
Cyber Attack Uncovered: How Phishing Led to Data Center Breach #shorts

BSides Frankfurt · 1:39 · Published 2026-04
About this talk
Attackers stole a sales employee's identity via SMS phishing, gaining an access token. They then used a GitHub token to clone private repos and exploited a Google Group for admin privileges on a production Vault instance, ultimately obtaining an AWS key capable of deleting their entire data center.
Transcript [en]

The first identity that they stole was a sales employee's, through SMS phishing. They got a link that just said, "Hey, your login's about to expire," and it said login-elastic.co instead of elastic.co. And once the attackers have it, now they have an identity token. It's really just a collection of Python scripts: you can take a session token for Slack, you plug it into TruffleHog, and it will scan the entire Slack environment for known strings of secrets. And just for full disclosure here, I work for Elastic. A screenshot had a GitHub access token in it somewhere. And so, boom. So now they go in, they clone all the private repos, they keep reading the freaking manual, and they learn more and more about the environment.

Anybody not familiar with Vault, it's basically secrets management for developers and for cloud environments. And now this one's red because this is a super user for this application account: it never expires, and they can do anything they want to that application. While they were doing their recon with the credentials stolen through phishing, they find that there's a Google Group that's open, anybody in the company can join it, and this is a Google Group for a service account that has admin privileges. And so while they've got that access and it's the weekend, they find that there's a production Vault instance and they can access production Vault. Well, now with this AWS key, they find that they could delete our entire data center. Effectively, game over at this point.
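The lure in this story worked because login-elastic.co reads like a subdomain of elastic.co but is a different registrable domain. The following is an added example (not code from the talk or from Elastic) of a defender-side check that classifies link hosts against an allowlist of trusted domains; the allowlist and sample URLs are constructed for illustration.

```python
# Added example: flag phishing-style lookalike hosts such as "login-elastic.co"
# that embed a trusted brand without actually being a subdomain of it.
# TRUSTED_DOMAINS and the sample URLs below are constructed assumptions.
from urllib.parse import urlparse

# Constructed allowlist of the organisation's legitimate registrable domains.
TRUSTED_DOMAINS = {"elastic.co"}


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL (a scheme is added if missing)."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """True only if host equals a trusted domain or is a real subdomain of it.
    'login.elastic.co' passes; 'login-elastic.co' does not, because the
    suffix check requires a dot before the trusted domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host: str) -> bool:
    """True if an untrusted host borrows a trusted brand label, either as a
    hyphenated or dotted label ('login-elastic.co', 'elastic.co.evil.example')
    or as a substring ('notelastic.co')."""
    if is_trusted(host):
        return False
    labels = host.replace("-", ".").split(".")
    for d in TRUSTED_DOMAINS:
        brand = d.split(".")[0]
        if brand in labels or d in host:
            return True
    return False


def classify(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'other' for triage."""
    host = host_of(url)
    if is_trusted(host):
        return "trusted"
    if is_lookalike(host):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    for u in ("https://login-elastic.co/renew", "https://login.elastic.co/"):
        print(u, "->", classify(u))
```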