
Now, after they read the manual, they learn that that access token can access the development environment of the HashiCorp Vault. Anybody not familiar with Vault? It's basically secrets management for developers and for cloud environments. It's kind of like LastPass from a development point of view. So you've got a Vault instance hosted inside of your environment; it's got access to all your secrets. That's what it does. And then with this access token, they find that they can access the Vault path of an application account without MFA. And now this one's red, because this is a superuser for this application account, it never expires, and they can do anything they want to that application.

While they were doing their recon with the credentials stolen through phishing, they find that there's a Google group, open to anybody in the company to join, that is the Google group for a service account that has admin privileges. So they just join their compromised employee account to this Google group and request a password reset. As soon as you join a Google group, you get all the emails from that Google group. So they say, "Hey, I forgot my password. Reset it." The email comes in, they reset the password. Now they've got access to a service account that doesn't have MFA.

When they did this, 3 days later, one of the people that was on that Google group said, "Hey, I got this email. Is that okay?" Because they did it on like a Friday evening, they had all week long with no detections, nobody realizing that that password had been reset and the account had been compromised.
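A detection check for the self-join-then-reset pattern described in the talk, as an added example that is not part of the talk or any vendor tooling. The event shape, field names, business hours and the mapping from groups to the service accounts they receive recovery mail for are all constructed for this illustration, not real Google Workspace audit-log output.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified audit-log shape; not real
# Google Workspace output. Times are ISO-8601 in local time.
EVENTS = [
    {"ts": "2024-03-08T18:05:00", "type": "GROUP_MEMBER_ADD",
     "actor": "j.doe@example.com", "member": "j.doe@example.com",
     "group": "svc-admin-owners@example.com"},
    {"ts": "2024-03-08T18:09:00", "type": "PASSWORD_RESET",
     "actor": "j.doe@example.com", "target": "svc-admin@example.com"},
    {"ts": "2024-03-11T09:00:00", "type": "GROUP_MEMBER_ADD",
     "actor": "it-admin@example.com", "member": "new.hire@example.com",
     "group": "svc-admin-owners@example.com"},
]

# Constructed mapping: which groups receive recovery mail for which
# privileged service accounts.
RECOVERY_GROUPS = {"svc-admin-owners@example.com": {"svc-admin@example.com"}}


def is_after_hours(t):
    """Weekend, or weekday outside 08:00-18:00 (assumed business hours)."""
    return t.weekday() >= 5 or not 8 <= t.hour < 18


def find_self_join_then_reset(events, recovery_groups, window=timedelta(days=7)):
    """Flag a user who adds themselves to a service account's recovery
    group and then resets that service account's password within `window`."""
    joins = {}  # (user, group) -> time the user joined
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "GROUP_MEMBER_ADD" and e["group"] in recovery_groups:
            if e["actor"] == e["member"]:  # self-join, not an admin adding someone
                joins[(e["member"], e["group"])] = t
        elif e["type"] == "PASSWORD_RESET":
            for (user, group), joined_at in joins.items():
                if (e["actor"] == user
                        and e["target"] in recovery_groups[group]
                        and timedelta(0) <= t - joined_at <= window):
                    alerts.append({
                        "user": user, "group": group, "target": e["target"],
                        "minutes_between": (t - joined_at).total_seconds() / 60,
                        "after_hours": is_after_hours(joined_at),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_self_join_then_reset(EVENTS, RECOVERY_GROUPS):
        print(a)
```

The Friday-evening join in the sample is flagged both for the join-then-reset sequence and for its after-hours timing, which is the gap the talk describes going unnoticed for days.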