Mitigating API Token Risks for NHIs: Lessons from a Recent Security Breach
January 2025 / 8 min. read
With the rise in the number of and awareness around non-human identities (NHIs), there’s been more pressure to better manage the access that these identities have across networks and environments.
The goal of this blog is to educate readers about the role that legacy PAM approaches to NHI management played in a recent security breach suffered by the US Treasury, and to discuss potential approaches that customers and vendors in the identity space can adopt to strengthen their security posture.
US Treasury Targeted via PAM Vendor Vulnerability
Newly discovered Common Vulnerabilities and Exposures (CVEs) in core components of the privileged access management (PAM) tool used by the US Treasury have been added to the Known Exploited Vulnerabilities (KEV) catalog managed by the US Cybersecurity and Infrastructure Security Agency (CISA).
What is a CVE?
Common Vulnerabilities and Exposures (CVE) is like a reference list for known cybersecurity issues. Think of it as an index that helps security professionals keep track of and address potential threats.
Each vulnerability gets a unique ID, making it easier to identify and share information about specific security flaws. This helps companies and developers stay informed and take action to protect their systems.
Identified Impacted Legacy PAM Modules and CVEs
- BT Privileged Remote Access (PRA) - CVE-2024-12356
- BT Remote Support - CVE-2024-12686
How are CVEs Scored?
CVE scores are determined using the Common Vulnerability Scoring System (CVSS). This system helps assess the severity of vulnerabilities by assigning a numerical score based on several factors. Here’s a simplified breakdown:
- Base Score: Measures the fundamental characteristics of the vulnerability, such as:
  - Exploitability: How easily can the vulnerability be exploited?
  - Impact: What kind of damage can the vulnerability cause?
- Temporal Score: Adjusts the base score over time, reflecting factors like:
  - Exploit Code Maturity: Is there existing exploit code?
  - Remediation Level: Are there ways to fix or mitigate the vulnerability?
- Environmental Score: Considers the specific context of an organization, such as:
  - Modified Base Metrics: Adjustments based on how critical the affected systems are to the organization.
These factors combine to give a final CVSS score, typically ranging from 0 to 10, with higher scores indicating more severe vulnerabilities.
This scoring helps prioritize vulnerabilities, aiding in better risk management. The two CVEs identified in the recent breach are as follows:
- BT Privileged Remote Access (PRA) - CVE-2024-12356 – CVSS: 9.8
- BT Remote Support - CVE-2024-12686 – CVSS: 6.6
What Makes These CVE Scores Worrisome?
Both CVEs describe a command injection vulnerability: a flaw that lets an attacker pass unauthorized commands to the underlying system through the vulnerable application.
Think of it like sneaking in extra unpaid stops on an Uber/Lyft driver’s route without them realizing it. If exploited, this vulnerability could give attackers command-line access to the environment, allowing them to steal, delete, or modify data or install malware. Their scores indicate their relative severity, meaning that they should be addressed quickly to avoid exploitation and compromise.
What Does This Mean for Legacy PAM Customers?
Most legacy PAM tools originally created strictly for on-prem environments struggle to meet modern compliance requirements while securing an organization's most valuable data and resources.
Managing access for both human and non-human identities with these older solutions often demands years of cybersecurity experience, a deep understanding of network and data structures, and the heavy workload of deploying, managing, and patching complex servers and various access points like proxies, gateways, and jump servers.
To make matters worse, there's also the need to maintain and report on static, over-privileged service accounts using outdated session recording and password management methods.
Imagine living in a high-tech smart home with fingerprint locks and AI security, but you still keep a spare key under the mat at your front door. No matter how many protections you have in place, a burglar could find that key in seconds and waltz right in.
Static credentials and other legacy PAM practices are the "key under the mat" of cloud security — easy to find and exploit.
The good news is there are alternatives to legacy PAM solutions that are better suited to meeting the modern challenges of securing access in cloud environments today. Those who choose to stay with their legacy PAM solutions, however, will have to provide ongoing support and maintenance throughout their lifespan.
Protecting Privileged Identities with Modern Multi-Cloud PAM Solutions
Given the dynamic nature of modern environments, cloud permissioning and access management need to keep pace with these rapidly changing requirements.
Just-in-time (JIT) ephemeral credentials have become the modern standard for permissioning, reducing the likelihood that attackers can find and exploit access in the environment. This should be extended to both human and non-human users, with API tokens being dynamically generated with finite lifespans for specific task completion to minimize the risk of misuse or unauthorized access.
Granular, policy-driven and role-based access controls (RBAC) ensure that tokens are issued with the least privilege required for specific tasks, which reduces the impact of a potential compromise. Any tokens or credentials that cannot be made ephemeral should be rotated regularly so that outdated credentials cannot be exploited.
Centralized identity visibility and audit trails provide comprehensive oversight and monitoring of API token usage to quickly detect malicious activities. Robust, auditable access logs make it easier to identify anomalies quickly for more rapid incident response. When implemented with other Zero Trust principles, this ensures that every access request is verified against security policies.
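The three practices in the paragraphs above (just-in-time scoped tokens with a finite lifetime, least-privilege issuance against a role policy, and a centralized audit trail that surfaces anomalies) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any vendor product: a small HMAC-signed token broker with a constructed role policy, a fake clock so expiry can be shown deterministically, and a detector that scans the broker's audit log. All names, the signing key and the sample requests are constructed for illustration.

```python
"""JIT, scoped API tokens with an audit trail (added example, not from the post).

Models the practices the post describes: tokens are issued on demand with a
short TTL and a least-privilege scope, every decision is written to an audit
log, and a detector scans that log for signals responders would act on.
All identifiers, keys and requests here are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed policy: role -> permitted (resource, action) pairs.
ROLE_POLICY = {
    "ci-deployer": {("deployments", "create"), ("deployments", "read")},
    "log-reader": {("logs", "read")},
}


@dataclass
class TokenBroker:
    signing_key: bytes
    audit_log: list = field(default_factory=list)
    clock: Callable[[], float] = time.time  # injectable for deterministic tests

    def _sign(self, payload: str) -> str:
        return hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()

    def _audit(self, event, principal, resource, action, outcome, jti=None):
        self.audit_log.append({"ts": int(self.clock()), "event": event, "principal": principal,
                               "resource": resource, "action": action, "outcome": outcome, "jti": jti})

    def issue(self, principal: str, role: str, resource: str, action: str, ttl: int = 300) -> str:
        """Issue a token only for a (resource, action) the role allows, with a hard expiry."""
        if (resource, action) not in ROLE_POLICY.get(role, set()):
            self._audit("issue", principal, resource, action, "denied: outside role policy")
            raise PermissionError(f"{role} may not {action} {resource}")
        claims = {"sub": principal, "res": resource, "act": action,
                  "exp": int(self.clock()) + ttl, "jti": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True)
        self._audit("issue", principal, resource, action, "ok", claims["jti"])
        return payload + "." + self._sign(payload)

    def verify(self, token: str, principal: str, resource: str, action: str) -> bool:
        """Accept a token only if it is authentic, unexpired, bound to the caller
        and scoped to exactly the requested (resource, action)."""
        payload, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, self._sign(payload)):
            self._audit("verify", principal, resource, action, "denied: bad signature")
            return False
        claims = json.loads(payload)
        if int(self.clock()) >= claims["exp"]:
            outcome = "denied: expired"
        elif claims["sub"] != principal:
            outcome = "denied: principal mismatch"
        elif (claims["res"], claims["act"]) != (resource, action):
            outcome = "denied: out of scope"
        else:
            outcome = "ok"
        self._audit("verify", principal, resource, action, outcome, claims["jti"])
        return outcome == "ok"


def find_anomalies(audit_log: list, denial_threshold: int = 3) -> list:
    """Flag tokens presented after expiry and principals with repeated denials."""
    denials, findings = {}, []
    for entry in audit_log:
        if entry["outcome"].startswith("denied"):
            denials[entry["principal"]] = denials.get(entry["principal"], 0) + 1
        if entry["outcome"] == "denied: expired":
            findings.append(f"token {entry['jti']} presented after expiry by {entry['principal']}")
    findings += [f"{p}: {n} denials" for p, n in denials.items() if n >= denial_threshold]
    return findings


def demo() -> list:
    """Constructed walkthrough with a fake clock; returns the detector's findings."""
    now = [1_700_000_000]
    broker = TokenBroker(signing_key=b"constructed-demo-key", clock=lambda: now[0])
    tok = broker.issue("svc-ci", "ci-deployer", "deployments", "create", ttl=60)
    broker.verify(tok, "svc-ci", "deployments", "create")      # ok: in scope, in time
    broker.verify(tok, "svc-ci", "secrets", "read")            # denied: out of scope
    broker.verify(tok, "svc-batch", "deployments", "create")   # denied: wrong principal
    try:
        broker.issue("svc-ci", "ci-deployer", "secrets", "read")  # denied: outside role
    except PermissionError:
        pass
    now[0] += 120                                              # the token has expired
    broker.verify(tok, "svc-ci", "deployments", "create")      # denied: expired
    return find_anomalies(broker.audit_log)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The token is bound to one principal and one (resource, action) pair and dies on its own after the TTL, so a leaked copy is useful only briefly and only for the task it was minted for; the audit log records denials as well as successes, which is what lets the detector distinguish a single mistake from a principal probing for access.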
This breach is one of many that show how critical secure identity and access management is to maintaining a robust cloud security posture. Cloud-native solutions designed for automations, other NHIs, and human identities alike can more readily meet the flexible access requirements that modern teams expect, while eliminating the risk of static, over-privileged accounts and the patchwork visibility of complex legacy tools.
Britive is a multi-cloud PAM platform born and built for the cloud’s speed and flexibility. Want to learn more about the platform and see it in action? Schedule a demo with a member of our team of cloud identity experts.