June 17, 2021

EA Games Credentials Leaked via Slack Cookies

Entry Type: Security Guidance
Threat Type: Vulnerability

Recommendation for Lookout Admins

Lookout administrators should use the granular Cloud Access Security Broker (CASB) access policies to prevent unauthorized logins and access to corporate infrastructure. These policies can be set up based on user and device context, such as the location the user is logging in from and whether the action is taking place from a managed or unmanaged device. Implementing these policies can protect corporate SaaS apps and the data within them from being accessed by malicious or unauthorized users.

Overview

In early June, Electronic Arts (EA) disclosed a data breach that resulted in hundreds of gigabytes of source code for various video games being stolen. Since then, it’s been discovered that the attackers gained access to EA’s infrastructure through stolen Slack cookies that contained login credentials belonging to employees. With those credentials, attackers were able to access certain Slack channels and pose as EA employees to the IT team to request a new MFA token and gain access to the organization’s infrastructure. The group behind the attack claims they were able to repeat this process on two occasions.

Lookout Analysis

Compromised user credentials are one of the biggest challenges for IT and security teams because an attacker can disguise themselves as a legitimate user and, as shown in this incident, pose as that user to IT to bypass security measures. It is therefore important to have context-based login and access policies that observe and baseline user behavior to detect anomalous activity such as an abnormal login location or massive data exfiltration. In addition, cloud services are so heavily integrated that attackers can move laterally through the infrastructure until they find the most valuable data they can exfiltrate.
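The context checks described above, as an added Python example (not Lookout's CASB policy engine or configuration): it flags a session whose location or device state no longer matches the login that created it, and a session whose download volume far exceeds the user's baseline. The event field names, the baseline values and the `volume_factor` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events, not real logs. All field names are hypothetical.
EVENTS = [
    {"user": "alice", "session": "s1", "action": "login",    "country": "US", "managed": True,  "mb": 0},
    {"user": "alice", "session": "s1", "action": "download", "country": "US", "managed": True,  "mb": 40},
    {"user": "bob",   "session": "s2", "action": "login",    "country": "US", "managed": True,  "mb": 0},
    {"user": "bob",   "session": "s2", "action": "message",  "country": "RO", "managed": False, "mb": 0},
    {"user": "bob",   "session": "s2", "action": "download", "country": "RO", "managed": False, "mb": 9000},
]
# Assumed per-user baseline: typical MB downloaded per session.
BASELINE_MB = {"alice": 50, "bob": 60}

def evaluate(events, baseline_mb, volume_factor=10):
    """Return a list of (event_index, user, reason) findings."""
    origin = {}                 # session id -> (country, managed) at login
    moved = defaultdict(float)  # session id -> cumulative MB downloaded
    flagged = set()             # (session id, reason) already reported
    findings = []

    def report(i, e, reason):
        key = (e["session"], reason)
        if key not in flagged:  # report each reason once per session
            flagged.add(key)
            findings.append((i, e["user"], reason))

    for i, e in enumerate(events):
        ctx = (e["country"], e["managed"])
        if e["action"] == "login":
            origin[e["session"]] = ctx
            if not e["managed"]:
                report(i, e, "login from unmanaged device")
            continue
        # A replayed session cookie keeps its id but not its context.
        # A session with no observed login is flagged here as well.
        if origin.get(e["session"]) != ctx:
            report(i, e, "session context differs from login")
        moved[e["session"]] += e["mb"]
        # Users without a baseline get a limit of 0, so any download is flagged.
        limit = volume_factor * baseline_mb.get(e["user"], 0)
        if moved[e["session"]] > limit:
            report(i, e, "download volume far above baseline")
    return findings

if __name__ == "__main__":
    for finding in evaluate(EVENTS, BASELINE_MB):
        print(finding)
```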
