On April 15, Delinea confirmed a vulnerability in the Delinea Platform and Secret Server Cloud that has now been patched.
In an emailed statement to SC Media, Delinea said it has provided a remediation guide to its local customers to fix the vulnerability.
“Our engineering and security teams conducted reviews for any evidence of a tenant data breach,” a Delinea spokesperson said. “At this time, we have found no evidence that any customer data was compromised and there have been no attempts to exploit the vulnerability.”
Organizations with on-premises installations of Delinea Secret Server Cloud should update it immediately, security professionals said. If left unpatched, the vulnerability, which is a flaw in the SOAP API, could allow attackers to bypass authentication, gain administrative access, and exfiltrate secrets.
“Exploiting the vulnerability would bypass authentication entirely, essentially allowing attackers to bypass security measures and access privileged credentials,” said Sarah Jones, cyber threat intelligence research analyst at Critical Start.
With these privileged credentials in hand, attackers gain significant control over the network, Jones said. They can leverage this access to move horizontally across the network, gradually gaining access to more systems and data.
“In addition, they can escalate their privileges to the highest level, giving them full administrative control,” Jones said. “This level of access can be used to deploy malware to steal data, disrupt operations, or launch crippling ransomware attacks. At its core, this vulnerability represents a major security breach waiting to happen, which could lead to a complete network compromise.”
Nick Rago, vice president of product strategy at Salt Security, added that bypassing API authentication would essentially allow a threat actor to not only obtain the keys to the castle, but potentially every door, drawer, and cabinet inside the castle.
“While Delinea claims to have patched its cloud-based services, it is up to its on-premises customers to take the time to upgrade/patch their systems to protect against this threat,” Rago said. “Attackers are well aware that most organizations do not have API security solutions to protect their internal API assets. So, this scenario is one where an attacker can easily stay slow and low under the radar, evading detection, while leaking secrets.”
Thomas Siu, chief information security officer at Inversion6, noted that the attackers in the MGM Grand ransomware attack gained undetected access to the casino's PAM service, enhancing the attackers' ability to deploy malware using administrator accounts to take control of core IT services.
“The twist in this case is that after Delinea patches the service, customers can use it to quickly and comprehensively rotate all their login credentials if they suspect any data is missing,” Siu said.