Introduction
This session emphasizes the ease of breach through simple methods like credential theft. Michael Silva, with 20 years of experience in offensive and defensive security, aims to showcase real-world attack techniques and the importance of understanding vulnerabilities.
Overview of Attack Methodology
The attack simulation follows a typical cyberattack lifecycle steal, conceal, and persist. The attacker’s goal is to extract valuable data, hide their activities, and establish backdoors for future access.
- Steal – Obtain credentials and source code.
- Conceal – Hide traces of activity to avoid detection.
- Persist – Create backdoors to maintain ongoing access.
Initial Access via Public Repositories
Michael begins by searching GitHub repositories for leaked credentials. This involves:
- Cloning repositories identified with leaked secrets.
- Using open-source tools like git leaks to scan for secrets such as AWS keys and webhooks.
- Identifying secrets in different branches, not just the main branch, highlighting the importance of scanning all branches.
Analyzing Found Secrets
After scanning the GitHub repository, Michael found some secrets, such as:
- AWS access keys (denoted by AKIA prefixes).
- Secrets stored in specific commit histories, even if not present in the current branch.
He verified whether these credentials are active by configuring AWS CLI profiles and using STS caller identity to confirm their validity and permissions.
Gaining Cloud Access
With valid AWS credentials, Michael explored the scope of access:
- Identified the user or service account associated with the credentials.
- Discovered permissions, such as access to S3 buckets, RDS, and other cloud resources.
- Found sensitive data stored in S3 buckets, including customer information and internal JSON files.
He also found a GitHub personal access token (PAT), which he tested for further access to private repositories.
Exploiting GitHub Repositories
Michael listed all repositories, and examined their contents for source code and secrets. He Found:
- Source code with embedded secrets or sensitive information.
- Potential for downloading entire repositories for further analysis or exploitation.
This step demonstrates how internal code leaks can lead to significant breaches, especially when secrets are hardcoded or not properly secured.
Data Exfiltration and Concealment
Using the access to cloud resources, Michael simulated data exfiltration by:
- Listing S3 buckets containing sensitive data like customer payments and internal agreements.
- Accessing JSON files with customer connection details, revealing cross-cloud integrations .
- Using GCP credentials to access projects and services, escalating the attack to a supply chain level.
Michael emphasized the danger of cloud misconfigurations, such as overly permissive roles like “Editor” in Google Cloud, which can lead to full control over cloud environments.
Pivoting to Customer Environments
Michael demonstrated how internal credentials can be used to access customer environments, turning a breach into a supply chain attack. He:
- Identified GCP service account credentials with owner-level permissions.
- Accessed multiple customer projects.
- Highlighted the risk of attackers embedding malicious service accounts or keys within customer environments.
Lessons Learned
The demonstration underscores several critical security lessons:
- Leaking credentials in public repositories is a common and dangerous mistake.
- Scanning all branches and commits is essential for comprehensive security assessments.
- Active credentials can be exploited to access cloud resources, source code, and sensitive data.
- Internal code and secrets often get exposed unintentionally, emphasizing the need for strict access controls and secret management.
- Cloud permissions should be tightly controlled; overly permissive roles can lead to full compromise.
- Supply chain attacks can escalate from initial breaches, affecting multiple organizations and customers.
Closing Remarks
The session concludes with a warning about the ease of compromise through simple credential leaks and misconfigurations. It advocates for proactive security measures, including secret scanning, role-based access controls, and continuous monitoring to prevent such breaches.