With over 200 million users in 188 countries, DocuSign is one of the most widely-adopted cloud applications in the enterprise today. Given the ever-increasing number of cyberattacks targeting enterprise cloud apps, the recent DocuSign incident does not necessarily come as a surprise. But what – exactly – happened?
After discovering a growing volume of phishing attacks incorporating DocuSign branding, DocuSign notified the public of the uptick in phishing attacks and began conducting security forensics to determine if a breach had indeed occurred.
Upon conducting the investigation, DocuSign discovered that a breach had occurred, and released the following statement on May 15th:
… today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”
Where is the risk?
Armed with email addresses and the knowledge of their association with a specific service, cybercriminals are well-equipped to launch a spear phishing campaign. This would allow cybercriminals to send emails impersonating DocuSign to known DocuSign users, dramatically increasing the likelihood users would click on links that lead to malicious destinations, infect them with malware, enable OAuth connected applications, or imitate a DocuSign login page to capture credentials.
Why are DocuSign user emails such a valuable payload?
DocuSign users are business professionals that conduct business online, frequently exchanging highly sensitive information,and complete entire transaction processes digitally. These individuals represent an extremely valuable payload for cybercriminals due to the likelihood they engage in a high volume of sensitive digital activities, each representing an opportunity to capture credentials, intercept communications, exfiltrate data, and more.
What else should we consider? How does OAuth fit in?
While in this particular instance, the cybercriminals “only” managed to gain access to “a separate, non-core communication system used for service-related announcements that contained a list of email addresses… “, this incident illustrates a risk vector generally overlooked by organizations today.
We have not been shy in sharing the risk of third-party apps enabled with OAuth, which involves not only federated authentication but also delegated authorization, meaning users are self-enabling applications and empowering them to act on their behalf, often endowing excessive permissions to such apps. It is also worth considering that there is an average of 1,050 unique connected cloud apps per organization.
Across Cisco Cloudlock’s customer base, we have identified that over 85% of organizations have DocuSign connected via OAuth into their SaaS platforms.
Cisco Cloudlock offers insight into the OAuth risk through a range of risk evaluations, including the Community Trust Rating, a crowdsourced security risk rating of third-party applications on a scale of 0 – 100 based on anonymized user data (how many users have trusted versus banned the application). The CTR for the DocuSign application was 53. The risk score of the application, based principally on the access scope, was a moderate 3, which we then increased to 5, out of 5 (the highest risk rank) for now, based on the publicized breach.
In addition to the potential risk of malicious apps or apps that have excessive access scopes, there is an additional threat: the hack of the organization and compromise of the infrastructure behind the apps.
Consider, for instance, the implications of the following scenario. If the malicious individuals gained access to production environments and/or the associated resources, the danger increases dramatically, as the cybercriminals could leverage the permissions users’ granted to the app to accomplish nefarious acts, such as impersonating users or intercepting communications. Given that many third-party apps request permissions including the ability to view, edit, delete, and share all of a user’s files stored within the Google or Microsoft ecosystems, the implications are disastrous.
How Cisco Cloudlock Addresses OAuth Risk
Cisco Cloudlock has been defending against malicious and excessively privileged OAuth-connected applications for years. As a cloud-native, API-based Cloud Access Security Broker (CASB), Cisco Cloudlock offers Apps Firewall, which enables organizations to gain visibility into and control over this incredibly risky form of Shadow IT.
Cisco Cloudlock provides intelligence to assess application risk, including the access scope of the application, a risk level score, and the Community Trust Rating (CTR), a crowdsourced security risk rating of third-party applications based on anonymized user data (how many users have trusted versus banned the application). For more, be sure to watch our brief video discussing OAuth risk.