RSA Conference 2023 USA (USA23), PART2-T09: Hacking the Cloud: Play-by-Play Attack on GitHub, Okta, and Salesforce

SESSION ID: PART2-T09

Hacking the Cloud: Play-by-Play Attack on GitHub, Okta, and Salesforce

#RSAC

Brian Vecci
Field CTO
Varonis Systems, Inc.

Disclaimer

Presentations are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the presenters individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™ or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented.

Attendees should note that sessions may be audio- or video-recorded and may be published in various media, including print, audio and video formats without further notice. The presentation template and any media capture are subject to copyright protection.

© 2023 RSA Conference LLC or its affiliates. The RSA Conference logo and other trademarks are proprietary. All rights reserved.

What you’ll see today

• How an attacker can:
  – Use basic recon
  – Exploit exposed secrets
  – Establish persistence
  – Pivot to a series of cloud applications
  – Access and exfiltrate protected data
• What’s needed to quickly detect and resolve similar incidents
What the attacker sees

• Scan for exposed tokens in GitHub
• Copy the user token discovered during the scan
• Get the account details associated with the token
• List role assignments
• Create a new backdoor user
• Assign Super Admin role to backdoor user
• Logon to Okta with backdoor user and change app assignments

What did we just see?

• Attacker found an open GitHub repo with secrets
• A dev was using their own credentials for an integration
• Attacker creates a new user in Okta
• Then assigns applications to that user using elevated permissions
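The entry point in the demo is a developer's own credential committed to an open repository. The following is an added example, not code from the deck or from Varonis: a small pre-commit style scanner that flags the kind of credential an integration config tends to leak. It combines known token shapes with a Shannon-entropy check on long quoted strings, so tokens whose format is not in the pattern list still surface. The regexes for AWS, GitHub and Okta (`SSWS` authorization header) tokens are the author's assumptions modelled on publicly documented formats, and the sample config is constructed.

```python
"""Added example (not from the RSAC deck): scan text for committed secrets.

Two complementary heuristics:
  * known token shapes (regexes, assumptions based on documented formats)
  * Shannon entropy of long quoted strings, which catches unknown formats
"""
import math
import re
from typing import Dict, List

# Known-shape patterns; labels are used in the report. These regexes are the
# author's assumptions about common token formats, not taken from the deck.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # Okta API tokens are presented as "Authorization: SSWS <token>"
    "okta_api_token_sws": re.compile(r"\bSSWS\s+[0-9A-Za-z_\-]{40,}\b"),
    # any assignment of a long value to something called key/secret/token/password
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}

ENTROPY_THRESHOLD = 4.0   # bits per character; tune for your code base
MIN_STRING_LEN = 20
QUOTED = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{%d,})['\"]" % MIN_STRING_LEN)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<input>") -> List[Dict]:
    """Return one finding per line that matches any heuristic, in line order."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kinds = set()
        for label, rx in PATTERNS.items():
            if rx.search(line):
                kinds.add(label)
        for m in QUOTED.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                kinds.add("high_entropy_string")
        if kinds:
            findings.append({"path": path, "line": lineno, "kinds": sorted(kinds)})
    return findings


def scan_file(path: str) -> List[Dict]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample: an integration config a developer might commit.
SAMPLE_CONFIG = """\
# constructed sample file: integration config a developer might commit
OKTA_ORG_URL = "https://example.okta.com"
OKTA_API_TOKEN = "00AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCd"
AUTH_HEADER = "SSWS 00AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCd"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
LOG_LEVEL = "info"
GREETING = "hello hello hello hello hello"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.py"):
        print(f"{f['path']}:{f['line']}: {', '.join(f['kinds'])}")
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the point of the entropy check is that the sample AWS key is caught only by its pattern, while the Okta token is caught by both the assignment pattern and its entropy, so neither heuristic alone is enough.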
Open all the apps to check access and start recon
Let’s use this access!
• Access files in Box
• No luck viewing accounts in Salesforce
• Use new rights to view private GitHub repos
• Validate missing entitlements to view accounts
• Use misconfigured rights to elevate permissions
• … It’s super effective!
• Accounts are now accessible
• Salesforce account data exfiltration
• Make S3 bucket public
• Download all the files from S3
• Steal AWS database contents
So how do you catch this?
• Combine multiple streams of metadata
• Identify exposures
• Validate the contents of the public repo
• An unexpected user was created via API
• Extremely powerful rights assigned to a new user
• Impersonation is afoot
• Dive into the events that triggered the alert
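Two of the alerts above, a user created via the API and extremely powerful rights assigned to that new user, can be derived from Okta's System Log alone. The following is an added example, not code from the deck or from Varonis' product: it replays System Log records in time order and correlates a `user.lifecycle.create` with a later `user.account.privilege.grant` to the same user inside a configurable window. Field names follow Okta's System Log schema (`eventType`, `published`, `actor`, `client.userAgent.rawUserAgent`, `target[]`) and the event type strings are the documented ones as far as the author knows; the records below are constructed, the role target shape and display name are assumptions, and treating a non-browser user agent as "created via API" is a heuristic rather than an Okta-defined field.

```python
"""Added example (not from the RSAC deck): correlate Okta System Log events
to flag a user created via the API and a privilege grant to a new user."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NEW_USER_WINDOW = timedelta(hours=24)   # how long a user counts as "new"

# Constructed actors and clients reused across the sample events.
DEV_ACTOR = {"id": "00u1DEV", "alternateId": "dev@example.com", "type": "User"}
API_CLIENT = {"userAgent": {"rawUserAgent": "python-requests/2.28.1"},
              "ipAddress": "203.0.113.10"}
BROWSER_CLIENT = {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
                  "ipAddress": "198.51.100.5"}

# Constructed sample events, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {   # an IT admin creates a new hire in the admin console (browser): benign
        "eventType": "user.lifecycle.create",
        "published": "2023-04-10T09:15:00.000Z",
        "actor": {"id": "00uADMIN", "alternateId": "it-admin@example.com", "type": "User"},
        "client": BROWSER_CLIENT,
        "target": [{"id": "00u5NORM", "type": "User", "alternateId": "new.hire@example.com"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # a developer's leaked API token is used to create a user from a script
        "eventType": "user.lifecycle.create",
        "published": "2023-04-10T14:02:11.000Z",
        "actor": DEV_ACTOR,
        "client": API_CLIENT,
        "target": [{"id": "00u9NEW", "type": "User", "alternateId": "svc-backup@example.com"}],
        "outcome": {"result": "SUCCESS"},
    },
    {   # minutes later the same token grants that user an admin role
        "eventType": "user.account.privilege.grant",
        "published": "2023-04-10T14:05:40.000Z",
        "actor": DEV_ACTOR,
        "client": API_CLIENT,
        "target": [
            {"id": "00u9NEW", "type": "User", "alternateId": "svc-backup@example.com"},
            # role target shape is an assumption; the display name is constructed
            {"id": "ROLE_SUPER_ADMIN", "type": "ROLE", "displayName": "Super Administrator"},
        ],
        "outcome": {"result": "SUCCESS"},
    },
]


def event_time(event: Dict) -> datetime:
    """Parse the System Log 'published' timestamp (UTC, millisecond precision)."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def looks_like_api_client(event: Dict) -> bool:
    """Heuristic assumption: admin-console actions arrive with a browser user agent."""
    ua = event.get("client", {}).get("userAgent", {}).get("rawUserAgent") or ""
    return not ua.startswith("Mozilla/")


def user_targets(event: Dict) -> List[Dict]:
    return [t for t in event.get("target", []) if t.get("type") == "User"]


def correlate(events: List[Dict]) -> List[Dict]:
    """Replay successful events in time order and emit alerts for both patterns."""
    alerts: List[Dict] = []
    created_at: Dict[str, datetime] = {}          # user id -> creation time
    for ev in sorted(events, key=event_time):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        kind = ev.get("eventType")
        actor = ev.get("actor", {}).get("alternateId")
        if kind == "user.lifecycle.create":
            for t in user_targets(ev):
                created_at[t["id"]] = event_time(ev)
                if looks_like_api_client(ev):
                    alerts.append({"rule": "user_created_via_api", "severity": "medium",
                                   "user": t.get("alternateId"), "actor": actor,
                                   "at": ev["published"]})
        elif kind == "user.account.privilege.grant":
            roles = [t.get("displayName") or t.get("id")
                     for t in ev.get("target", []) if t.get("type") == "ROLE"]
            for t in user_targets(ev):
                created = created_at.get(t["id"])
                if created is None:
                    continue
                age = event_time(ev) - created
                if age <= NEW_USER_WINDOW:
                    alerts.append({"rule": "privilege_granted_to_new_user", "severity": "high",
                                   "user": t.get("alternateId"), "actor": actor, "roles": roles,
                                   "minutes_since_creation": round(age.total_seconds() / 60, 1),
                                   "at": ev["published"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The second alert is the one worth paging on: a brand-new account receiving an admin role within minutes of creation, from the same credential that created it, is the persistence step of the demo. The creation-only alert is lower severity because legitimate provisioning integrations create users through the API all day; keying it on the actor being a human user's token rather than a dedicated service identity is the refinement a real rule would add.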
• Attacker checking access and performing recon
• Suspicious privilege escalation
• Investigate excessive object access
• Sensitive files in Salesforce were accessed
• The exfiltration didn’t end with Salesforce
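The last step of the demo, making an S3 bucket public and pulling its contents, leaves a management-event trail in CloudTrail. The following is an added example, not code from the deck or from Varonis: it checks CloudTrail records for the three ways a bucket is opened up (a public ACL grant, a bucket policy with a wildcard principal, and Block Public Access being weakened or removed). The event names and the `AllUsers`/`AuthenticatedUsers` grantee URIs are AWS' documented ones; the exact nesting of `requestParameters` varies between API calls, so the ACL check walks the structure rather than hard-coding a path. The records below are constructed sample data.

```python
"""Added example (not from the RSAC deck): flag CloudTrail S3 events that
make a bucket public or weaken its Block Public Access guardrail."""
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _walk(node: Any, key: Optional[str] = None) -> Iterator[Tuple[Optional[str], Any]]:
    """Yield (nearest dict key, scalar) for every leaf in a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v, key)
    else:
        yield key, node


def _principal_is_public(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_allows_public(policy: Any) -> bool:
    """True if any Allow statement has a wildcard principal and no Condition."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
               and not s.get("Condition") for s in stmts)


def check_record(rec: Dict) -> Optional[Dict]:
    """Return a finding for an S3 record that exposes a bucket, else None."""
    if rec.get("eventSource") != "s3.amazonaws.com":
        return None
    name = rec.get("eventName", "")
    params = rec.get("requestParameters") or {}
    base = {"bucket": params.get("bucketName"), "eventName": name,
            "who": rec.get("userIdentity", {}).get("arn"), "at": rec.get("eventTime")}
    if name in ("PutBucketAcl", "PutObjectAcl"):
        for k, v in _walk(params):
            if (k == "URI" and v in PUBLIC_GRANTEE_URIS) or (k == "x-amz-acl" and v in PUBLIC_CANNED_ACLS):
                return dict(base, finding="public_acl_grant", detail=v)
    elif name == "PutBucketPolicy":
        pol = params.get("bucketPolicy")
        if pol is not None and policy_allows_public(pol):
            return dict(base, finding="public_bucket_policy")
    elif name == "PutBucketPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        # a missing flag defaults to false on the S3 side, so treat it as disabled
        disabled = [f for f in PAB_FLAGS if str(cfg.get(f, "")).lower() != "true"]
        if disabled:
            return dict(base, finding="public_access_block_weakened", detail=disabled)
    elif name == "DeleteBucketPublicAccessBlock":
        return dict(base, finding="public_access_block_removed")
    return None


def scan_trail(records: List[Dict]) -> List[Dict]:
    return [f for f in (check_record(r) for r in records) if f]


ACTOR = {"arn": "arn:aws:iam::123456789012:user/svc-backup"}   # constructed
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed CloudTrail records, trimmed to the fields the checks use.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "eventTime": "2023-04-10T15:01:00Z",
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "customer-exports-example",
     "AccessControlPolicy": {"AccessControlList": {"Grant": [
         {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "eventTime": "2023-04-10T15:02:00Z",
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "customer-exports-example",
     "bucketPolicy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports-example/*"}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock", "eventTime": "2023-04-10T15:03:00Z",
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "customer-exports-example",
     "PublicAccessBlockConfiguration": {f: False for f in PAB_FLAGS}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "eventTime": "2023-04-10T15:04:00Z",   # benign
     "userIdentity": ACTOR, "requestParameters": {"bucketName": "internal-logs-example",
     "AccessControlPolicy": {"AccessControlList": {"Grant": [
         {"Grantee": {"xsi:type": "CanonicalUser", "ID": "constructed-canonical-id"}, "Permission": "FULL_CONTROL"}]}}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": ACTOR},   # not S3, ignored
]

if __name__ == "__main__":
    for f in scan_trail(SAMPLE_RECORDS):
        print(f)
```

Three findings on the same bucket from the same principal within a few minutes is exactly the sequence before a bulk download; correlating them with `GetObject` data events (which need to be enabled separately in CloudTrail) is what turns "bucket was made public" into "and this much left it".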

Summing up

• Minor misconfiguration issues can lead to disaster
• Lateral movement is different in the cloud
• Combine metadata from multiple sources to find risk

What to do in the next 6-12 months?

• Perform a risk assessment of configurations and API connections in SaaS, IaaS, PaaS
• Purple team your cloud environment
• Ensure compliance controls cover your cloud(s)

Thank you