
Abusing HR Self-Service for Crime and Profit

Identifying an Active Exploit

As a leading provider of threat and posture management for SaaS, Obsidian Security protects companies from account compromise, insider threats, misconfigurations, and over-privileged users. We regularly aggregate information from our platform for the benefit of our customers.

Over the last few months, Obsidian has seen an increase in the number of attacks against Workday, and given the tactics employed, the same approach is likely being used against other human capital management (HCM) systems as well. These are not the types of attacks that make the Wall Street Journal or garner significant attention, but rather unsophisticated, low-effort attacks built for maximum return and reproducibility. They are highly successful and rely upon the unique interplay of access, security, and risk in HR tools.

Understanding the motivations of the attackers and their targets allows companies to build proactive HCM security strategies, layered defenses, and comprehensive response plans.

Benefits of HCM Self-Service

The rise of SaaS HCM systems has made it easy for companies and employees alike to access and manage HR data. These systems are entrusted with personally identifiable information (PII), which can be instantly and easily modified. There are no more forms for leave or address changes, letters with tax documents, or errors in company benefits; all of these can be reviewed and updated by your employees as required. Unfortunately, as is the case with most systems containing sensitive data, there are those who look to leverage these modern conveniences to exploit and steal.

Abuse of HCM Platforms

Security teams defend in layers out of necessity. They understand where the most significant amount of confidential and sensitive information is stored, who has the most access to that information, and then protect from there outwards. This methodology allows for risk reduction and optimal allocation of scarce resources to ensure employees and customers are protected. 

The HCM self-service model described above presents a unique challenge: a single employee only has access to their own data, so for all intents and purposes any single-account breach is low-risk and low-impact. However, a financially motivated attacker can take advantage of weaknesses in this model:

  • Individual accounts are low risk and not closely monitored. After all, each holds limited data: that of a single person.
  • HR self-service actions by employees are infrequent. As a result, detection is harder and requires nuance, because the patterns and behaviors are sporadic rather than predictable.
  • In any large organization, while changes by individual employees are infrequent, the collective activity of changing bank accounts, updating addresses, and adding dependents is common. This means individual changes are expected and hard to single out.

Attackers are always looking for easy, low-hanging opportunities to maximize the return on their effort. While it’s the large-scale stories of sophisticated attackers breaching major enterprises to exfiltrate sensitive data or intellectual property that make the headlines, there are countless smaller cases in cybersecurity of petty theft. As it turns out, many of these are cases of HCM account compromise.

If attackers are able to gain access to several employees’ Workday accounts, they can divert payroll, access tax documentation, and view a wealth of other sensitive personal details. Not every compromise must necessarily involve major account changes or the compromise of a highly privileged system administrator. Attackers simply need credential access, infrastructure, and discipline to assemble a highly profitable, low-risk enterprise.

The Payoff for Attackers

In these HCM account compromise campaigns, Obsidian is primarily seeing phishing attacks against employees to steal their session tokens or credentials. Once the attacker gains access, they often undertake multiple financially motivated attacks:

  • Change bank details and divert paychecks to accounts they control.
  • Steal a W2 in order to file fraudulent tax returns.
  • Plain and simple identity theft and sale of PII.

These individual actions may not amount to much, but their efforts add up quickly in aggregate. If attackers can divert 10 accounts per pay period averaging $2,500, they can steal $25,000 every two weeks and $600,000 annually. This attack is incredibly easy to reuse and not typically discovered until after the money has been deposited.

Many security teams are blind when it comes to protecting HCM systems, as they often have no insight into or control over these systems due to privacy concerns about the sensitive employee data they contain. Administration is left to the finance or HR business unit. Security teams that aren’t given seats are forced to request any information they need, and even with access, HCM interfaces are designed around the productivity needs of business users and administrators rather than investigators. This fundamental disconnect leaves you susceptible to breach, opening your employees and company to substantial loss.

Steps to Protect HCM Platforms

With a clear understanding of the tactics and motivations of attackers, your security team can take a number of steps toward enhanced HCM security.

  • Continuously analyze user behavior and client details against a baseline to detect malicious activity consistent with account compromise.
  • Monitor third-party integrations into HCM platforms, as attackers can move laterally through compromised connected applications.
  • Optimize application configurations while detailing how changes will impact your users. Monitor these controls to ensure they don’t drift from your preferred settings.
  • Reduce instances of over-privilege within HCM platforms in order to reduce the blast radius of a potential breach.
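The two signals described above, a bank-detail change from a client the employee has never logged in from, and several employees' paychecks converging on one destination account or source IP within a pay period, can be checked directly against HCM audit events. The following is an added illustration, not Obsidian's product logic or Workday's log format; the events, field names, IPs and account hashes are constructed, and `bank_change`/`login` are hypothetical action names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not real Workday data).
# "acct" is a placeholder hash of the new destination account, never the number itself.
EVENTS = [
    {"ts": "2024-03-01T09:02:00", "user": "alice", "action": "login", "ip": "10.1.1.5", "ua": "Chrome/Win"},
    {"ts": "2024-03-01T09:05:00", "user": "alice", "action": "bank_change", "ip": "10.1.1.5", "ua": "Chrome/Win", "acct": "h_a1"},
    {"ts": "2024-03-02T11:00:00", "user": "bob", "action": "login", "ip": "10.1.2.7", "ua": "Safari/Mac"},
    {"ts": "2024-03-03T02:10:00", "user": "bob", "action": "bank_change", "ip": "203.0.113.9", "ua": "Chrome/Linux", "acct": "h_x9"},
    {"ts": "2024-03-03T02:14:00", "user": "carol", "action": "bank_change", "ip": "203.0.113.9", "ua": "Chrome/Linux", "acct": "h_x9"},
    {"ts": "2024-03-04T02:30:00", "user": "dave", "action": "bank_change", "ip": "203.0.113.12", "ua": "Chrome/Linux", "acct": "h_x9"},
]

def parse(ev):
    return datetime.fromisoformat(ev["ts"])

def client_baseline(events, user, before):
    """(ip, user-agent) pairs this user has logged in from prior to 'before'."""
    return {(e["ip"], e["ua"]) for e in events
            if e["user"] == user and e["action"] == "login" and parse(e) < before}

def novel_client_changes(events):
    """Rule 1: a bank-detail change made from a client absent from the user's login baseline."""
    hits = []
    for e in events:
        if e["action"] != "bank_change":
            continue
        if (e["ip"], e["ua"]) not in client_baseline(events, e["user"], parse(e)):
            hits.append(e["user"])
    return hits

def converging_accounts(events, min_users=2, window=timedelta(days=14)):
    """Rule 2: the same destination account or source IP appears in bank-detail
    changes for several distinct employees inside one window (one pay period)."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "bank_change":
            by_key[("acct", e["acct"])].append(e)
            by_key[("ip", e["ip"])].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=parse)
        for i, first in enumerate(evs):   # slide the window from each change
            users = {x["user"] for x in evs[i:] if parse(x) - parse(first) <= window}
            if len(users) >= min_users:
                alerts[key] = sorted(users)
                break
    return alerts

if __name__ == "__main__":
    print("novel client:", novel_client_changes(EVENTS))
    print("converging:", converging_accounts(EVENTS))
```

Rule 2 is what makes the aggregate visible: each of bob, carol and dave's changes is individually unremarkable, but all three route to the same account hash, which a per-user baseline alone would never surface.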

As a comprehensive security and compliance offering for Workday and other business-critical SaaS applications, Obsidian makes it easy to achieve these measures and protect your sensitive data. We’re able to detect account compromise in its earliest stages using a combination of static rules and machine learning models. Our deep understanding of Workday can also help close gaps in your perimeter that attackers leverage to gain access.

To learn about best practices for protecting Workday, visit our blog The Five Challenges of Workday Security.