Databases stores, cloud storage and services at risk from exposed access keys finds new research
September 2020 by Digital Shadows
Digital Shadows has revealed new research looking at the growing problem of company access keys inadvertently exposed during software development. Access keys, and their corresponding secrets, are used by developers to authenticate into other systems. While these should be kept private, poor security practices mean they are frequently made ‘public’ and are a gift to threat actors which routinely scour such sites for easy access to company systems.
Over a 30-day period Digital Shadows scanned more than 150 million entities from GitHub, GitLab, and Pastebin. During this time, its technology assessed and categorized almost 800,000 access keys and secrets. Digital Shadows discovered more than 40% of these were for database stores, with 38% for cloud providers such as Google, Microsoft Azure and Amazon Web Services. Some 11% were for online services including collaboration platforms such as Slack and payment systems including Stripe.
The impact of exposed database keys is particularly profound - these types of credentials could allow unauthorized access to company data, including personally identifiable information (PII) with the permission to expose, destroy or manipulate company data. Credentials for Redis (37.2%), MySQL (23.8%), and MongoDB (19.3%) were the most common.
The research also found that keys are commonly exposed for cloud providers. Google Cloud was found to have the most exposed keys with 56.5% of the total. Microsoft Azure access keys and SAS tokens make up 22.7% and 12.4% respectively. Interestingly despite Amazon Web Services being the market leader, exposed keys for these services only made up 8.3% of the total.
Again, successful authentication into these environments could be hugely damaging and allow access to the associated cloud infrastructure, with permission to expose, destroy and/or manipulate sensitive data. The data accessible depends on the services used and could include company and internal systems information.
The research also discovered thousands of tokens and keys for popular online services, including Slack tokens. In the wrong hands these keys could be used to post messages directly into a channel within the organization, give access to sensitive information on channels and conversations and access a user’s Slack workspace, e.g. the channels, conversations, users, and reactions.
Significant damage could also result from other exposed keys such as Stripe API keys (6.4% of the total) which could infiltrate payment systems. Mailgun secret keys (4.4% of the total) could allow use of the API to send, receive and track emails – which would be highly useful to attackers looking for access to enable phishing campaigns.
Russell Bentley at Digital Shadows comments: “As software development has become increasingly distributed between in house and outsourced teams it has become challenging to monitor the exposure of sensitive information. Every day, technical information like keys and secrets are exposed online to code collaboration platforms. Normally this is accidental, but we have seen evidence that threat actors are scouring public repositories and looking to use it in order to access sensitive data and infiltrate organizations. Most of the services we have identified are secure by design but as ever, humans are the weak link in the chain and frequently make information public when it should be private.”
Digital Shadows recommends the following action to help mitigate some of these issues:
Trufflehog can be used to search through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
GitRob can help find potentially sensitive files pushed to public repositories on Github.
GitHub secret scanning provides monitoring for many of the key types outlined in this blog. Although this doesn’t extend to many of the database stores (Redis, Oracle, MySQL, IBM DB2, and PostgreSQL).
Google has provided specific advice for it’s Google Cloud Platform here.