### #AWSKeyManagement #AccessKeyExploitation #DevSecOps
Summary: A recent study by Clutch Security highlights the alarming speed at which attackers exploit exposed AWS access keys across various platforms, emphasizing the need for improved security measures and automated revocation systems. The findings reveal that many organizations fail to act quickly enough to mitigate the risks associated with leaked credentials.
Threat Actor: Automated Attackers
Victim: Organizations using AWS
Key Points:
- Attackers can exploit AWS access keys within minutes of exposure on platforms like GitHub and Docker Hub.
- Keys leaked on other platforms, such as PyPI and Pastebin, are typically exploited within hours to days.
- Current AWS security measures, like automatic quarantine, are insufficient to prevent misuse of exposed keys.
- Clutch Security has developed AWSKeyLockdown, an open-source tool for immediate revocation of compromised keys.
- Long-term solutions should focus on Zero Trust principles and automated detection to minimize attack surfaces.

It is no secret that developers often inadvertently expose AWS access keys online, and that attackers scrape and misuse those keys before organizations get a chance to revoke them.
Clutch Security researchers ran a test to measure just how quickly that happens.
They planted AWS access keys, in several different scenarios, on:
- Code hosting and version control platforms: GitHub and GitLab
- Public code repositories: Docker Hub (for containers), npm (for JavaScript packages), PyPI (for software written in Python), Crates.io (for Rust crates)
- Repositories for hosting and testing code snippets: JSFiddle, Pastebin, and public and private GitHub Gists
- Developer forums: Stack Overflow, Quora, Postman Community, and Reddit
The test showed that attackers find and exploit keys leaked on GitHub and Docker Hub within minutes, and keys exposed on PyPI, Pastebin and the Postman Community within several hours.
Keys published on GitLab, Crates.io, public GitHub Gists, JSFiddle, Stack Overflow, Reddit and Quora were exploited in one to five days. Only the keys planted on npm and in private GitHub Gists went unused.
How to automatically revoke exposed AWS keys
The researchers found that attackers are often fast enough to beat AWS's own exposed-key alerts (delivered through Security Hub and Trusted Advisor, if the customer uses them).
And while AWS puts exposed keys into automatic "quarantine", that is not enough to prevent all misuse: the quarantine policy only denies a subset of actions, such as creating certain AWS resources, and the key otherwise keeps whatever permissions it had.
The AWS access keys leaked by the researchers allowed attackers to log in to the company’s sandboxed cloud environments, engage in reconnaissance, escalate privileges and perform lateral movement, and even try to leverage the company’s infrastructure for resource-intensive operations.
“This isn’t opportunism; it’s automation and intent. The actions we observed paint a picture of methodical, highly organized operations,” the company said in its report.
As Clutch researchers see it, the problem with leaked AWS keys today is that revoking them is left to the customer, and many customers fail to act quickly.
“The reality is clear: the window between exposure and rotation leaves sufficient time for attackers to cause significant damage,” they noted.
So, they’ve created AWSKeyLockdown, an open source security automation tool that immediately disables access keys AWS flagged as compromised.
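The automatic revocation the researchers argue for can be wired up with EventBridge and a small Lambda function. What follows is an added example written for this page, not AWSKeyLockdown's own code. It assumes AWS's documented behaviour for exposed keys: a Health event with type code AWS_RISK_CREDENTIALS_EXPOSED whose affected entity is the exposed access key ID, and the managed policy AWSCompromisedKeyQuarantineV2 being attached to the user via AttachUserPolicy. The `FakeIam` client and the two sample events are constructed here so the code runs offline; in AWS the real boto3 client is used.

```python
"""Auto-disable IAM access keys that AWS has flagged as exposed.

Illustrative Lambda handler, not Clutch Security's AWSKeyLockdown. It is fed by
two EventBridge rules: the Health event AWS_RISK_CREDENTIALS_EXPOSED and the
CloudTrail AttachUserPolicy call that quarantines a user. Keys are set to
Inactive rather than deleted so the key record survives for the investigation.
"""
import logging

log = logging.getLogger(__name__)

EXPOSED_EVENT = "AWS_RISK_CREDENTIALS_EXPOSED"
QUARANTINE_POLICY = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"


def keys_from_health_event(detail):
    """Access key IDs named in a Health exposed-credentials event.
    Assumption: each affected entity's entityValue is the access key ID."""
    if detail.get("eventTypeCode") != EXPOSED_EVENT:
        return []
    return [e["entityValue"] for e in detail.get("affectedEntities", [])
            if e.get("entityValue", "").startswith("AKIA")]


def keys_from_quarantine_event(iam, detail):
    """Every still-active key of the user AWS just quarantined."""
    params = detail.get("requestParameters", {})
    if (detail.get("eventName") != "AttachUserPolicy"
            or params.get("policyArn") != QUARANTINE_POLICY):
        return []
    listing = iam.list_access_keys(UserName=params["userName"])
    return [k["AccessKeyId"] for k in listing["AccessKeyMetadata"]
            if k["Status"] == "Active"]


def disable_keys(iam, key_ids):
    """Set each key Inactive; returns {key_id: outcome}. One failure never
    stops the loop, because the remaining keys still need disabling."""
    outcome = {}
    for key_id in key_ids:
        try:
            owner = iam.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
            iam.update_access_key(UserName=owner, AccessKeyId=key_id,
                                  Status="Inactive")
            outcome[key_id] = "Inactive"
        except Exception as exc:  # log and continue with the next key
            log.error("could not disable %s: %s", key_id, exc)
            outcome[key_id] = f"error: {exc}"
    return outcome


def handler(event, context=None, iam=None):
    """Lambda entry point; `iam` is injectable so the logic runs offline."""
    if iam is None:
        import boto3  # only needed when running inside AWS
        iam = boto3.client("iam")
    detail = event.get("detail", {})
    if event.get("source") == "aws.health":
        keys = keys_from_health_event(detail)
    else:
        keys = keys_from_quarantine_event(iam, detail)
    return disable_keys(iam, keys)


class FakeIam:
    """Constructed stand-in for the boto3 IAM client (offline runs only)."""
    def __init__(self, keys):
        self.keys = {k: dict(v) for k, v in keys.items()}  # id -> {UserName, Status}

    def get_access_key_last_used(self, AccessKeyId):
        if AccessKeyId not in self.keys:
            raise LookupError(f"NoSuchEntity: {AccessKeyId}")
        return {"UserName": self.keys[AccessKeyId]["UserName"]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": v["Status"]}
            for k, v in self.keys.items() if v["UserName"] == UserName]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        return {}


# Constructed sample events in the EventBridge Health and CloudTrail shapes.
HEALTH_EVENT = {"source": "aws.health", "detail": {
    "service": "RISK", "eventTypeCode": EXPOSED_EVENT,
    "affectedEntities": [{"entityValue": "AKIAIOSFODNN7EXAMPLE"}]}}
QUARANTINE_EVENT = {"source": "aws.iam", "detail": {
    "eventName": "AttachUserPolicy", "requestParameters": {
        "userName": "ci-deploy", "policyArn": QUARANTINE_POLICY}}}


def demo():
    """Run both triggers against a fake account; returns the outcomes and client."""
    iam = FakeIam({"AKIAIOSFODNN7EXAMPLE": {"UserName": "ci-deploy", "Status": "Active"},
                   "AKIAI44QH8DHBEXAMPLE": {"UserName": "ci-deploy", "Status": "Active"},
                   "AKIAOTHERUSEREXAMPLE": {"UserName": "other", "Status": "Active"}})
    first = handler(HEALTH_EVENT, iam=iam)       # only the key AWS named
    second = handler(QUARANTINE_EVENT, iam=iam)  # the user's remaining active keys
    return first, second, iam
```

Deploy `handler` as a Lambda with iam:GetAccessKeyLastUsed, iam:ListAccessKeys and iam:UpdateAccessKey, and attach two EventBridge rules: one matching source aws.health with detail.eventTypeCode AWS_RISK_CREDENTIALS_EXPOSED, the other matching CloudTrail AttachUserPolicy calls whose requestParameters.policyArn is the quarantine policy. IAM is a global service and its CloudTrail events are delivered in us-east-1, so the rules belong there. Setting keys Inactive rather than deleting them keeps the key and its last-used record for the investigation; deletion and a fresh credential come after the blast radius is understood.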
But they believe that, in the long run, enterprises must rethink their defenses and move away from traditional secret rotation, which “solves nothing”.
Instead, they should embrace Zero Trust and ephemeral identities to shrink the attack surface and limit damage, be on the lookout for potential leaks, and implement automated detection and revocation systems.
Source: https://www.helpnetsecurity.com/2024/12/02/revoke-exposed-aws-keys