
5 Takeaways from Darknet Diaries – Explaining the Intricate Web of SaaS Security

Andrea Bailiff-Gush
Updated
August 27, 2024
November 14, 2024
7 min

If you pull up any list that compiles the most popular/best/must-listen cybersecurity podcasts, there is a near-100% chance "Darknet Diaries" will appear on it. If you aren't familiar, in each episode, the host, Jack Rhysider, dives into true stories about hacking, cybercrime, and the dark web. The guests range from threat hunters and intelligence agents to the hackers themselves, sharing details of their exploits, all compiled and told in ways that are captivating for technical and non-technical audiences. With hundreds of thousands of downloads per episode, this show is in an elite class of podcasts, and in the top 10 of technology podcasts, not just cybersecurity podcasts.

 

Clearly, we're big fans of the podcast. And the latest episode, #148, titled "Dubsnatch", turned out to be one of the best breakdowns of the complexity of monitoring SaaS applications and their security, and just how easily they can be compromised. However, this episode puts a twist on the concept, demonstrating it through the world of dubstep music and teens desperate to get new releases before anyone else heard them.

 

We wanted to highlight some of the takeaways from this episode because it demonstrates so many of the challenges we see businesses facing every day, with security teams trying to figure out how to secure these web-based applications. And if you haven't heard this episode yet, we highly recommend giving it a listen first.

 

(As a quick warning, there might be mild spoilers ahead from this point on, so read at your own risk.)

 

Takeaway #1: Access to others' data often doesn't require sophisticated hacking skills

So how did a bunch of dubstep-obsessed teens get into major recording artists' files to listen to music early? It wasn't by spending days, weeks, or months coding sophisticated zero-day attacks. Instead, it was through the most popular point of entry for all cyber attacks: stolen passwords.

 

After a few major breaches that ended with millions of people's usernames and passwords leaked onto the dark web, getting in is often a matter of finding out who has reused passwords across multiple services or used simple tricks to "change" the same core password across multiple services. (If you're starting to look around nervously because you're guilty of that, know that: a) you're not alone, and b) you really should go change all your passwords.)

 

Finding these types of lists isn't hard, either. The guest on the episode was able to access lists upon lists of major breaches through a subscription service on the dark web for about $20/month.

 

Takeaway #2: They use public information available to anyone

Not all of the valuable information the guest found was for sale on the dark web. Many times a trove of information is available on the public web for anyone to find and use for misdeeds. If the teens couldn't use stolen credentials to access an artist's files, they would start looking for collaborators, business managers, agents, and record label execs who would be sharing work-in-progress music across these web-based services. The teens would then search the leaked lists for the credentials of these people, who would need access to collaborate with artists, to see if anyone had reused passwords across many accounts/services (hint: they had).

 

And where did they find all this information about employment, associates, friends, and other connections to break into or learn about upcoming releases and other promotional information? LinkedIn, X (Twitter), and websites listing staff are all fair game when trying to research who would have high levels of access on these services, and they provide a font of knowledge for anyone.

 

Takeaway #3: Persistent threats aren't always "advanced"

Getting into an environment you're not supposed to be in is one thing, but staying there is quite another. The teens managed to manipulate the settings on storage services such as Dropbox so that parent folders were all shareable with links, and new burner accounts were added to the folders that were already widely available. Jack Rhysider did a great job of summarizing this:

 

They accessed Skrillex’s manager’s box.com account…and they saw these folders there and made the parent one shareable. What this means is that anyone with that link can now view the contents of that folder and all the subfolders without needing a username or password. So, now they don’t need to log back in to see what new files were uploaded. They could just use that shared link to get in there and view it without logging in at all.

 

On top of that, the manager had the ability to invite new collaborators. So, they just made a new e-mail account and invited themselves as collaborators, and then told the manager, hey, look, your account isn’t secure; you should change the password, which fixed the manager’s account so that no one else could use this same exploit to get in and no other hacker could get in the same way. This is a backdoor persistence into Skrillex’s whole media company. But it’s a backdoor in a way that I never thought would be a backdoor…If I say, oh, I have backdoor access to box.com, you’re thinking, oh, wow, you’ve got some malware planted and reverse HHS shell. Nope, just a shared link. Oh. Yeah, it gives you a totally different perspective of what a backdoor even is.

 

Takeaway #4: Keeping track of these types of access issues manually is impossible

Businesses have rushed to adopt SaaS applications and cloud services because of their immense collaboration possibilities. However, with all those logins and sharing, understanding who exactly has permissions to see what, let alone whether shared files had their access revoked after the project was completed, has quickly become impossible to oversee. This problem is true of any business SaaS application that requires logins and permissions, of course.

 

Without powerful tools that specialize in SaaS applications, their connections, access, permissions, usage, and configurations, these types of attacks will keep coming at a faster rate.

 

Takeaway #5: Ghost logins and connections can keep threat vectors open for years

At Reco we talk a lot about shadow IT: SaaS applications that have been connected into a business environment without the security and/or IT teams' knowledge. The same is true of shadow logins, which are logins from other accounts or services that are running without anyone knowing it. Jack Rhysider gives the example of a common tool, Zapier, and how these automation connections could pose security problems:

 

Let’s consider Zapier and how it can be used maliciously. Zapier is a tool that lets you automate things. So, if I get a new invoice in my email, I can automatically upload that invoice to Dropbox so that the accounting team can see it. Zapier can do that for you. But in order for that to work, it’s gotta have the ability to see your inbox and have the ability to view and upload things to your Dropbox.

 

So, to set it up, you need to give it permission to do that. Well, now, if a hacker gets into your Dropbox…and they wanted to maintain their access…and they could see that you hooked up Zapier to do automation…they can create their own fresh Zapier account that they control and connect it to your Dropbox. This could give them visibility into your Dropbox from Zapier. You wouldn’t even know they’re there, because to you, all you see is that Zapier has permission to view your files. But you set that up when you were setting up your invoice automation thing.

 

This is what I mean by a ghost login, someone who’s in your account who doesn’t even need a username or password to stay in. Change the password all you want. They’re still gonna stay connected to your stuff.

 

These types of connections and usage are critical to monitor, yet few businesses know they can do this, let alone that they should.
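The share-link, invited-collaborator and connected-app persistence described in Takeaways #3 and #5 all survive a password change, so a review after an account takeover has to enumerate them explicitly. The following is an added example, not code from the podcast, the original post, or Reco's product: it audits a constructed, vendor-neutral inventory export, and the field names, the `label.example` domain, the `automation-tool` app name and the exposure date are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample inventory in a hypothetical, vendor-neutral shape.
FOLDERS = [
    {"path": "/Releases", "link_access": "anyone"},
    {"path": "/Releases/2024", "link_access": "none"},
    {"path": "/Releases/2024/Masters", "link_access": "none"},
    {"path": "/ReleasesArchive", "link_access": "none"},
    {"path": "/Contracts", "link_access": "none"},
]
COLLABORATORS = [
    {"path": "/Releases", "email": "manager@label.example"},
    {"path": "/Releases", "email": "burner123@mail.example"},
]
APP_GRANTS = [
    {"app": "automation-tool", "granted_at": "2023-05-02T09:00:00"},
    {"app": "automation-tool", "granted_at": "2024-03-10T23:41:00"},
]

def audit_surviving_access(folders, collaborators, app_grants, org_domain, exposed_since):
    """List access that stays valid after the account password is changed."""
    findings = []
    since = datetime.fromisoformat(exposed_since)
    # 1. A public link on a parent folder exposes every subfolder beneath it.
    open_roots = [f["path"].rstrip("/") for f in folders if f["link_access"] == "anyone"]
    for f in folders:
        for root in open_roots:
            if f["path"] == root or f["path"].startswith(root + "/"):
                findings.append(("open_link", f["path"], f"no login needed via {root}"))
                break
    # 2. Invited collaborators keep access independently of the owner's password.
    for c in collaborators:
        if c["email"].rsplit("@", 1)[-1].lower() != org_domain:
            findings.append(("external_collaborator", c["path"], c["email"]))
    # 3. App connections: flag repeat grants of one app and grants made while exposed.
    seen = set()
    for g in sorted(app_grants, key=lambda g: g["granted_at"]):
        reasons = []
        if g["app"] in seen:
            reasons.append("second grant for an already connected app")
        if datetime.fromisoformat(g["granted_at"]) >= since:
            reasons.append("granted during exposure window")
        seen.add(g["app"])
        if reasons:
            findings.append(("app_grant", g["app"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in audit_surviving_access(FOLDERS, COLLABORATORS, APP_GRANTS,
                                          "label.example", "2024-03-01T00:00:00"):
        print(finding)
```

Note that the two subfolders are reported even though their own link setting is "none", while `/ReleasesArchive` is not, because exposure is inherited only along the folder path.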

 

Conclusion: web-based attacks are here to stay, so we need to protect ourselves

Believe it or not, these takeaways only scratch the surface of the entire episode. But one thing is clear: you don't have to be an advanced hacker with coding experience to complete the entire attack kill chain.

  1. Reconnaissance: Researching dubstep artists, their managers, associates, and what kinds of services they were using. All of this information was available via public sites such as Google, LinkedIn, Twitter (X), etc.
  2. Access: Purchasing lists of previous breaches off the dark web (often these are available for free), seeing if any of the people researched in the previous step had reused passwords, and attempting logins with those stolen credentials.
  3. Lateral Movement: Searching through these cloud-based directories and SaaS applications such as Dropbox, looking at file structures, seeing where they can go and what they have access to within that service, escalating privileges and creating shared links that don't require logins.
  4. Persistence: Creating more burner logins in the systems and share links that don't require any logins, turning off notifications for users of new logins, and even ghost accounts from other connected applications that don't look like any human logins.
  5. Exfiltration: Taking files and data out from these services for your own personal use. 

 

Many modern attacks contain at least one thing in common with the attacks described in the episode. Many hackers use these "less sophisticated" methods because they work. People reuse passwords, grant higher permissions to services to reduce friction and move faster, don't turn on MFA for logins, and don't monitor these applications' connections, either. These are all critical attack vectors that often end in breaches.

 

By implementing and requiring good security practices and culture (unique passwords, MFA, training on good SaaS habits, etc.), companies can protect themselves immediately. Just as important, however, is the need to implement a SaaS security solution that can continuously monitor for these connections, usages, data exfiltrations, unusual behaviors, configurations, best practices, over-permissioned users, ghost logins, shadow IT, and more.

SaaS ecosystems are complex and growing more and more so every day. Reco can help continuously monitor and resolve potential threats in this environment to protect yours. Let's take a look at each of these steps:

 

Access: Reco monitors access to all SaaS applications connected to your environment and alerts administrators when new admin users, overprivileged users, ghost logins, and former users whose credentials haven't been wiped are signing in. The platform triages these alerts for the highest priority/riskiest accesses and gives actionable suggestions on how to resolve these issues.

 

Lateral Movement: Reco alerts and triages if there is unusual activity from users, sudden escalated privileges to admin accounts, and any other types of lateral movement threat actors perform when they gain access to a SaaS application.

 

Persistence: Reco finds and alerts if access to SaaS applications becomes less secure, such as turning off MFA, removing login notifications, ghost accounts, changing security configurations, and more. These steps are what threat actors use to stay in an environment after access, and their goal is to hide their activities and go unnoticed. Reco notices.

 

Exfiltration: If large files are suddenly moving out of your environment suspiciously, Reco can take action to stop this and give security teams time to find out how and why this is happening.

 

Threat actors know that SaaS environments are complicated webs of interconnected dependencies and that managing these types of access and activities manually is impossible. With Reco, though, this web not only becomes manageable, but secure. You can request a demo to learn more.

ABOUT THE AUTHOR

Andrea Bailiff-Gush

Andrea is the Head of Marketing of Reco, responsible for driving demand and growth in SaaS security. Andrea is a cyber security veteran, having supported various security companies across various growth milestones, from Seed round to acquisition. She is passionate about growing businesses and teams to drive profitable outcomes and better well-being for CISOs and security practitioners.

Technical Review by:
Gal Nakash