You have one minute to save your leaked AWS credentials
New research suggests that cyber-thieves can discover and use leaked credentials in a matter of seconds.
If you dropped your keys on the ground, how long would it take a thief to spot them and break into your house? A day? A month? A year? Would a thief ever even notice them?
It’s different online. Online, it’s as little as 60 seconds, according to new research by security consultants Cybenari, whose findings suggest that cyber-thieves can discover and use leaked credentials with astonishing speed.
Despite their media image, most criminal hackers are not looking to challenge themselves or pit their skills against a difficult adversary. For the most part, cybercriminals are about the easy life, and when it comes to breaking into an organization’s computers, the easiest life of all is logging in with a password or access key that’s been left lying around on the internet.
Credentials for all kinds of systems get leaked in all kinds of different ways online, but the canonical example of modern credential leakage is accidentally including an Amazon Web Services (AWS) API credential in some code committed to a public code repository on GitHub.
It’s so common for programmers to accidentally include credentials in their code like this that GitHub even has a feature to detect it, called secret scanning.
And it’s so common that thieves appear to have set up tools to scan GitHub continuously, looking for leaked credentials. This enables them to find and use leaked credentials on GitHub in as little as a matter of minutes.
According to Cybenari, an access token leaked to GitHub was found and used within 127 seconds.
Other places where criminals expect to find code fared even worse. Similar scanning of the Pypi Python code repository saw a credential used within 119 seconds, and a credential left on the npm Registry was used within 60 seconds of it being leaked.
In all likelihood, all three attacks happened far quicker than it would take most developers to realise their error, let alone correct it by revoking the credentials.
These discoveries were the result of research that set out to identify the worst places to leave leaked credentials on the internet by using “canary tokens,” credentials that act like a tripwire by triggering an alert when somebody tries to use them.
The credentials were left in a selection of publicly accessible places a thief might look for code, including code repositories, web servers, FTP servers, JSFiddle, Pastebin, the Python and NPM package repositories, and cloud storage buckets like S3.
The list of fastest access times shows that credentials can be found anywhere, but the speed with which they were located on the npm Registry, Pypi, GitHub, and Pastebin suggests continuous, aggressive scanning by criminals. Needless to say, they would only bother to do that if they were making money from it.
Location | Fastest access time |
---|---|
npm Registry | Under 60 seconds |
Pypi | 119 seconds |
GitHub | 127 seconds |
Pastebin | 50 minutes |
Web server | 47 hours |
DockerHub | 6.9 days |
The alarming results suggest there are highly active, automated systems working to discover leaked credentials, and that they can do so with astonishing speed. Credentials can be compromised so quickly that any leak at all, no matter how brief, should be treated as a compromise of the credential involved.
Per Cybenari:
This means that if you have discovered that your organization’s secret has leaked somehow to one of these services, you should Immediately roll the key and conduct a forensic investigation into any malicious usage of the key.
The findings serve as a useful reminder that for all the attention paid to software vulnerabilities and malware, there are often easier ways for criminals to get to your privileged data.
To combat the threat of leaked credentials:
- Limit access to sensitive tokens, and keep access rights to a bare minimum.
- Use different tokens across development, test, production, and other environments.
- Use services like secret scanning and canary tokens to detect leaks.
- Store and transfers tokens using strong encryption.
- Rotate tokens regularly.