How I Accessed Microsoft’s ServiceNow — Exposing ALL Microsoft Employee emails, Chat Support Transcripts & Attachments

Moblig posted his step by step process to identify an exposed account and use it to expose sensitive information. That post can be found HERE.

Why care? It is interesting to see that all of the common defenses pointed out in that post already exist to prevent this from happening. Key points I took away are the following:

  • Security best practices such as enforcing MFA and having an EDR installed dramatically reduce the risk of this attack. Knowing this, the attacker is looking for personal devices that don’t have security best practices enforced.
  • Recon tools such as WhiteIntel help attackers weed through the noise and find an organization’s weakest link … aka somebody with a personal device that has access to sensitive resources.
  • Associations can be the weakest link. In this example, they searched for Microsoft and found nothing, but searching for service-now turned up an association to what they were looking for.
  • One account was found … and that one failure led to exposing a bunch of data.

This post also shows the timeline of the attack and when it was disclosed to the bug bounty program. Lastly, I believe this is a great example that reinforces what we all continue to hear: attackers don’t break in … they log in.
