NHI Forum
Read full article here: https://www.oasis.security/blog/cisco-breach-non-human-identities-nhi-compromise-and-implications-for-devops-security/?utm_source=nhimg
In a recent cybersecurity incident, Cisco confirmed unauthorized access and data theft involving “Cisco data and data of our customers.” The company later revealed that some internal files—never meant for public access—were inadvertently exposed and downloaded from a public-facing environment.
The breach was later claimed by a threat actor known as IntelBroker, who attempted to sell the stolen data on BreachForums. The listing referenced hard-coded credentials, API tokens, certificates, and private keys—all pointing toward the exposure of Non-Human Identities (NHIs) used in Cisco’s DevOps pipelines.
Cisco explained that the incident originated from its public DevHub, a developer environment hosting container images and microservices for building IOx applications on Cisco devices. While the DevHub was meant to aid third-party developers, it unintentionally contained sensitive credentials and secrets that opened a door for attackers.
This kind of exposure is especially dangerous in modern DevOps ecosystems. Attackers who obtain NHI credentials can move laterally across CI/CD environments, escalate privileges, and infiltrate internal systems—all without exploiting traditional software vulnerabilities.
The Flaw: Publicly Exposed NHI Secrets
The exposed DevHub contained environment variables and configuration files that embedded long-lived credentials and API keys. Such files are often overlooked in cloud-native environments, yet they hold the keys to high-privilege access.
Once the attacker gained access, these credentials could have enabled further reconnaissance or privilege escalation within Cisco’s development infrastructure. In short, the breach was not about a software exploit—it was about trust mismanagement.
This mirrors a broader industry pattern. Palo Alto Networks’ Unit 42 recently reported a cloud extortion campaign where attackers exploited AWS configuration files containing exposed keys and tokens. Those credentials lacked least-privilege controls, making them ideal for abuse. The lesson is clear: attackers don’t always need to “hack” their way in; they often just find what’s already exposed.
Best Practices to Minimize NHI Exposure
To avoid similar breaches, organizations need to treat NHI security as a first-class discipline within DevOps and cloud security. A few critical actions include:
- Discover Exposed Secrets: Continuously scan repositories, cloud storage, and configuration files for sensitive information such as API keys or certificates.
- Contextualize Secrets with Identity Mapping: Link each secret to its corresponding workload, application, or owner to understand impact and remediation scope.
- Monitor Privileged Identity Creation: Track new or modified machine accounts and tokens to detect unauthorized privilege escalation.
- Automate Safe Rotation: Once a secret is found to be exposed, rotate it immediately while preserving operational continuity.
- Apply Preventative Controls: Use guardrails, such as policy-based enforcement and automated validation, to prevent misconfiguration before deployment.
These steps, when applied consistently, can significantly reduce the attack surface of DevOps and cloud ecosystems.
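The "Discover Exposed Secrets" step above, as an added example that is not from the original post or from the Oasis product: a small Python scanner using assumed heuristics (secret-like variable names, a PEM private-key header, the AWS access-key-ID prefix format, and a Shannon-entropy threshold), run over a constructed .env file of the kind the DevHub exposure involved. It reports findings with the secret redacted so the scan output never re-leaks what it found.

```python
import math
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str  # only a redacted form is kept, so the report never re-leaks the secret

# Heuristics (assumed for this example): a key/value assignment whose name suggests a
# secret, a PEM private-key header, or an AWS access key ID ("AKIA" is AWS's public format).
ASSIGNMENT = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["\']?([^"\'\s#]+)')
SECRET_NAME = re.compile(r'key|token|secret|password|passwd|pwd|credential', re.I)
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
PEM_HEADER = re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_text(text: str, min_entropy: float = 3.5, min_len: int = 16) -> list[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER.search(line):
            findings.append(Finding(n, "private_key", "PEM block"))
            continue
        m = AWS_KEY_ID.search(line)
        if m:
            findings.append(Finding(n, "aws_access_key_id", redact(m.group())))
            continue
        m = ASSIGNMENT.match(line)
        if m and SECRET_NAME.search(m.group(1)):
            value = m.group(2)
            # Skip vault/env references and short or low-entropy values (likely placeholders).
            if not value.startswith("${") and len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append(Finding(n, f"hardcoded:{m.group(1)}", redact(value)))
    return findings

# Constructed sample of an accidentally published .env file; values are not real credentials.
SAMPLE_ENV = """\
DB_PASSWORD=${VAULT:db/password}
API_TOKEN=9f2c7e3b8d1a4f6e0c5b7a9d2e4f6c8b
AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
-----BEGIN RSA PRIVATE KEY-----
LOG_LEVEL=debug
"""
```

Run `scan_text(SAMPLE_ENV)` to see three findings (lines 2, 3 and 4); the vault reference and the log level are correctly ignored. In a CI pipeline the same function would run over every committed config file and fail the build on any finding.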
How Oasis NHI Security Cloud Can Help
Oasis NHI Security Cloud provides a unified solution for managing and securing NHIs across hybrid environments. It offers:
- Continuous discovery and classification of NHIs across DevOps, cloud, and on-prem environments
- Automated risk scoring to prioritize critical exposures
- Rapid secret rotation and remediation through integrated workflows
- Policy-based lifecycle management ensuring every machine identity has defined ownership, purpose, and expiry
- Compliance-ready audit trails aligned with modern identity standards
By leveraging Oasis, organizations can establish visibility, control, and governance over all machine and service identities. In doing so, they not only prevent breaches like Cisco’s but also strengthen their overall DevOps resilience.
Key Takeaway
The Cisco incident reinforces a growing truth in cybersecurity: the next frontier of breaches isn’t human—it’s non-human. Machine and application identities now outnumber humans by thousands to one, and each exposed credential or token is a potential entry point. Organizations that fail to govern their NHIs effectively risk turning their own DevOps pipelines into attack vectors.