As counterintuitive and unsettling as it may be to hear, the most devastating breaches rarely involve zero-days or nation-state attackers using novel techniques. When examining recent high-profile incidents, a simpler, more troubling pattern tends to emerge.
While skilled adversaries were often involved, their entry methods weren't novel. They exploited the same basic weaknesses that have plagued security for years: exposed credentials, overprivileged accounts, and misplaced trust relationships.
And in the cases we'll highlight below, they weren't targeting user identities as the inroad – they went after the non-human access paths woven into modern IT infrastructure.
Today's enterprises are increasingly driven by workload-to-workload interactions: Applications call APIs. Software pipelines deploy code. Services exchange data. All of it is driven by non-human identities, which are tied to credentials that are often:
- Long-lived and rarely rotated.
- Hardcoded in repositories or config files.
- Hard to monitor with conventional security tools.
Security teams have spent the past decade-plus tightening controls for human users: enforcing MFA and SSO, reducing privilege, and monitoring for anomalies. But workloads and AI agents have largely been left behind. And attackers know it.
Many enterprise teams are doing their best with what has been available: secrets managers to store credentials, rotation schedules to reduce risk, and scripts to wire it all together. But storing a credential isn't the same as securing an identity. Legacy tools weren't designed to provide scale, enforce policy, or provide runtime assurance — and they often fall short in dynamic, distributed environments.
Let's briefly examine 5 real-world breaches – all different in scope and target, but united by a shared failure: poor control over how non-human identities authenticate to and access systems. We'll also share lessons learned and how the Aembit Workload IAM Platform can help.
1) BeyondTrust: API Key + CVE = Privilege Escalation
In December 2024, BeyondTrust discovered anomalous behavior in its Remote Support SaaS environment. An API key had been compromised — one that allowed password resets for local application accounts. But that was only the beginning.
Attackers paired the static, overprivileged credential with a critical command injection vulnerability (CVE-2024-12356, CVSS 9.8). The result: unauthenticated remote code execution and privilege escalation across systems. While the breach affected a limited set of customers, it served as a clear example of how a single, unmonitored credential can become the pivot point for a deeper compromise.