WithSecure Identity Security in Action - How a Simple GitHub Leak Led to a Major Security Breach
An attacker exploited identity information found on GitHub to bypass security measures and gain access to a company's Azure portal. By identifying a misconfiguration in conditional access policies, they bypassed MFA and created a malicious application to access company emails. The attack was eventually detected and monitored by WithSecure Elements Identity Security, highlighting the critical role of identity security in protecting sensitive information and preventing breaches.
1. Initial Compromise and Scope Enumeration

The attacker discovers identity information embedded in a GitHub project. Using this information, they sign in via Resource Owner Password Credentials (ROPC) and receive a token. With the compromised credentials, the attacker enumerates available scopes and finds that they can read conditional access policies.

2. Exploitation of Misconfiguration

The attacker reads the conditional access policies and identifies a misconfiguration: the London office is excluded from Multi-Factor Authentication (MFA). By spoofing their IP address to appear as if they are in the London office, the attacker bypasses MFA. This allows them to sign into the Azure portal without additional authentication.

3. Persistence and Detection

In the Azure portal, the attacker creates a malicious application and grants it read access to company emails by adding a service principal to the application registration. This action secures persistent access to the company's email system. The attack chain is monitored in the Elements Security Center, where the initial ROPC sign-in triggers a broad context detection. Subsequent actions, such as the new app registration and adding a new service principal, are detected and detailed, including IP addresses and recommendations for remediation.
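The two conditions the chain above depends on, an MFA policy with a named-location exclusion and a successful ROPC sign-in, can be audited from the defender's side. This is an added example, not WithSecure's code; the record layout follows Microsoft Graph's conditionalAccessPolicy and signIn objects as an assumption, and all sample records are constructed.

```python
# Defender-side audit for the two preconditions of the attack chain.
# Field names assume the Microsoft Graph conditionalAccessPolicy and
# signIn schemas; sample data below is constructed, not exported.

MFA_CONTROL = "mfa"

POLICIES = [  # constructed sample policies
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["loc-london-office"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": []}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Old MFA policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["loc-london-office"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

SIGNINS = [  # constructed sample sign-in log records
    {"userPrincipalName": "svc-build@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "ropc", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-build@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}},
]


def mfa_location_exclusions(policies):
    """Enabled policies that require MFA but exempt named locations.
    Each exclusion is a place where a source-IP match alone removes MFA."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only or disabled policies do not enforce anything
        controls = p.get("grantControls", {}).get("builtInControls", [])
        if MFA_CONTROL not in controls:
            continue
        excluded = p.get("conditions", {}).get("locations", {}).get("excludeLocations", [])
        if excluded:
            findings.append((p["displayName"], sorted(excluded)))
    return findings


def successful_ropc_signins(signins):
    """(user, ip) for successful sign-ins that used the ROPC grant, where the
    password is sent directly and no interactive MFA prompt is possible."""
    return [(s["userPrincipalName"], s["ipAddress"]) for s in signins
            if s.get("authenticationProtocol") == "ropc"
            and s.get("status", {}).get("errorCode") == 0]
```

Run against a real export, both lists are the review queue: every MFA location exclusion should have a documented owner, and every successful ROPC sign-in should belong to a known, MFA-incapable workload.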