Hacking The Cloud Play by Play: Attack On GitHub, Okta, and Salesforce
2023 USA23 PART2 T09 01
Brian Vecci
Field CTO
Varonis Systems, Inc.
#RSAC
Disclaimer
Presentations are intended for educational purposes only and do not replace independent professional
judgment. Statements of fact and opinions expressed are those of the presenters individually and,
unless expressly stated to the contrary, are not the opinion or position of RSA Conference™ or any other
co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the
content, accuracy or completeness of the information presented.
Attendees should note that sessions may be audio- or video-recorded and may be published in various
media, including print, audio and video formats without further notice. The presentation template and
any media capture are subject to copyright protection.
© 2023 RSA Conference LLC or its affiliates. The RSA Conference logo and other trademarks are proprietary. All rights reserved.
What the attacker sees
Scan for exposed tokens in GitHub
Copy the user token discovered during the scan
Get the account details associated with the token
List role assignments
Create a new backdoor user
Assign Super Admin role to backdoor user
Log on to Okta with the backdoor user and change app assignments
Access files in Box
No luck viewing accounts in Salesforce
Use new rights to view private GitHub repos
Validate missing entitlements to view accounts
Use misconfigured rights to elevate permissions
… It’s super effective!
Accounts are now accessible
Salesforce account data exfiltration
Make S3 bucket public
Download all the files from S3
Steal AWS database contents
So how do you catch this?
Combine multiple streams of metadata
Identify exposures
Validate the contents of the public repo
An unexpected user was created via API
Extremely powerful rights assigned to a new user
Impersonation is afoot
Dive into the events that triggered the alert
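An added example of the correlation described above (not code from the talk or from Varonis): constructed, simplified events loosely modelled on Okta System Log fields (the field names, role names, client strings and the one-hour window are assumptions), flagging a user created through an API client and granted a high-risk admin role shortly afterwards.

```python
"""Correlate identity-log events to flag a 'backdoor admin' pattern (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample events; field names only loosely resemble Okta System Log fields (assumption).
EVENTS = [
    {"ts": "2023-04-26T10:00:05Z", "eventType": "user.session.start", "actor": "alice@example.com",
     "client": "Mozilla/5.0", "target": None, "role": None},
    {"ts": "2023-04-26T10:03:12Z", "eventType": "user.lifecycle.create", "actor": "alice@example.com",
     "client": "okta-sdk-python", "target": "svc-backup@example.com", "role": None},
    {"ts": "2023-04-26T10:03:40Z", "eventType": "user.account.privilege.grant", "actor": "alice@example.com",
     "client": "okta-sdk-python", "target": "svc-backup@example.com", "role": "Super Administrator"},
    {"ts": "2023-04-26T11:30:00Z", "eventType": "user.lifecycle.create", "actor": "hr-provisioner",
     "client": "SCIM", "target": "newhire@example.com", "role": None},
]

HIGH_RISK_ROLES = {"Super Administrator", "Organization Administrator"}  # assumed role labels
BROWSER_MARKERS = ("Mozilla/",)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_api_client(client):
    # Anything that does not look like a browser user agent is treated as API/token-driven.
    return not client.startswith(BROWSER_MARKERS)


def find_backdoor_admins(events, window=timedelta(hours=1)):
    """Return (new_user, creator, role) for users created via an API client and
    granted a high-risk role within `window` of their creation."""
    created = {}  # new user -> (creator, creation time)
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        if ev["eventType"] == "user.lifecycle.create" and is_api_client(ev["client"]):
            created[ev["target"]] = (ev["actor"], _ts(ev["ts"]))
        elif ev["eventType"] == "user.account.privilege.grant" and ev["role"] in HIGH_RISK_ROLES:
            info = created.get(ev["target"])
            if info and _ts(ev["ts"]) - info[1] <= window:
                hits.append((ev["target"], info[0], ev["role"]))
    return hits


if __name__ == "__main__":
    for user, creator, role in find_backdoor_admins(EVENTS):
        print(f"ALERT: {user} created via API by {creator} and granted {role} shortly after")
```

The routine-provisioning create (SCIM, no role grant) does not fire, which is the kind of noise this correlation is meant to suppress.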
Attacker checking access and performing recon
Suspicious privilege escalation
Investigate excessive object access
Sensitive files in Salesforce were accessed
The exfiltration didn’t end with Salesforce
Summing up
Thank you