Exposed CRM Credentials Enable Threat Actors to Access Organizations’ Critical Infrastructure

We have identified an increase in dark web discussions among threat actors, regarding CRM exploitation tactics and exposure of CRM credentials across code repositories such as Github and Bitbucket
Updated on
April 19, 2023
Published on
May 20, 2022
Subscribe to the latest industry news, threats and resources.
Category: Vulnerability Intelligence Sub-Category: Exposed End-point Credentials Industry: Multiple Region: Global

Executive Summary

  • Increase in dark web chatter on exploiting CRMs to access organizations’ critical infra.
  • Exposure of CRM end-point secrets and credentials on code repositories.
  • Initial access to organizations’ critical infrastructure enables ransomware deployment and data exfiltration.
  • Access to individuals’ and CXOs’ PII and credentials.
  • Loss of revenue and reputation.
  • Real-time scanning and takedowns of code repos exposing CRM credentials.
  • Monitor underground intel on threat actor tactics related to CRM solutions like Zoho, Hubspot, Salesforce etc.
CloudSEK’s contextual AI digital risk platform XVigil has identified:
  • An increase in dark web discussions among threat actors, regarding CRM exploitation tactics
  • Wide-spread exposure of CRM credentials across code repositories such as Github and Bitbucket
The above threats, in conjunction, pose a significant threat to organizations that use CRM (Customer Relationship Management) solutions such as Salesforce, Zoho, Hubspot, etc.


CRM Credentials Exposed on Github

XVigil’s Cyber Threat Monitor has identified several code repositories disclosing sensitive information and CRM secrets and credentials. [caption id="attachment_19401" align="alignnone" width="1280"]Code repositories exposing CRM credentials, identified by XVigil’s Cyber Threat Monitor Code repositories exposing CRM credentials, identified by XVigil’s Cyber Threat Monitor[/caption]   The following example illustrates the code repository of a Salesforce DX guide for an organization’s development team. This repository discloses sensitive information, including an employee’s Salesforce credentials. [caption id="attachment_19402" align="alignnone" width="1114"]Salesforce DX Guide for the Development Team Salesforce DX Guide for the Development Team[/caption]   This repository was exposing, in plaintext, the employee’s:
  • Salesforce username
  • Salesforce password
  • Consumer ID
  • Consumer Secret
[caption id="attachment_19403" align="alignnone" width="1280"]Code repo file exposing plain text credentials and secrets Code repo file exposing plain text credentials and secrets[/caption]  

Increase in Darkweb Discussions Regarding CRM Exploitation

XVigil has identified an increase in discussions, on cybercrime forums, regarding CRMSs. Here are some key examples:
  • Threat actors discussing CVE-2021-44077, a vulnerability in Zoho ManageEngine CRM software.
[caption id="attachment_19404" align="alignnone" width="1853"]Discussion around CVE-2021-44077 vulnerability in Zoho Discussion around CVE-2021-44077 vulnerability in Zoho[/caption]  
  • A threat actor detailing how logs from CRMs like Zoho, Sugarcrm, Hubspot, and Salesforce can be leveraged to gain access to the critical infrastructure of an organization. CRM logs are sold on various underground markets.
[caption id="attachment_19406" align="alignnone" width="1558"]Discussion on obtaining CRM logs from corporates Discussion on obtaining CRM logs from corporates[/caption]  

How Exposed CRM Secrets and Darkweb Discussion Enable Large-Scale Attacks

  • Attackers regularly use manual and automated scanners to monitor public code repositories like GitHub for secrets and source code leaks.
  • Actors use the credentials, in conjunction with vulnerabilities, exploits, and CRM logs available on cybercrime forums, to gain access to the organization’s critical infrastructure.
  • These sensitive details also enable them to move laterally across the organization, deploy ransomware, exfiltrate data, take over user accounts, and maintain persistence.

Impact & Mitigation

Over 2 million corporate secrets were detected on public GitHub repositories in 2020. These leaked secrets were leveraged to carry out major attacks on Starbucks, Equifax, and the United Nations.
Impact Mitigation
  • The leaked information could be used to gain initial access to the company’s infrastructure.
  • If the leaked data is not encrypted, it could enable account takeovers.
  • Commonly used passwords or weak passwords could lead to brute force attacks.
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Patch vulnerable and exploitable endpoints.
  • Do not store unencrypted secrets in .git repositories.
  • Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Scan repositories to identify exposed credentials and secrets.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.


Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations