Session Name: Exploiting Exposed Credentials in 2022 - How Adversaries Discover and Exploit Leaked Secrets
The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian, which scanned all public activity on GitHub throughout 2021 and uncovered over 6 million secrets leaked inside public git repositories and public Docker images. This paper looks at how adversaries leverage this weakness to exploit organizations and gain access to private systems. To achieve this objective we examine why secrets are so frequently found in public spaces despite being highly valuable assets, how these secrets are leaked, and the types of secrets frequently found in both public git repositories and public Docker images. Building on this, we break down three recent successful attacks, each of which used a different method to extract publicly exposed secrets that granted the attackers initial access: Codecov in 2021, where secrets were exposed via a public Docker image; SolarWinds in 2020, where a secret was exposed in a public git repository belonging to an employee; and the United Nations breach in 2020, where secrets were exposed through misconfigured git repositories. Examining the methodology of each attack, we review exactly how each could be replicated against other specific targets. Finally, we break down the different methods and tools that can be used to extract secrets from source code, reviewing the pros and cons of each.
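As an added example (not code from the talk, nor GitGuardian's own scanner), the following minimal detector contrasts the two families of secret-extraction methods the abstract refers to, known-format pattern matching and Shannon-entropy scoring, over a constructed Dockerfile-style fragment; the patterns, the entropy threshold and all sample values are assumptions chosen for illustration.

```python
"""Secret detection over source text: known-format regexes vs. entropy scoring.
Added example; not GitGuardian's tooling. Sample values are constructed."""
import math
import re

# Known-format patterns: precise, few false positives, but only catch formats you know.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Entropy scoring: format-agnostic, but noisy (hashes, UUIDs, minified code).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.5          # bits per character; assumed value, tune per codebase
HEX_RE = re.compile(r"^[0-9a-f]+$")  # git SHAs / digests: a classic entropy false positive


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a constant string)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_line(line):
    """Return [(kind, value)] findings for one line of text."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(line):
            findings.append((name, m.group(0)))
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        if any(rx.search(tok) for rx in PATTERNS.values()):
            continue  # already reported by a known-format pattern
        if HEX_RE.match(tok):
            continue  # suppress hashes; they look random but are rarely secrets
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", tok))
    return findings


def scan_text(text):
    """Return [(line_number, kind, value)] for every finding in text."""
    return [(n, kind, value)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, value in scan_line(line)]


# Constructed sample: a Dockerfile fragment with leaked ENV values (not real credentials).
SAMPLE = """\
# constructed sample input, not real credentials
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV AWS_SECRET_ACCESS_KEY=q7Zx2PmK9vB4nT8wL1cR5yJ0hF6dG3sA
GIT_TOKEN=ghp_aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY3
image_digest=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
```

Note that the AWS key ID on line 2 scores well below the entropy threshold and is caught only by its known prefix, while the secret on line 3 has no recognisable format and is caught only by entropy; the digest on line 5 is suppressed to keep the entropy check from flagging every hash in the repository.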
Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learned first-hand how critical it is to build secure applications with robust developer operations.
Today as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.