Top 5 non-human identity attacks of 2023

Tal Skverer January 2, 2024

2024 is here, and before we delve into new year resolutions and looking to the future, we wanted to take a moment and look back at some of the most high profile non-human identity attacks in 2023, rank the top 5, and see what we can learn from them. For that, our research team set the ranking criteria, analyzed each attack accordingly, and provided their insights on the lessons that we can learn from each attack. 

But first, what is a non-human identity attack? 

Threat actors, like all humans, look for the path of least resistance, and it seems that in 2023 this path was non-user access credentials (API keys, tokens, service accounts and secrets). These programmable access credentials are used to connect apps and resources to other cloud services, and what makes them a true hacker’s dream is that they have no security measures like user credentials do (MFA, SSO or other IAM policies). To make matters worse, these credentials are also often over-permissive, ungoverned, and never-revoked.

How we ranked the top 5 attacks

Our research team at Astrix sat down to discuss the past year’s non-human identity attacks, and ranked the top 5 according to three key criteria: 

  • Impact: this criteria takes into consideration the severity of the consequences of the breach as well as the scale. How sensitive the data stolen, how many organizations were impacted and app downtime are all part of this criteria.
  • Cost of mitigation: this criteria takes into consideration what was the cost in man hours, cost of app downtime and other collateral expenses that the breach cost the victims. 
  • Ingenuity: this criteria is a little different than the previous ones, and looks at how novel or sophisticated the attack is. 

Now that we’re all on the same page, let’s get to the rankings.

Drum roll please… The top 5 non-human identity attacks of 2023

Number 5: Sumologic (Nov 2023)

What happened: Sumologic discovered that a compromised credential was used to access the company’s AWS account. They then rotated the exposed AWS credentials, locked down potentially affected infrastructure, and reported they didn’t detect access to customer’s data. Nonetheless, the company still suggested that customers rotate all Sumologic API access keys immediately – which brings us to why it is still in the top 5, although it wasn’t necessarily a successful breach.  

Why number 5: This incident wins the fifth place due to extremely high cost of mitigation. Sumologic’s initial response urged customers to rotate all 3rd-party credentials given to the company. Since a typical Sumologic environment involves integration with dozens of different platforms, each requiring different processes and credentials, rotating all of them is an insurmountable task for the average organization.

What we can learn from it: As evident from Sumologic’s reaction to this incident, even when a breach is theoretically contained, response efforts can still be extremely costly. This is because companies take very strong measures to protect even potentially-compromised access. Being able to continuously inventory non-human access and monitor behavior is crucial to minimizing mitigation costs and the potential impact of such incidents. 

Number 4: Microsoft SAS Key (September 2023)

What happened: A SAS token that was published by Microsoft’s AI researchers actually granted full access to the entire Storage account it was created on, leading to a leak of over 38TB of extremely sensitive information. These permissions were exposed to attackers for over 2 years.

Why number 4: This breach wins the fourth place due to very high impact. The SAS token exposed an Azure Storage account which contained very sensitive data, from Microsoft employee’s personal chats to internal documents and AI-related networks. The token also allowed write access, which could have enabled attackers to inject malicious content into files that are regularly accessed by unsuspecting users.

What we can learn from it: Even the largest companies are subject to secret leakage exploits. Even in cases where the secret is supposed to be public, extreme precaution should be taken to ensure that it is not exposed or exploited

Number 3: Okta (October 2023) 

What happened: Attackers used a stolen service account to access Okta’s support case management system. This allowed the attackers to view files uploaded by all Okta customers as part of their support cases. These files normally include personal information, details and, most importantly, credentials and session tokens.

Why number 3:  This attack really hits the mark on all three criteria. In terms of cost of mitigation, it’s not low at all. While upon detection Okta quickly remediated the vulnerable service account, it took them over a month to do so. Meanwhile, the attackers accessed sensitive data of many of Okta’s customers, who needed to figure out which credentials could have possibly been leaked and rotate them.

In the impact arena, this attack scores high. Extremely high-profile Okta customers were impacted in this breach, such as BeyondTrust, 1Password and Cloudflare.

And lastly, the attack also scores pretty high on ingenuity. As it turned out, the attackers managed to compromise an Okta employee’s machine, and since using the employee’s credentials would have exposed the attack quite quickly, the threat actors opted to search for other ways to elevate their permissions. This landed them on the service account’s credentials, which were saved locally on the machine.

What we can learn from it: Service accounts are an extremely common type of non-human access. They are also very lucrative for attackers since most if not all security measures that apply to user access (like MFA, SSO, CASB etc), don’t apply to service accounts. This means that security has to employ least-privilege permissions and dynamic monitoring when it comes to service accounts.

