Secrets (programmatic credentials such as access tokens, API keys, or private encryption keys) play a pivotal role in securing access to equipment, data, services, and APIs. However, the expanding proliferation of secrets creates significant challenges when it comes to keeping them safe and secure. As mentioned in a recent article, compromised credentials are becoming the preferred vector of hackers to get a toehold in a victim’s systems, as it takes less effort than most other methods. In this blog post, we'll explore three recent real-world examples of how secrets can escape that demonstrate the crucial role of robust secret detection solutions in mitigating these risks.
EXAMPLE 1: Secrets in the logs - Microsoft signing key stolen by threat actor Storm-0558
Threat actor Storm-0558 is credited with an attack campaign that has been targeting Exchange Online and Azure Active Directory (AD). Recently, information about how the Microsoft signing key used by the threat actor to forge tokens was leaked. Microsoft’s investigation led to artifacts from the crash of a consumer signing system in April 2021. During this incident, a snapshot of the crashed process was created. Normally, these crash dumps are designed to redact sensitive information, but a race condition allowed a critical secret, the signing key, to be present in the crash dump.
The presence of this sensitive material went unnoticed by Microsoft’s detection systems. The crash dump, initially believed to be free of secrets, was transferred to a debugging environment on the internet-connected corporate network, following their standard debugging process.
After a while, Storm-0558 managed to compromise the corporate account of a Microsoft engineer who had access to the environment and gained access to the crash dump containing the signing key. The end of the story is already well-known, with the threat actors using this key to sign tokens that granted them access to mail servers.
Other vulnerabilities were involved during this attack and all of them have been mitigated by Microsoft but this incident serves as a stark reminder of the challenges organizations face in detecting and protecting against secret exposures.
See our blog post “Protect your keys, lessons from the Azure key breach” for more on this attack.
EXAMPLE 2: Hard-Coded Credentials: A Silent Threat - From VMWare software to Fujitsu firmware
VMware recently faced a security challenge for their Aria Operations for Networks software. After a significant security update to address a “Network Bypass” vulnerability, VMWare discovered that the exploit code had been published online. The culprit, it turned out, was hardcoded SSH keys. A PoC released by vulnerability researcher @SinSinology showed that the private access keys were predefined for each version of the product instead of being dynamically generated. It didn’t take long to extract each key from each version and share them publicly. These kinds of secrets should never be set in stone but dynamically generated at the time of installation.
Days later Fujitsu’s IP series devices became the stars of their own security horror movie. Firmware released before July 26, 2023, was discovered to contain hard-coded backdoor credentials that could not be changed by end-users. Unalterable passwords should never be implemented in products, especially ones exposed to a network. In this case, the credentials granted administrative access to the devices, creating a vulnerability that could be exploited by attackers to gain persistent access.
The presence of hard-coded credentials in these two products shows how secrets can remain buried within systems, hidden from end-users and presenting significant cybersecurity issues.
EXAMPLE 3: Leaked Tokens: Sourcegraph admin token turns a hacker into a super user
Very recently, Sourcegraph, an AI-powered source code search engine, announced they had suffered a data breach. An access token was inadvertently published in a code commit to their public instance despite having automated code analysis tools in place. The leaked token had broad privileges, allowing the attackers to create a new account, elevate its privileges, and gain access to the admin dashboard. The malicious user then created a proxy to allow free access to Sourcegraph’s API and publicized it.
This last example shows the ever-present risk of secrets being exposed due to human error or unforeseen circumstances. Even with robust security measures in place, a single mistake can lead to a significant security breach. It emphasizes the need for comprehensive secret detection solutions that can identify and mitigate these threats proactively.
Protecting Secrets with GitGuardian
As the digital landscape evolves, the variety and sheer vastness of the secrets landscape poses a constant challenge. To combat this threat effectively, organizations need reliable secret detection products like those offered by GitGuardian.
These tools are designed to tirelessly scan code repositories, databases, and environments for signs of sensitive information, alerting organizations to potential risks before they can be exploited.
GitGuardian's secret detection solutions are a crucial ally in the fight against hidden threats lurking in your systems. They provide real-time monitoring, alerts, and remediation options, helping organizations safeguard their secrets, maintain regulatory compliance, and protect their reputation.
In a world where so many secrets exist in so many places, the responsibility of safeguarding them has never been more critical. The incidents outlined above underscore the need for robust secret detection solutions to identify and mitigate security risks effectively. With GitGuardian's state-of-the-art products, organizations can proactively protect their secrets, ensuring a safer digital environment for all. Don't wait for your feet to get wet to learn there’s a hole in your boat—take proactive steps to secure your secrets with GitGuardian today.