SAP Breach

NHI Mgmt Group

Overview

In a digital world driven by cloud infrastructure, no one is immune to mistakes, not even the most established organizations. In November 2023, SAP, a global software giant, made headlines after researchers discovered that over 95 million artifacts, including sensitive Kubernetes secrets, were exposed through public GitHub repositories and misconfigured systems. This incident illustrates the critical risks associated with poor secret management practices in cloud and containerized environments.

Understanding the Incident

What Are Kubernetes Secrets?

Kubernetes secrets are configuration objects used to store sensitive information, such as API tokens, usernames, passwords, and certificates, within containerized environments. Although these secrets are crucial for managing secure access in most Kubernetes deployments, they are often stored unencrypted in the API server's datastores. Poor control or accidental exposure of these secrets, including committing them to public repositories, has created significant security exposure.

The Breach Details

Key Findings

Researchers found over 95 million artifacts in the SAP artifact repository that could have been accessed using exposed Kubernetes credentials. These credentials had been inadvertently uploaded to public GitHub repositories, allowing access to sensitive resources.

Scope of The Breach

The breach wasn't limited to SAP. It involved many Fortune 500 companies, top-tier blockchain organizations, and open-source projects. Docker Hub credentials and Azure registries were found, and many of them came with pull and push privileges, which means attackers can manipulate container images.

How Did This Happen?

Kubernetes Secrets Mismanagement

The breach resulted from Kubernetes secrets inadvertently committed to public repositories. Kubernetes secrets are objects used to store sensitive data like:

  • API tokens

  • Passwords

  • Registry keys

These secrets, often base64-encoded, were mistakenly included in configuration files (dockerconfigjson and dockercfg) and uploaded to GitHub repositories. While encoded, the secrets were easily decoded to reveal plaintext credentials, exposing sensitive resources.

Human and Systemic Failures

The exposure stemmed from a combination of factors:

  1. Human Error: Developers overlooked the inclusion of secrets in code commits.

  2. Weak Automation Checks: Scanning tools failed to flag base64-encoded secrets, highlighting a gap in existing security solutions.

  3. Lack of Encryption: Kubernetes secrets were stored unencrypted in API server datastores, increasing their vulnerability.
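
One way to close the scanning gap described above, as an added example (not code from SAP or from the researchers): a Python check that decodes the `.dockerconfigjson` / `.dockercfg` data of a Secret manifest and reports each registry that carries a usable credential, without echoing the password. The function names, the regex-based extraction and the sample manifest are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import re

# Data keys of Secrets typed kubernetes.io/dockerconfigjson and kubernetes.io/dockercfg.
KEY_RE = re.compile(
    r'^\s*"?(\.dockerconfigjson|\.dockercfg)"?\s*:\s*"?([A-Za-z0-9+/=]+)"?,?\s*$', re.M)

def _decode(blob):
    """Base64-decode a data value and parse it as JSON; None if it is neither."""
    try:
        return json.loads(base64.b64decode(blob, validate=True))
    except ValueError:  # covers binascii.Error, JSON and UTF-8 decode errors
        return None

def find_registry_credentials(manifest_text):
    """Return one finding per registry entry that holds a password or auth token."""
    findings = []
    for key, blob in KEY_RE.findall(manifest_text):
        doc = _decode(blob)
        if not isinstance(doc, dict):
            continue
        # .dockerconfigjson nests registries under "auths"; legacy .dockercfg is flat.
        auths = doc.get("auths", {}) if key == ".dockerconfigjson" else doc
        for registry, entry in auths.items():
            if not isinstance(entry, dict):
                continue
            user, has_secret = entry.get("username"), bool(entry.get("password"))
            if entry.get("auth"):
                # "auth" is base64("user:password"): a second layer of encoding.
                try:
                    inner = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
                    name, _, password = inner.partition(":")
                    user, has_secret = user or name, has_secret or bool(password)
                except binascii.Error:
                    pass
            if has_secret:  # report location and account only, never the secret
                findings.append({"key": key, "registry": registry, "username": user})
    return findings

def build_sample_manifest():
    """Constructed sample: fake registry, account and password."""
    auth = base64.b64encode(b"ci-bot:not-a-real-password").decode()
    cfg = json.dumps({"auths": {"registry.example.com": {"auth": auth}}})
    blob = base64.b64encode(cfg.encode()).decode()
    return ("apiVersion: v1\nkind: Secret\nmetadata:\n  name: regcred\n"
            "type: kubernetes.io/dockerconfigjson\ndata:\n"
            f"  .dockerconfigjson: {blob}\n")

if __name__ == "__main__":
    print(find_registry_credentials(build_sample_manifest()))
```

Run as a pre-commit or CI step over manifest files, a non-empty result is the signal to block the commit and rotate the credential.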

Potential Impacts

Supply Chain Attacks

Exposed credentials can enable attackers to compromise software supply chains. By manipulating container images or injecting malicious code into artifacts, attackers can propagate malware through trusted sources to downstream users.

Operational Damage

Credentials providing both pull and push privileges allowed attackers to alter registry contents. This could result in service disruptions, unauthorized deployments, or data breaches across dependent systems.

Reputational Damage

High-profile organizations like SAP face long-term reputational harm due to such exposures, especially when tied to core operational tools like Kubernetes.

Recommendations

  • Encrypt Kubernetes Secrets: Use Kubernetes Encryption Configuration to ensure secrets are encrypted at rest.

  • Use Secret Management Tools: Dedicated secrets management tools can securely store and rotate credentials.

  • Conduct Routine Audits: Regularly scan public and private repositories for misconfigured or exposed credentials.

  • Limit Access Privileges: Apply the principle of least privilege to reduce potential misuse of credentials.

Conclusion

The exposure of over 95 million artifacts in SAP’s repository illustrates the dangers of mishandling Kubernetes secrets. As software supply chains grow more complex, the risks of credential leaks amplify, threatening the foundations of secure development and deployment.

To mitigate these risks, organizations must prioritize robust secret management, enforce strict access controls, and educate development teams on secure coding practices. In the era of containerized environments and rapid deployment cycles, a single misstep can escalate into a large-scale cybersecurity crisis.