Number 2: CircleCI (January 2023) 

What happened: An employees’ computer that was compromised by malware, allowed threat actors to access and steal CircleCI session tokens, which allow the same access as the account owner even when the accounts are protected with MFA. Since the engineering employee had privileges to generate production access tokens as part of their regular duties, the threat actors were able to escalate privileges to access and exfiltrate data from customer environment variables, tokens, and keys – all without CircleCI’s knowledge.

Why number 2:  This breach was one of the most talked about supply chain attacks at the time, and for a good reason. In the cost arena, it scores very high. The reason is a bit technical but worth explaining: when installing CircleCI, it creates a different non-human access credential per monitored repository. Since neither CircleCI nor Github offer a designated place to monitor these types of accesses, customers affected by this breach had to manually go over repositories and rotate the relevant credentials. This task is so difficult that until this day we’re seeing active, compromised, CircleCI-related credentials in Github environments we monitor.

On the impact side, this breach also scores very high as a full-fledged supply chain attack. CircleCI is the biggest productivity tool for CICD, and since the access credentials that were compromised allowed access to customers’ environments, the attackers were able to reach their GitHub repositories that contain sensitive code, intellectual property, and secrets.

What we can learn from it: Supply chain attacks are one of the most prominent types of attacks, and remediating them is a difficult process since non-human identities aren’t easy to manage and secure. This is why it is crucial to have an automatic tool that can continuously inventory, monitor and analyze all non-human access, and allow security teams to both detect suspicious behavior and quickly find all the credentials that require rotation or removal. 

Unlucky Number 1: Microsoft365 Forged Access Token (July 2023) 

What happened: An inactive master signing key was stolen from a compromised Microsoft’s employee machine, and was used to sign and create valid email access tokens. These tokens were erroneously accepted by the Azure AD cloud system, and consequently by its Outlook Exchange server. This allowed the attackers access data of organizations who used Microsoft’s Azure Active Directory and Office 365 which includes email correspondence, files, chats, etc.

Why number 1: As you would expect from the first place, this breach hits the mark on all three parameters. In terms of cost of mitigation, it scores some solid points. Although Microsoft invalidated the signing key and the tokens that were generated using the stolen key couldn’t be used any more, affected customers still had to invest substantial resources to clear their environment from potential threats. This is because attackers could have potentially utilized their access to achieve hidden and persistent access, combined with the fact that Microsoft only kept partial activity logs.

On the impact side, the attack scores very high. Every single Microsoft customer could have been affected by this breach, and have their most sensitive data accessed by attackers. In this case, the main targets were government organizations across the US who had their emails stolen. Needless to say, this ranks amongst the highest impact in terms of the data stolen, as it could have affected every US citizen.

And lastly, when it comes to ingenuity, it scores the highest of all the breaches in this list. The threat actors in this attack were identified to be associated with the Storm-0558 group, which is actually known for its ingenuity – from phishing through OAuth apps, to token abuse and token generation. In this case, stealing and abusing such an important key is no small feat and requires vast knowledge in authentication methods, logging capabilities and API intricacies. 

What we can learn from it: The move from on-premises servers for authentication, email and storage to cloud-native solutions, has swept the world’s companies in droves. This includes even traditionally old-fashioned organizations, like government arms. However, as we all know by now, it doesn’t come without a risk. Having to essentially put your trust in the cloud suppliers to keep your data safe exposes companies and organizations to more attack vectors, and non-human access is becoming a favorite for threat actors. 

2024 is the year of non-human identity security 

Non-human access is the direct result of cloud adoption and automation – both welcomed trends contributing to growth and efficiency, and ones that should and will continue on in 2024 and beyond. However, these trends also brought organizations to a state where there are 10,000 non-human connections for every 1000 employees, most of them ungoverned – practically causing the attacks we covered here. 

For security to become an enabler of automation and agility, it is no longer enough to secure human access. The way we see it, a good new year resolution for 2024 would be a solid and structured approach for securing non-human identities and their access credentials, to ensure core systems and data are protected while the business reaps the benefits of connectivity and automation. 

Happy new year!  

Learn more

The Service Accounts Guide Part 2: Challenges, Compliance and Best Practices

The Service Accounts Guide Part 2: Challenges, Compliance and Best Practices

The Service Accounts Guide Part 1: Origin, Types, Pitfalls and Fixes

The Service Accounts Guide Part 1: Origin, Types, Pitfalls and Fixes

Detect and Rotate Exposed Secrets with Astrix

Detect and Rotate Exposed Secrets with Astrix