Cloud API Keys For Sale
It is scary to see a threat actor selling API keys for AWS, Azure, MongoDB, GitHub, Docker Hub, GCP and other services, starting from $100.
"If you can think of API Key, we have it. All working. Will get new keys everyday. Have tons of working AWS, GCP, Azure, Alibaba keys. You can compromise whole companies with keys with high permissions. Whole cloud infra is in your access. We have Openai, Notion, Dockerhub, SQL, Mongodb, Telegrambot and around 200 different services APIs. All fresh and working. Message me here to buy anything. Starting from $100. Minimum purchase $100"
Compromising Non-Human Identities (service/technical accounts, API keys, tokens, certificates, secrets) is the primary route for threat actors to compromise systems and data. The Secrets Sprawl challenge the industry is struggling to deal with makes this worse, especially with the explosion of cloud-based integrations with 3rd parties.
Organisations need to double down on their focus on these highly privileged accounts, covering both their on-prem estate and the expanding, uncontrolled cloud-based integrations. Organisations typically have 1000s of these accounts, in most cases unmanaged from an identity lifecycle and risk management standpoint.
Recent breaches of major cloud providers mean an organisation is no longer exposed to just internal credential risks; all its 3rd party cloud-based integrations also leave it very exposed.
What should you do:
Cycle your Non-Human Identities - if there is one thing you need to do immediately, it is to cycle all your Non-Human Identities, given they could already be exposed to both external and internal threat actors. This is, however, very challenging to do in practice, given the risk of operational impact from unknown dependencies.
Establish a Risk Program specifically focussed on Non-Human Identities, to understand how many your organisation has and how well they are managed/controlled/secured, drive hygiene activities for inactive accounts, cycle the accounts regularly, and establish monitoring control capabilities to identify inappropriate use.
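One way to start the hygiene and cycling work above for AWS access keys, as an added example that is not part of the original post: it reads a CSV in the column layout of the AWS IAM credential report and flags active keys that are overdue for rotation, never used, or idle. The sample rows and the 90-day thresholds are assumptions to adapt to your own policy.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the AWS IAM credential report
# (only the columns used here); user names and dates are made up.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
svc-ci-deploy,true,2022-03-01T09:00:00+00:00,2024-05-30T11:15:00+00:00,false,N/A,N/A
svc-backup,true,2024-04-20T08:00:00+00:00,2024-05-31T02:00:00+00:00,true,2023-01-10T08:00:00+00:00,N/A
svc-legacy-etl,true,2021-11-05T12:00:00+00:00,2023-02-14T06:30:00+00:00,false,N/A,N/A
svc-metrics,true,2024-05-01T10:00:00+00:00,2024-06-01T00:05:00+00:00,false,N/A,N/A
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy
MAX_IDLE_DAYS = 90     # assumed inactivity threshold


def _parse(value):
    """Timestamps are ISO 8601; 'N/A' (or 'no_information') marks a missing value."""
    if value in ("", "N/A", "no_information"):
        return None
    return datetime.fromisoformat(value)


def triage_access_keys(report_csv, now):
    """Return (user, key slot, finding) for every active key needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row.get(prefix + "active") != "true":
                continue  # disabled or absent keys are out of scope here
            rotated = _parse(row[prefix + "last_rotated"])
            used = _parse(row[prefix + "last_used_date"])
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((row["user"], slot, "rotation overdue"))
            if used is None:
                findings.append((row["user"], slot, "active but never used"))
            elif (now - used).days > MAX_IDLE_DAYS:
                findings.append((row["user"], slot, "inactive"))
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed date for stable output
    for user, slot, finding in triage_access_keys(SAMPLE_REPORT, as_of):
        print(f"{user} key {slot}: {finding}")
```

Keys flagged as never used or inactive are the lowest-risk candidates to disable first, which helps with the unknown-dependency problem when cycling.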
Further details on how to deal with NHIs can be found in my white-paper on Managing Non-Human Identity Risks
Read the full article from Cyber Security News ® where this was first reported.

