June 17, 2021
Entry Type
Security Guidance
Threat Type
Vulnerability
Platform(s) Affected
Security Guidance
Vulnerability
Recommendation for Lookout Admins
Lookout administrators should be sure to leverage the granular Cloud Access Security Broker (CASB) access policies to prevent unauthorized logins and access to corporate infrastructure. These policies can be set up based user and device context such as the location they’re logging in from and whether the action is taking place from a managed or unmanaged device. Implementing these policies can protect corporate SaaS apps and the data with them from being accessed by malicious or unauthorized users.
Overview
In early June, Electronic Arts (EA) disclosed a data breach that resulted in hundreds of gigabytes of source code for various video games being stolen. Since then, it’s been discovered that the attackers gained access to EA’s infrastructure through stolen Slack cookies that contained login credentials belonging to employees. With those credentials, attackers were able to access certain Slack channels and pose as EA employees to the IT team to request a new MFA token and gain access to the organization’s infrastructure. The group behind the attack claims they were able to repeat this process on two occasions.
Lookout Analysis
Compromised user credentials are one of the biggest challenges for IT and security teams because an attacker can disguise themselves as a legitimate user and, as shown in this incident, pose as that user to IT to bypass security measures. Therefore, it’s so important to have context-based login and access policies that can observe and baseline user behavior to detect anomalous activity such as an abnormal login location or massive data exfiltration. In addition, cloud services are so heavily integrated that attackers can move laterally through the infrastructure until they find the most valuable data they can exfiltrate.
Recommendation for Lookout Admins
Lookout administrators should be sure to leverage the granular Cloud Access Security Broker (CASB) access policies to prevent unauthorized logins and access to corporate infrastructure. These policies can be set up based user and device context such as the location they’re logging in from and whether the action is taking place from a managed or unmanaged device. Implementing these policies can protect corporate SaaS apps and the data with them from being accessed by malicious or unauthorized users.
Subscribe to get the latest threat reports and insights
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Other Related Threats
September 15, 2023
Scattered Spider
Scattered Spider, aka UNC3944, was able to successfully target and gain access to the infrastructure of Caesars Entertainment in its latest campaign
September 19, 2023
CVE-2023-4863
September 18, 2023