It is clear today that 2021 will go down in the annals of IT security as the year when organizations became aware of their inevitable dependence on open source and, more importantly, of the risks posed by unsupervised supply chains.

High-profile security incidents such as the SolarWinds, Kaseya, and Codecov breaches have shaken enterprises' confidence in the security practices of third-party service providers. Today corporations, open source projects, nonprofit foundations, and even governments are all trying to figure out how to improve the security of the global software supply chain.

While these efforts are more than welcome, for the moment there is hardly any straightforward way for organizations to improve on that front. On the other hand, a vulnerability that is widely acknowledged as one of the most common entry points for attackers remains largely unwatched: hardcoded credentials in source code.

In this article, we want to defend a simple fact: focusing on what you can control now can significantly improve your organization's security posture. You can and should start tackling hardcoded secrets now.

Hardcoded secrets have never been easier to find

On July 3, 2022, the CEO of crypto-currency giant Binance warned of a massive breach:

"Our threat intelligence detected 1 billion resident records for sale on the dark web, including name, address, national ID, mobile, police and medical records from one Asian country. Likely due to a bug in an Elastic Search deployment by a gov agency."

The bug? A fragment of source code containing the secret for a titanic database of personal information was allegedly copied and pasted onto a developer's blog on the Chinese CSDN network.

[Image: source code snippet copied to the CSDN blog, containing a critical secret that possibly caused a massive breach.]

Whether secrets have been left in code through malice or negligence, they are always a boon for attackers. All sorts of playbooks can be deployed upon finding leaked credentials, even the most innocuous-looking ones, such as a Twitter API key: from phishing to privilege escalation and data exfiltration.

Secrets (usernames and passwords, API tokens, encryption keys, etc.) are the most sought-after digital assets for cybercriminals, and they have never been easier to find: last year, we detected 6 million secrets pushed (mostly inadvertently) in commits on public GitHub, twice the number detected in 2020.

According to the latest Verizon DBIR (Data Breach Investigations Report), the "use of stolen credentials" is the most common way to breach web applications, with more than 80% of such breaches attributed to this attack vector. In comparison, "vulnerability exploitation" is directly responsible for less than 20% of the cases.

The tactic of using stolen credentials was particularly persistent in BWAA (Basic Web Application Attacks), which the DBIR team defined as an actor "directly" targeting exposed instances, such as web servers and email servers. They also referred to it as a "low-cost, high-pay-off strategy," which is attractive to a wide array of attackers.

Of course, here the term "stolen credentials" covers a variety of cases, most likely including phishing and user data bought on the dark web.
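The claim above is that secrets are pushed in commits and are trivial to find. The cheapest place to catch them is before the push: scan the added lines of a diff for known token formats, and for secret-looking variables assigned a high-entropy literal. The scanner below is an added example written for this page; it is not the article's code nor any GitGuardian tooling. The token regexes, the 3.0-bit entropy threshold, and the sample diff are assumptions constructed for the example (the AWS key is Amazon's documented placeholder value, the GitHub token is made up).

```python
"""Minimal hardcoded-secret scanner for git diffs (added example, not the article's code)."""
from __future__ import annotations

import math
import re
from collections import Counter

# Token formats with a recognisable public prefix. The regexes are written for
# this example (an assumption), loosely following the vendors' documented prefixes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Generic rule: a secret-looking variable assigned a quoted literal of 8+ chars.
ASSIGNMENT = re.compile(
    r"(?P<name>[\w.]*(?:secret|token|password|passwd|api_?key|private_key)[\w.]*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{8,})[\"']",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.0  # bits per character; value chosen for this example

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 16 distinct characters score exactly 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (rule, matched_value) pairs found on one line of source."""
    findings: list[tuple[str, str]] = []
    covered: set[str] = set()
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append((rule, m.group(0)))
            covered.add(m.group(0))
    for m in ASSIGNMENT.finditer(line):
        value = m.group("value")
        # Skip values a specific rule already reported, and low-entropy
        # placeholders such as "changeme" that are not real secrets.
        if value in covered or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue
        findings.append(("high_entropy_assignment", value))
    return findings


def scan_diff(diff_text: str) -> list[tuple[int, str, str]]:
    """Scan only added lines of a unified diff; returns (new_file_line, rule, value)."""
    findings: list[tuple[int, str, str]] = []
    new_lineno = 0
    for raw in diff_text.splitlines():
        header = HUNK_HEADER.match(raw)
        if header:
            new_lineno = int(header.group("start"))
            continue
        if raw.startswith(("diff ", "index ", "--- ", "+++ ", "\\ ")):
            continue  # file headers and "No newline" markers carry no source
        if raw.startswith("-"):
            continue  # removed lines never reach the new tree
        if raw.startswith("+"):
            for rule, value in scan_line(raw[1:]):
                findings.append((new_lineno, rule, value))
            new_lineno += 1
        elif raw.startswith(" ") or raw == "":
            new_lineno += 1  # context line occupies a new-file line too
    return findings


# Constructed sample diff (not from the article). Line 2 is a real-looking
# password, line 3 is Amazon's documented example key, line 4 a made-up token,
# line 5 a placeholder that should NOT be flagged.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "Xk9#mQ2vL8pZ4tR7"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
+admin_password = "changeme"
+API_URL = "https://api.example.com/v1"
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_diff(SAMPLE_DIFF):
        print(f"config.py:{lineno}: {rule}: {value[:6]}...")
```

Run it as a pre-commit hook over `git diff --cached` and fail the commit on any finding. The entropy gate is what keeps the generic rule usable: `admin_password = "changeme"` scores about 2.75 bits per character and is ignored, while the 16-character password scores 4.0 and is reported. Specific-format rules win over the generic one so a single token is not reported twice.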