In a Thursday update to the stolen GitHub integration OAuth tokens case reported last month, Salesforce-owned Heroku said the company’s investigation found that the same compromised token used in April’s attack was used to gain access to a database and exfiltrate the hashed and salted passwords of customer user accounts.

Heroku said in a blog post that the original attack started on April 7 and that by April 9 the attacker had downloaded a subset of Heroku’s private GitHub repositories from GitHub, which contained some Heroku source code. The researchers said GitHub identified the activity on April 12 and notified Salesforce on April 13, when Heroku started its investigation. By April 16, Heroku had revoked all GitHub integration OAuth tokens, which prevented customers from deploying apps on GitHub via the Heroku Dashboard.

Given the most recent database compromise, Salesforce has ensured that all Heroku user passwords are reset and that potentially affected credentials are refreshed. “We have rotated internal Heroku credentials and put additional detections in place,” said the researchers, who added that they are “continuing to investigate the source of the token compromise.”

Credential management of the OAuth tokens was a big driver in this attack, and it is coincidentally a part of the security recommendations from both GitHub and Heroku, said Corey O’Connor, director of products at DoControl. O’Connor said that, in regard to the supply chain attack itself and beyond credential management, it would help to have better visibility across OAuth applications to understand which applications are installed, including all sanctioned and unsanctioned apps.

“Event correlation, and extracting the business context of all activity, helps determine what is normal versus what presents risk,” O’Connor said. “Security teams also need to leverage that context and implement automated remediation to help aid in the prevention of unauthorized access to critical systems and applications.”

Craig Lurey, co-founder and CTO at Keeper Security, said the breach stands as the latest in a series of high-profile incidents related to malicious actors stealing infrastructure secrets: machine-to-machine credentials that give one system access to another one. Examples: the password for a database or an API certificate.

“The good news is that there’s a solution, secrets management that stores those credentials in a secure vault,” Lurey said. “The system does not have the credentials; they are retrieved at runtime, and are not long-standing on the systems. The system can confirm the requester is authenticated and is at a specific IP address. This makes it much more difficult for a malicious actor - or an insider threat - to steal a credential. When it comes to user log-ins, we always recommend a vault with unique passwords, and a second factor for any critical accounts.”

Casey Bisson, head of product and developer relations at BluBracket, said the Heroku breach disclosed on April 13, which resulted in theft of both OAuth tokens and the client secrets necessary to use them, was very serious. Bisson said the nature of that breach means attackers had access to multiple classes of information stored in different locations, so it is not surprising that the scope has grown as Heroku’s investigation continues.

“Heroku’s communication has been regular and transparent,” Bisson said. “The messaging and actions prioritize customer security and don’t gloss over the unknowns.”
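The two points O’Connor raises above, an inventory of installed OAuth apps checked against a sanctioned list, and event correlation against a per-app baseline to separate normal token use from risky use, can be sketched in a few dozen lines. The code below is an added example written for this article; it is not tooling from Heroku, GitHub or DoControl. Every app name, client id, scope, IP address and log event is constructed sample data, and the sanctioned list and baselines are assumptions a team would replace with its own.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OAuthApp:
    client_id: str
    name: str
    scopes: tuple
    installed_by: str


@dataclass(frozen=True)
class Baseline:
    """Assumed 'normal' profile for one integration."""
    actions: frozenset       # actions the app routinely performs
    networks: tuple          # source ranges it is expected to call from
    max_repos_per_hour: int  # distinct repos touched before we call it bulk access


# Constructed sample inventory: three installed apps, two of them approved.
INSTALLED = (
    OAuthApp("app-ci-001", "Example CI Deployer", ("repo", "workflow"), "alice"),
    OAuthApp("app-pm-002", "Example Project Board", ("read:org",), "bob"),
    OAuthApp("app-xx-003", "Unknown Helper Bot", ("repo", "admin:org"), "carol"),
)
SANCTIONED = frozenset({"app-ci-001", "app-pm-002"})    # assumed approval list
RISKY_SCOPES = frozenset({"admin:org", "delete_repo"})  # assumed high-impact scopes


def find_unsanctioned(apps=INSTALLED, sanctioned=SANCTIONED):
    """Visibility check: installed apps that were never approved."""
    return [a.client_id for a in apps if a.client_id not in sanctioned]


def find_overprivileged(apps=INSTALLED, risky=RISKY_SCOPES):
    """Visibility check: apps holding scopes with a broad blast radius."""
    return [a.client_id for a in apps if risky & set(a.scopes)]


# Constructed baseline: the CI deployer normally reads one repo and fires deploy
# hooks from a single known network, and never touches more than 5 repos an hour.
BASELINES = {
    "app-ci-001": Baseline(frozenset({"deploy_hook", "read_repo"}),
                           (ip_network("198.51.100.0/24"),), 5),
}

# Constructed token-usage events: (hour, client_id, action, repo, source_ip).
# Hour 9 is routine; in hour 10 the same token starts cloning many repos from an
# address outside the baseline network, and an unbaselined app shows up too.
EVENTS = [
    (9, "app-ci-001", "read_repo", "web-frontend", "198.51.100.7"),
    (9, "app-ci-001", "deploy_hook", "web-frontend", "198.51.100.7"),
] + [
    (10, "app-ci-001", "clone_repo", repo, "203.0.113.45")
    for repo in ("internal-billing", "internal-auth", "infra-terraform",
                 "mobile-app", "data-pipeline", "secrets-rotation")
] + [
    (10, "app-xx-003", "read_org", "-", "203.0.113.45"),
]


def correlate(events=EVENTS, baselines=BASELINES):
    """Compare each token use with its app's baseline; return deduplicated findings."""
    findings, seen = [], set()
    repos_by_app_hour = defaultdict(set)

    def note(key, message):
        if key not in seen:          # one finding per (app, kind, detail)
            seen.add(key)
            findings.append((key[0], message))

    for hour, cid, action, repo, src in events:
        base = baselines.get(cid)
        if base is None:
            note((cid, "no-baseline"), "no baseline for app")
            continue
        if action not in base.actions:
            note((cid, "action", action), f"unusual action {action}")
        if not any(ip_address(src) in net for net in base.networks):
            note((cid, "source", src), f"unexpected source {src}")
        repos = repos_by_app_hour[(cid, hour)]
        repos.add(repo)
        if len(repos) > base.max_repos_per_hour:
            note((cid, "bulk", hour),
                 f"bulk access: {len(repos)} distinct repos in hour {hour} "
                 f"(limit {base.max_repos_per_hour})")
    return findings


if __name__ == "__main__":
    print("unsanctioned:", find_unsanctioned())
    print("over-privileged:", find_overprivileged())
    for cid, msg in correlate():
        print(f"{cid}: {msg}")
```

The inventory checks answer O’Connor’s “which applications are installed” question; the correlation turns a stream of individually unremarkable API calls into four findings, including the bulk repository access pattern that the baseline says this integration never performs. Real deployments would feed the findings into an automated response (token revocation, app suspension) rather than printing them.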
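Lurey’s description of secrets management, a vault that hands out credentials at runtime only to an authenticated requester at a permitted address, so that nothing long-standing sits on the application host, is shown below as an added example. It is illustrative code written for this article, not Keeper Security’s product or any real vault API; the requester token, network range and database password are constructed sample values, and the lease length is an assumption.

```python
import hashlib
import hmac
import time
from ipaddress import ip_address, ip_network


class VaultError(Exception):
    """Raised when a runtime secret request is refused."""


class SecretsVault:
    """Minimal vault: secrets live here and are handed out per request, with a lease."""

    def __init__(self, lease_seconds=300):
        self._secrets = {}      # name -> current value
        self._policies = {}     # name -> (allowed requester ids, allowed networks)
        self._requesters = {}   # requester id -> sha256 of its auth token
        self.lease_seconds = lease_seconds
        self.audit = []         # (secret name, requester, source_ip, outcome)

    def register_requester(self, requester_id, token):
        self._requesters[requester_id] = hashlib.sha256(token.encode()).digest()

    def store(self, name, value, allowed_requesters, allowed_networks):
        self._secrets[name] = value
        self._policies[name] = (frozenset(allowed_requesters),
                                tuple(ip_network(n) for n in allowed_networks))

    def rotate(self, name, new_value):
        """Replace the value centrally; nothing on client hosts needs editing."""
        self._secrets[name] = new_value

    def fetch(self, name, requester_id, token, source_ip, now=None):
        """Authenticate the requester, check its source address, then lease the secret."""
        now = time.time() if now is None else now

        def refuse(reason):
            self.audit.append((name, requester_id, source_ip, f"denied: {reason}"))
            raise VaultError(reason)

        expected = self._requesters.get(requester_id)
        presented = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, presented):
            refuse("requester not authenticated")
        if name not in self._secrets:
            refuse("unknown secret")
        allowed, networks = self._policies[name]
        if requester_id not in allowed:
            refuse("requester not authorised for this secret")
        if not any(ip_address(source_ip) in net for net in networks):
            refuse("source address not permitted")
        self.audit.append((name, requester_id, source_ip, "granted"))
        return self._secrets[name], now + self.lease_seconds


# Anti-pattern the quote warns about: a long-standing credential on the app host
# (constructed file content, shown only for contrast; never written anywhere here).
LEGACY_CONFIG = "DB_PASSWORD=static-password-on-disk\n"


def build_vault():
    """Constructed setup: one database password, one authorised service."""
    vault = SecretsVault(lease_seconds=300)
    vault.register_requester("billing-api", "tok-billing-7f3a")   # constructed token
    vault.store("prod-db-password", "s3cr3t-initial",
                allowed_requesters={"billing-api"},
                allowed_networks=["10.20.0.0/16"])             # constructed range
    return vault


def try_fetch(vault, name, requester_id, token, source_ip, now=0.0):
    """Wrap fetch so callers get ('granted', value, expiry) or ('denied', reason)."""
    try:
        value, expires_at = vault.fetch(name, requester_id, token, source_ip, now)
        return ("granted", value, expires_at)
    except VaultError as err:
        return ("denied", str(err))


def connect_via_vault(vault, requester_id, token, source_ip, now=0.0):
    """Runtime path: fetch the password, build the DSN in memory, keep the lease expiry."""
    password, expires_at = vault.fetch("prod-db-password", requester_id, token, source_ip, now)
    return {"dsn": f"postgresql://app:{password}@db.internal:5432/billing",
            "lease_expires_at": expires_at}


if __name__ == "__main__":
    v = build_vault()
    print(connect_via_vault(v, "billing-api", "tok-billing-7f3a", "10.20.3.4"))
    print(try_fetch(v, "prod-db-password", "billing-api", "wrong-token", "10.20.3.4"))
    print(try_fetch(v, "prod-db-password", "billing-api", "tok-billing-7f3a", "203.0.113.9"))
    v.rotate("prod-db-password", "s3cr3t-rotated")
    print(try_fetch(v, "prod-db-password", "billing-api", "tok-billing-7f3a", "10.20.3.4"))
    for entry in v.audit:
        print(entry)
```

The requesting service holds only its own identity token and a short lease; the database password is never written to its filesystem, a request from outside the permitted range is refused even with a valid token, and rotation happens in one place. The audit list is the trail a security team would correlate, as O’Connor describes, to spot credentials being requested from somewhere they should not be.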