Salesforce instance to sync leads automatically.
- An engineering team lead using a new cloud-based productivity tool that relies on API access to your GitHub repository. It may also use other shadow integration methods like SSH keys, service accounts, webhooks, and more.
In these cases, it’s difficult for security leaders to have visibility and control. This is because bottom-up software adoption and the increased usage of LCNC (low-code/no-code) tools give employees the freedom to create integrations without the proper approval of IT and security teams.
OAuth attack frequency and intensity will increase
Unfortunately, the size and scale of the problem is only worsening. Here are 3 of the major reasons for this:
- Business app environment – With core systems like Slack offering at least 2,000 integrations in their marketplace alone, ‘non-technical’ employees can freely connect third-party apps to these core systems. These ‘non-technical’ employees usually lack cybersecurity awareness, and therefore may unknowingly connect untrusted, over-privileged, and later unused third-party apps to their accounts.
- Engineering environment – IT teams, DevOps and others are increasingly providing API-based access to third-party applications from core systems like GitHub or Snowflake. These shadow integrations (created using API keys, service accounts, webhooks, OAuth tokens, or even just SSH keys) create another whole ecosystem of supply chain dependencies.
- Low-code/no-code platforms – Tools like Zapier, Workato and Microsoft Power Apps are allowing “citizen developers” to integrate and automate processes with a flip of a switch. The ease with which these tools enable anyone to create advanced integrations between critical systems and third-party apps amplifies the web of tangled app integrations even more. In fact, the threat posed by these platforms is so great that analyst firm Forrester believes we will see a major breach in 2023.
Why security solutions fall short
If you look at how third-party app integrations typically work, and the level of visibility that businesses have into them, it’s not hard to understand why hackers would focus on exploiting supply chains. We live in a world of “extended enterprises,” meaning that organizations rely heavily on third-party app integrations. For example, the average enterprise employs about 1400 cloud-based apps, generating even more integrations.
And simply keeping track of all of these integrations is a huge task. User Access Management solutions (such as Okta, Auth0, and Cisco Duo) and Cloud Access Security Broker (CASB) platforms focus solely on securing user credentials and user-to-application connections. They do not monitor and govern app-to-app connections or ensure that core systems are securely connected to third-party cloud services.
API keys, OAuth tokens, webhooks and any other programmable access keys are powerful credentials and should be protected as vigorously as user passwords. Leaking an API key can be more consequential than leaking a username and password, since logins are often protected by two-factor authentication nowadays, whereas API keys are not.
The Astrix approach to supply chain security
By automatically creating an inventory of all app-to-app connections that exist within your IT assets, then detecting over-privileged, unnecessary or malicious integrations, you can find and mitigate supply chain risks related to the way apps are integrated. And you can do it without disrupting the ability of your business users to deploy the integrations they need to remain productive.
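As an added illustration (not Astrix’s product or code), here is a small Python inventory check that applies the conditions discussed above, untrusted (shadow), over-privileged and unused grants, plus long-lived non-OAuth secrets, to a constructed list of app-to-app connections. The high-privilege scope lists are a hypothetical subset per core system and the sample records are fictional.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Integration:
    """One app-to-app connection discovered in a core system."""
    system: str        # core system: "github", "slack", "salesforce"
    app: str           # third-party app or automation holding the credential
    cred_type: str     # "oauth", "pat", "api_key", "ssh_key", "webhook"
    scopes: frozenset  # permissions granted to the credential
    last_used: date    # last authenticated call seen in the system's audit log
    approved: bool     # went through IT/security review (False = shadow integration)

# Scopes treated as high-privilege per core system (illustrative subset, not exhaustive).
HIGH_PRIV = {
    "github": {"repo", "admin:org", "workflow", "write:packages"},
    "slack": {"chat:write", "channels:history", "users:read.email", "admin"},
    "salesforce": {"api", "full", "web"},
}
STALE_AFTER = timedelta(days=90)
LONG_LIVED = {"pat", "api_key", "ssh_key"}  # no IdP-side expiry, no per-app revocation, no MFA

def assess(integ: Integration, today: date) -> list:
    """Return the risk findings for one integration, in a fixed order."""
    findings = []
    if not integ.approved:
        findings.append("untrusted")          # connected outside IT/security review
    if integ.scopes & HIGH_PRIV.get(integ.system, set()):
        findings.append("over_privileged")    # holds write/admin rights on a core system
    if today - integ.last_used > STALE_AFTER:
        findings.append("unused")             # stale grant: standing access nobody needs
    if integ.cred_type in LONG_LIVED:
        findings.append("long_lived_secret")  # a leak gives account-equivalent access
    return findings

def inventory_report(integrations, today):
    # Map (system, app) to its findings; an empty list means nothing to remediate.
    return {(i.system, i.app): assess(i, today) for i in integrations}

# Constructed sample inventory (fictional apps and dates, not real data).
TODAY = date(2023, 3, 1)
SAMPLE = [
    Integration("github", "ci-analytics-bot", "pat", frozenset({"repo", "read:org"}), date(2022, 7, 15), False),
    Integration("salesforce", "prospecting-tool", "oauth", frozenset({"api", "refresh_token"}), date(2023, 2, 27), False),
    Integration("slack", "standup-reminder", "oauth", frozenset({"channels:read"}), date(2023, 2, 28), True),
    Integration("github", "deploy-hook", "webhook", frozenset(), date(2023, 2, 28), True),
]

if __name__ == "__main__":
    for (system, app), findings in inventory_report(SAMPLE, TODAY).items():
        print(f"{system}/{app}: {', '.join(findings) or 'ok'}")
```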
At Astrix, we’ve built a solution that does just that. Using an agentless approach, we provide comprehensive visibility into integrations across all SaaS, PaaS and IaaS environments. We allow businesses to identify their integrations, detect risks, remediate gaps and manage the complete integration lifecycle to prevent new risks from arising.
This means that businesses can take full advantage of the power of app-to-app automation and integration without compromising on security.
Contact us to learn more about how Astrix can help protect all layers of your supply chain.