Enterprise attack surface expansion has become a focal point for IT security teams. The relentless pursuit of securing every endpoint and countering new threats with the latest technology is not just costly; it's also unsustainable. Despite these efforts, breaches continue to occur, often through new or unorthodox attack vectors that bypass traditional perimeter defenses.
To illustrate this crisis, we’ve collected information on five breaches directly attributable to the expansion of the enterprise attack surface. These incidents serve as stark reminders of the limitations of the old normal approach in addressing the modern threat landscape.
T-Mobile: 37 million accounts compromised through API breach
One subplot of the greater enterprise attack surface expansion is the phenomenon of API sprawl. As larger organizations aim to facilitate seamless data exchanges with third parties, vendors, suppliers, and service providers, they construct core systems designed to expose data through APIs. However, as business needs evolve, new APIs are introduced while older ones often remain unmaintained or unsupervised, leading to an unmitigated sprawl.
T-Mobile's disclosure of the massive data leak lacked many details, but eventual reporting and analysis shed light on the incident. It was revealed that sensitive personally identifiable information (PII) was compromised, affecting around 37 million accounts. The leaked data included “basic customer information” according to the company, exposing details such as name, billing address, email, phone number, date of birth and business details like the number of phone lines attached to the account and what plans the customers were using.
While organizations may be slow to adopt solutions, there are of course ways to address API security challenges. A good first approach is zero-trust: securing APIs with authorization and authentication mechanisms.
By adopting these measures, even if an API goes unmaintained, the worst-case scenario is that the data will become inaccessible, rather than exposed to exploitation. More advanced approaches such as logging and monitoring can help detect and prevent abuse, such as unusual spikes in usage, for further protection.
MGM Resorts: $100 million lost through social engineering
We like to explain to organizations that every person within their environment, from employees to customers, are part of their attack surface and a potential target for cyber threats. Privileged users and VIPs are the key target of every wannabe attacker, as illustrated by the October 2023 attack on MGM Resorts.
Later analysis (and gloating blog posts from the attackers themselves) revealed the attack vector: the IT service desk. The attackers employed voice phishing (vishing) to impersonate MGM employees and manipulate the service desk personnel. They did extensive research on social media, including LinkedIn, to create a convincing impersonation to deceive and gain the trust of the helpdesk staff.
After being granted initial access from the service desk, they quickly established a foothold within MGM’s infrastructure, accessing critical systems like the MGM Okta instance and Azure tenant. This unauthorized access allowed them to escalate privileges, eventually attaining administrator rights. The attack which, according to MGM, cost around 100 million dollars, impacted the main website, online reservations systems, and in-casino services such as slot machines, card terminals and ATMs, leading to a near-complete operational shutdown.
While specific details of the attack remain undisclosed, enhancing identity and access management (IAM) protocols and implementing more secure verification processes for help desk staff could have mitigated the impact. The help desk is traditionally the team that can give out the “keys to the kingdom” if proper verification procedures are not in place (or not followed).
Sisense: Analytic dashboards as a gateway to breaches
Next up, we have a recent breach at business intelligence company Sisense. As KrebsOnSecurity writes, Sisense products enable companies to monitor multiple third-party online services on a single dashboard.
The severity of the breach prompted CISA, the US Cybersecurity and Infrastructure Security Agency, to initiate an investigation, advising all customers to reset any credentials and secrets shared with Sisense. The CISA-involvement was motivated by the fact that the breach impacts critical infrastructure sector organizations.
According to unverified information by Krebs, the breach may have originated from Sisense's self-hosted Gitlab code repository, which housed credentials for Amazon S3 storage. According to the reputable blog, “sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords and even SSL certificates.”
This third-party breach is a classic example of how trust works (or in this case, fails) in the modern SaaS era. The tokens and credentials shared with Sisense made the service provided by the company possible, surfacing and aggregating information for their customers.
However, access tokens, now in the hands of attackers, could be reused to authenticate as Sisense customers, potentially leading to follow-up attacks.
An even bigger issue is that there’s no immediate mitigation for the leaked secrets. Rotating passwords and invalidating access tokens is tedious manual work for most organizations, and not every service supports fully revoking these tokens.
The unfolding drama at Sisense knocks on hard truths: securing dev environments is both very hard and very critical. The codebase, the CI/CD pipeline and the build phase are the most vulnerable pieces of a software company infrastructure. A breach in these areas could lead to secret backdoors in the software, or like in this case, reveal secrets that lead to data leaks. Privileged access management (PAM) solutions offer crucial mitigation for attacks on developer accounts - protecting this access is crucial for any software company which hopes for a long and profitable existence.
X.com: Childish mistakes could lead to disaster
Let’s continue with another fresh story. X.com (formerly known as Twitter) made a significant change to their service as part of its rebranding campaign. The change involved replacing every occurrence of 'twitter.com' in posted links with the new domain 'x.com'. However, the implementation lacked checks to ensure that only relevant links were modified. This meant that not only were URLs pointing to ‘twitter.com’ rewritten, but any URL containing the ‘twitter.com’ string.
An illustration: a post linking to fedetwitter.com was unilaterally changed to fedex.com, netflitwitter.com would be changed to netflix.com – practically any domain ending in X would be subject to a potential spoofing attempt because of the botched implementation. The company eventually reversed the change, but not before security experts started to register the potential spoofing domains en masse to stave off attacks and deny the opportunity to phishers.
This is a great example that highlights how unilateral actions by independent service providers can also expose organizations to threats. And yes, social media and phishing should absolutely be considered part of the enterprise attack surface, with regular monitoring for changes like the one above. While this was not a breach in the traditional sense, it’s a clear violation of the trust we put into web services.
LastPass: The complete nightmare
Finally, the LastPass breach. This is going to be the textbook example of enterprise attack surface expansion. The reason: this attack combines all the horrors that keep a CISO up at night and rolls them into a single devastating attack. Let’s review the details: a LastPass engineer, working remotely from home on a personal computer, accessed the corporate network, thus exposing the whole infrastructure to attackers.
The attackers exploited a security vulnerability of a software installed on that home PC: Plex, a multimedia software, used to stream video or music across the home. Using this vulnerability, attackers managed to install a keylogger on the computer and steal the login credentials of the engineer.
Sure, a proper PAM solution could have solved this issue by safeguarding passwords against keyloggers and enforcing password resets (cycling) after use, but the broader implications are alarming.
This incident showcases the inadequacy of traditional methods for managing the expanding attack surface. Security organizations face insurmountable challenges in tracking and patching vulnerabilities across the myriad applications used by employees on their personal devices. And banning these devices from the corporate network is unfeasible: BYOD is a decade-old approach, retreating to corporate-issued and fully-controlled devices is just not possible for most organizations.
Conclusion
These breaches underscore the ever-evolving challenges facing modern cybersecurity efforts, particularly in the realm of enterprise attack surface expansion. From API sprawl to social engineering tactics and vulnerabilities in remote work environments, these stories highlight the critical need for organizations to adopt proactive and adaptive security measures. It's crucial for organizations to prioritize robust security strategies, including privileged access management and identity and access management, to mitigate risks and safeguard critical data.