Five Real-World Attack Chains Involving NHIs: Lessons from SecDays France
In this post, we break down five real-world attack chains involving Non-Human Identities (NHIs), as presented by Julien Szlamowicz-Czubak (Fenrisk) and Pierre Le Clézio (GitGuardian) at SecDays France in their talk “The Explosion of Machine Identities: Are You Aware of This Silent Threat?”, and draw out the lessons for any organization trying to secure its machine identities.
1. The Vault Heist: When One Key Opens Every Door
"We thought our vault was secure. We were wrong."
Picture this: An attacker breaches a single application—nothing sophisticated, just a standard web vulnerability. But this application holds a secret that changes everything: an API token for the organization's secrets manager.
The developers who created this key took the path of least resistance. Instead of carefully scoping permissions and partitioning the vault, they granted the application access to the entire vault. "It's just easier," they reasoned. "What could go wrong?"
Everything.
Within minutes, the attacker had extracted:
- Domain administrator credentials
- Network device passwords
- Cloud provider keys for AWS and Azure
- Service account tokens for critical infrastructure
What happened: A single over-privileged machine identity became the master key to the digital kingdom. One compromised app, holding one token that could read everything, led to complete infrastructure takeover.
The lesson: A vault is only as secure as the most over-privileged identity that can read from it. If you can't confidently answer “which identities can read which secrets?”, you can't know whether one of them has already been used against you.
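The scoping mistake above can be caught before an attacker exploits it by asking, for each identity, which sensitive paths its policies let it read. The script below is an added example, not code from the talk, GitGuardian or Fenrisk. It assumes HashiCorp Vault's policy semantics, written in the JSON form of a policy (path to capabilities) rather than HCL: a trailing `*` is a prefix glob, `+` matches exactly one path segment, the most specific matching rule in a policy wins, and a `deny` on the selected rule overrides grants from other policies. The policies and secret paths are constructed for illustration; the broad policy is the "just give it everything" grant from the story, the scoped one is what the application actually needed.

```python
"""Audit which sensitive secrets a set of Vault policies lets a token read.

Added example, not code from the talk, GitGuardian or Fenrisk. Policies are
modelled in Vault's JSON policy form (path -> capabilities); the paths and
policies below are constructed.
"""

# Constructed secret paths an attacker would go after (KV v2 data paths).
SENSITIVE_PATHS = [
    "secret/data/prod/domain-admin",
    "secret/data/network/core-switch",
    "secret/data/cloud/aws-root",
    "secret/data/cloud/azure-sp",
]

# Constructed policies: the "just give it everything" grant from the story,
# the grant the application actually needed, and an explicit deny fence.
POLICIES = {
    "app-broad": {
        "secret/*": {"capabilities": ["create", "read", "update", "delete", "list"]},
    },
    "app-scoped": {
        "secret/data/apps/newsletter/*": {"capabilities": ["read"]},
        "secret/metadata/apps/newsletter/*": {"capabilities": ["list"]},
    },
    "deny-domain-admin": {
        "secret/data/prod/domain-admin": {"capabilities": ["deny"]},
    },
}


def path_matches(rule_path: str, secret_path: str) -> bool:
    """True if a policy rule path covers secret_path (Vault matching rules)."""
    glob = rule_path.endswith("*")
    rule_parts = (rule_path[:-1] if glob else rule_path).split("/")
    secret_parts = secret_path.split("/")
    if glob:
        n = len(rule_parts)
        if len(secret_parts) < n:
            return False
        # Segments before the glob must match exactly ('+' matches any one
        # segment); the segment holding the '*' is a plain string prefix.
        head_ok = all(r == "+" or r == s
                      for r, s in zip(rule_parts[:-1], secret_parts[:n - 1]))
        return head_ok and secret_parts[n - 1].startswith(rule_parts[-1])
    if len(rule_parts) != len(secret_parts):
        return False
    return all(r == "+" or r == s for r, s in zip(rule_parts, secret_parts))


def select_rule(policy: dict, secret_path: str):
    """Pick the most specific rule in one policy that matches secret_path."""
    matches = [p for p in policy if path_matches(p, secret_path)]
    if not matches:
        return None
    if secret_path in matches:      # an exact match beats any glob
        return secret_path
    return max(matches, key=len)    # otherwise the longest pattern wins


def effective_capabilities(policy_names, secret_path, policies=None) -> set:
    """Union of capabilities across policies; a selected 'deny' wins outright."""
    policies = POLICIES if policies is None else policies
    caps = set()
    for name in policy_names:
        rule = select_rule(policies[name], secret_path)
        if rule is None:
            continue
        rule_caps = set(policies[name][rule].get("capabilities", []))
        if "deny" in rule_caps:
            return set()
        caps |= rule_caps
    return caps


def readable_sensitive_paths(policy_names, policies=None, sensitive=None) -> list:
    """Sensitive paths the token can read: its blast radius if the app is popped."""
    sensitive = SENSITIVE_PATHS if sensitive is None else sensitive
    return [p for p in sensitive
            if "read" in effective_capabilities(policy_names, p, policies)]


if __name__ == "__main__":
    for names in (["app-broad"], ["app-scoped"], ["app-broad", "deny-domain-admin"]):
        print(names, "->", readable_sensitive_paths(names) or "nothing sensitive")
```

Run against the token's actual policy set (for example the output of `vault token lookup`) rather than the constructed ones, the same check tells you, per application, what an attacker gains by compromising it.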
2. The Developer's Nightmare: From Code Commit to Complete Control
"It was just a GitLab token. How did they get admin access?"
It started innocently enough: a developer's application needed to interact with GitLab repositories. The app was compromised, and the attacker found a GitLab Personal Access Token (PAT) in the environment variables.
But this wasn't just any token—it was a gateway to a treasure trove.
The attacker methodically:
- Listed all accessible GitLab projects
- Extracted CI/CD pipeline environment variables
- Discovered additional secrets buried in deployment configurations
- Chained these credentials to access increasingly sensitive resources
- Escalated privileges until they achieved GitLab administrative access
The cascade effect: What began as one application compromise became total control over source code, deployment pipelines, and production secrets. The attacker could now inject malicious code, manipulate builds, or steal intellectual property at will.
The lesson: Secrets in CI/CD environments aren't just development conveniences—they're highways to your crown jewels. Every environment variable is a potential pivot point.
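The first two steps of that chain, listing the projects a token can see and pulling each project's CI/CD variables, are exactly what a defender should run against every PAT in use to measure its blast radius. The script below is an added example, not code from the talk, GitGuardian or Fenrisk. It uses two real GitLab REST endpoints (`GET /api/v4/projects?membership=true` and `GET /api/v4/projects/:id/variables`, the second of which needs at least the Maintainer role on the project) but takes the HTTP GET function as a parameter so the logic runs offline against the constructed responses included; project names and variable keys are invented, and the `SENSITIVE_KEY` pattern is an assumption about naming conventions.

```python
"""Measure the blast radius of a GitLab Personal Access Token.

Added example, not code from the talk, GitGuardian or Fenrisk. Real GitLab
endpoints are used, but the GET function is injectable so the audit logic can
run against the constructed FAKE_RESPONSES below.
"""
import json
import os
import re
import urllib.error
import urllib.request

PROJECTS_PATH = "/api/v4/projects?membership=true&simple=true&per_page=100"

# Assumed naming convention for variables that typically hold credentials.
SENSITIVE_KEY = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|KUBECONFIG|ACCESS_KEY)", re.I)


def gitlab_getter(base_url: str, token: str):
    """Real HTTP client: returns (status, parsed JSON or None) for a path."""
    def get(path):
        req = urllib.request.Request(base_url + path,
                                     headers={"PRIVATE-TOKEN": token})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, None
    return get


def token_blast_radius(get) -> dict:
    """Map what a PAT reaches: visible projects and the CI/CD variables readable in each.

    Pagination is ignored for brevity; a real audit follows the X-Next-Page header.
    """
    status, projects = get(PROJECTS_PATH)
    if status != 200 or projects is None:
        raise RuntimeError(f"project listing failed with HTTP {status}")
    report = {"readable_variables": {}, "visible_only": []}
    for project in projects:
        name = project["path_with_namespace"]
        status, variables = get(f"/api/v4/projects/{project['id']}/variables")
        if status == 200:
            # Record keys only: secret values must never land in an audit report.
            report["readable_variables"][name] = [v["key"] for v in variables]
        else:
            # Typically 403: the token lacks Maintainer here, so no variable access.
            report["visible_only"].append(name)
    return report


def sensitive_exposure(report: dict) -> dict:
    """Narrow the report to variables whose names suggest credentials."""
    return {name: [k for k in keys if SENSITIVE_KEY.search(k)]
            for name, keys in report["readable_variables"].items()
            if any(SENSITIVE_KEY.search(k) for k in keys)}


# Constructed responses standing in for a GitLab instance (values are placeholders).
FAKE_RESPONSES = {
    PROJECTS_PATH: (200, [
        {"id": 11, "path_with_namespace": "acme/newsletter-app"},
        {"id": 42, "path_with_namespace": "acme/infra-deploy"},
        {"id": 77, "path_with_namespace": "acme/public-docs"},
    ]),
    "/api/v4/projects/11/variables": (200, [
        {"key": "SMTP_PASSWORD", "value": "<redacted>"},
        {"key": "LOG_LEVEL", "value": "info"},
    ]),
    "/api/v4/projects/42/variables": (200, [
        {"key": "AWS_SECRET_ACCESS_KEY", "value": "<redacted>"},
        {"key": "KUBECONFIG", "value": "<redacted>"},
        {"key": "DEPLOY_ENV", "value": "production"},
    ]),
    "/api/v4/projects/77/variables": (403, None),
}


def fake_get(path):
    """Offline stand-in for gitlab_getter()."""
    return FAKE_RESPONSES.get(path, (404, None))


if __name__ == "__main__":
    # Set GITLAB_URL and GITLAB_TOKEN to audit a real token; otherwise use the fake.
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    get = gitlab_getter(url.rstrip("/"), token) if url and token else fake_get
    for project, keys in sensitive_exposure(token_blast_radius(get)).items():
        print(f"{project}: {', '.join(keys)}")
```

A token that the newsletter app needs only for one repository but that reports credentials in `acme/infra-deploy` is the pivot described above; the fix is a project access token or a group-scoped token with the minimum role, not a personal token that carries the developer's whole membership list.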
3. The Newsletter Account That Opened the Door
"Who would target a newsletter service?"
Some of the most revealing red team successes at Fenrisk began with assets no one considered sensitive. In one such engagement, they compromised a company’s public-facing website and gained access to its underlying server. There, they discovered credentials for the newsletter account used to send company-wide communications.
Using these credentials, they logged into the company’s webmail. While exploring further, they identified a previously unknown (0day) vulnerability in the webmail system, which enabled them to fully compromise the mail server.
The real jackpot came when they examined the mailbox of an automated bot account responsible for distributing VPN certificates to employees. In the “Sent” folder, they found certificates for every user in the company. Ironically, although the bot’s emails told recipients to delete the message after saving their certificate, the bot itself kept a copy of every sent item.
The perfect storm:
- Newsletter account credentials led to webmail access
- A 0day in webmail allowed them to take over the mail server
- The bot’s “Sent” folder contained VPN certificates for all employees
- The Fenrisk team gained valid VPN credentials for the entire organization
The lesson: Machine and service accounts tend to accumulate critical secrets over time, even when their main function seems harmless. Red team exercises like this highlight the importance of regularly auditing what your bots and automated systems can access—and what sensitive information might be quietly piling up in their mailboxes.
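The mailbox audit that lesson calls for is straightforward to automate: walk every message a bot has sent and flag the ones carrying certificates or private keys. The script below is an added example, not code from the talk, GitGuardian or Fenrisk. It checks MIME parts by attachment extension, by content type and for inline PEM blocks. The messages are constructed in-line (in practice they would come from `imaplib` or a mailbox export), and the PKCS#12 bytes and PEM text are dummy placeholders, not real credentials.

```python
"""Scan a mailbox (e.g. a bot's Sent folder) for certificate or key material.

Added example, not code from the talk, GitGuardian or Fenrisk. All messages
below are constructed; the certificate material in them is a placeholder.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

KEY_MATERIAL_EXTENSIONS = (".p12", ".pfx", ".pem", ".crt", ".cer", ".key", ".ovpn")
KEY_MATERIAL_TYPES = {"application/x-pkcs12", "application/pkcs12",
                      "application/x-x509-ca-cert", "application/x-pem-file"}
PEM_MARKER = re.compile(rb"-----BEGIN [A-Z ]*(?:CERTIFICATE|PRIVATE KEY)-----")


def find_key_material(raw: bytes) -> list:
    """Return one finding per MIME part that carries certificate or key material."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(KEY_MATERIAL_EXTENSIONS):
            findings.append(f"attachment {filename} ({ctype})")
        elif ctype in KEY_MATERIAL_TYPES:
            findings.append(f"attachment of type {ctype}")
        elif PEM_MARKER.search(payload):
            # Catches certificates pasted straight into the body or an unnamed part.
            findings.append(f"inline PEM block in {ctype} part")
    return findings


def audit_sent_folder(messages) -> dict:
    """Subjects of the messages that carry key material, mapped to the findings."""
    report = {}
    for raw in messages:
        found = find_key_material(raw)
        if found:
            headers = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
            report[str(headers["subject"])] = found
    return report


def _message(subject, body, attachment=None) -> bytes:
    """Build a constructed message; attachment = (data, maintype, subtype, filename)."""
    msg = EmailMessage()
    msg["From"] = "vpn-bot@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        data, maintype, subtype, filename = attachment
        if isinstance(data, bytes):
            msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
        else:
            msg.add_attachment(data, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Placeholder PEM text: not a real certificate.
DUMMY_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholderNotARealCert==\n"
             "-----END CERTIFICATE-----\n")

# A constructed "Sent" folder: two certificate deliveries and one harmless mail.
SAMPLE_SENT = [
    _message("Your VPN certificate",
             "Please install the attached certificate and delete this email.",
             (b"\x30\x82\x00\x00constructed-pkcs12-bytes", "application", "x-pkcs12",
              "alice.p12")),
    _message("Renewed client config",
             "Your OpenVPN profile is attached.",
             ("client\ndev tun\n<cert>\n" + DUMMY_PEM + "</cert>\n", None, "plain",
              "alice.ovpn")),
    _message("Weekly newsletter", "Nothing to see here, just the usual updates."),
]


if __name__ == "__main__":
    for subject, found in audit_sent_folder(SAMPLE_SENT).items():
        print(f"{subject}: {'; '.join(found)}")
```

Point `audit_sent_folder` at the bot's real Sent folder and the output is the same list the red team assembled by hand, which is the point: if the audit finds certificates for every employee, so would an attacker with the bot's mailbox.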
4. The Vendor's Gift That Kept on Giving
"We can't revoke it—too many systems depend on it."
A third-party contractor made a simple mistake: they pushed a script to GitHub with a hardcoded API key. The key seemed innocuous—just access to a network appliance for monitoring purposes.
But this wasn't just any device. The leaked key provided access to a critical network chokepoint, allowing the attacker to:
- Monitor all outbound traffic
- Inject malicious content into legitimate communications
- Maintain persistent, nearly invisible access
The impossible choice: When the organization discovered the breach, they faced a nightmare scenario. The leaked credential was used by multiple critical applications and several vendor integrations. Revoking it would cause widespread outages. Keeping it meant accepting a permanent backdoor.
Eight months later, the leaked key was still in use.
The lesson: Your security perimeter extends to every vendor, every contractor, every integration. One partner's mistake can become your permanent compromise. Demand credential hygiene from everyone who touches your infrastructure.
The Wake-Up Call: Why This Matters Now
These aren't theoretical attacks—they're happening every day. As Julien and Pierre demonstrated at SecDays France, the explosion of machine identities has created an attack surface that most organizations can't even see, let alone defend. “Attackers aren’t breaking in, they’re logging in.”
The uncomfortable truth: While you've been perfecting user authentication with SSO and MFA, your machines have been proliferating secrets. Every microservice deployment, every automation script, every CI/CD pipeline creates new attack vectors.