Thu, Dec 26, 2019
Cyber threat actors are actively scanning for and finding exposed usernames, passwords and other online credentials in code repositories. Kroll identified two such incidents via its initial intake process for cyber forensics investigations in October 2019. In both cases, cyber threat actors obtained Amazon Web Services (AWS) login credentials and gained unauthorized access to corporate files. Attackers are increasingly scanning public code repositories to find exposed credentials, exploiting these platforms to gain access to a variety of enterprise services and vendors (see “In the News” section).
Software developers use cloud-based code repositories like GitHub, Bitbucket and GitLab to share, edit and update code with their colleagues. Cyber threat actors are well aware that developers may leave sensitive security access keys within their shared source code repositories. One of the most sought-after targets is the git-config text file, which holds the settings and options for a Git repository and can include credentials.
Once threat actors find an exposed git-config file, they can simply clone the exposed source code. They can then use the exposed credentials to access sensitive data stored in cloud services or credit card processing accounts, which can be a treasure trove of sensitive data, such as personally identifiable information (PII), user IP addresses and financial details. Criminals may also gain full control over the entire code repository, and some malicious actors have even wiped public and private repositories and demanded ransoms to restore the data. Hackers have also reportedly capitalized on source code that was inadvertently uploaded to a repository to extort a large conglomerate by threatening to sell its sensitive information on the dark web.
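The exposure described above (credentials sitting in a git-config file or a checked-in credentials file) is something a development team can check for before code is pushed. The scanner below is an added example written for this article; it is not Kroll's tooling and not code from the cited study. Its patterns are assumptions for illustration: AWS access key IDs are matched on the documented "AKIA" prefix plus 16 characters, secret keys on the 40-character format with a 3.5-bit entropy floor to ignore placeholders, and remote URLs on an embedded user:password pair. The sample inputs are constructed (the AWS documentation example key values and a made-up git config), not live credentials.

```python
"""Pre-commit style secret scanner (added example, not Kroll's tooling).

Flags three leak patterns discussed in the article:
  * AWS access key IDs (documented 'AKIA' prefix + 16 uppercase alnum chars)
  * AWS secret access keys (40 chars of [A-Za-z0-9/+]) with enough entropy
    to rule out obvious placeholders such as forty X's
  * git remote URLs that embed a username:password (the git-config case)
Findings are redacted so the report itself does not leak the secret.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Assumed patterns for illustration; tune for your own credential types.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})['\"]?")
# scheme://user:password@host/... ; a bare "git@host" username is not flagged
URL_CRED_RE = re.compile(r"\b(https?|ssh)://([^/\s:@]+):([^@\s/]+)@\S+")
ENTROPY_FLOOR = 3.5          # bits per char; real 40-char keys score ~4.5+
SKIP_DIRS = {".git/objects", "node_modules"}
MAX_BYTES = 1_000_000


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str             # redacted value, safe to print in CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents; returns findings in line order."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, n, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= ENTROPY_FLOOR:   # skip placeholders
                findings.append(Finding(path, n, "aws_secret_access_key", redact(secret)))
        for m in URL_CRED_RE.finditer(line):
            user, password = m.group(2), m.group(3)
            findings.append(Finding(path, n, "url_embedded_credential",
                                    f"{user}:{redact(password)}@..."))
    return findings


def scan_repo(root: Path) -> List[Finding]:
    """Walk a checkout, including .git/config, and scan every small text file."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(rel, text))
    return findings


# Constructed sample inputs: AWS documentation example values and a made-up
# git config; none of these are live credentials.
SAMPLE_CREDENTIALS = (
    "[default]\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)
SAMPLE_GIT_CONFIG = (
    '[remote "origin"]\n'
    "\turl = https://deploy:s3cr3tT0k3n@github.com/acme/app.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)
SAMPLE_PLACEHOLDER = "aws_secret_access_key = " + "X" * 40 + "\n"


def main(argv: List[str]) -> int:
    """Usage: python scan_secrets.py [repo_root]; exit 1 if anything is found."""
    findings = scan_repo(Path(argv[1]) if len(argv) > 1 else Path("."))
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.excerpt}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a pre-commit hook or a CI job against the checkout root; a non-zero exit blocks the push. The entropy floor is what keeps the secret-key rule from firing on template files, and the walk deliberately does not skip `.git/config`, because that is the file the attackers in this article go looking for.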
Researchers from North Carolina State University conducted the first large-scale and longitudinal analysis of secret leakage in repositories, examining billions of files over six months and focusing on private keys and some of the highest-impact credential types. Their study uncovered leaks in over 100,000 repositories and identified “thousands of new, unique secrets leaked every day.” The most commonly exposed file types were related to access keys and certificates (categorized as “crypto” in the table below), and source code files.
It’s important to note that the most popular cloud-based code repositories are aware of the issue and have strong security features available to minimize exposure risks. These platforms are growing communities of “security advisors” and implementing more visible processes for reporting vulnerabilities, but developers must also be security-aware. Training sessions customized for software developers have shown great results, and so has instituting a repository security checklist, such as the one created by author and security researcher Kristov Atlas.
In September 2019, the actor memory_lost posted an auction listing on the Russian language forum Exploit referencing 2.2GB of a large e-commerce company’s source code obtained from an exposed code repository. It appears the repository was subsequently taken down by an unknown user, but the auction indicates memory_lost had already downloaded the code repository before it was taken down.
Strengthening the security mindset of your developers is fundamental to minimize the exposure risk posed by code repositories, but we asked Ray Manna and Justin Price, senior directors in Kroll’s Cyber Risk practice, for additional recommendations to help prevent the compromise of sensitive data and access keys in code repositories:
A fundamental strategy for mitigating risks associated with cloud-based code repositories is to create and enforce pragmatic policies and controls that guide your internal staff and third-party developers in prioritizing security in development projects. Kroll also offers proactive security configuration hardening for Microsoft Office 365 (O365) and other cloud-based services susceptible to repository-based attacks as well as vulnerability assessment services that include source code review and analysis.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.