Database Stores, Cloud Storage And Services At Risk From Exposed Access Keys Finds New Research
LONDON and SAN FRANCISCO, Sept. 15, 2020 /PRNewswire/ -- Digital Shadows, the leader in digital risk protection, has today revealed new research looking at the growing problem of company access keys inadvertently exposed during software development. Access keys, and their corresponding secrets, are used by developers to authenticate into other systems. While these should be kept private, poor security practices mean they are frequently made 'public' and are a gift to threat actors who routinely scour such sites for easy access to company systems.
Over a 30-day period Digital Shadows scanned more than 150 million entities from GitHub, GitLab, and Pastebin. During this time, its technology assessed and categorized almost 800,000 access keys and secrets. Digital Shadows discovered more than 40% of these were for database stores, with 38% for cloud providers such as Google, Microsoft Azure and Amazon Web Services. Some 11% were for online services including collaboration platforms such as Slack and payment systems including Stripe.
The impact of exposed database keys is particularly profound - these types of credentials could allow unauthorized access to company data, including personally identifiable information (PII) with the permission to expose, destroy or manipulate company data. Credentials for Redis (37.2%), MySQL (23.8%), and MongoDB (19.3%) were the most common.
The research also found that keys are commonly exposed for cloud providers. Google Cloud was found to have the most exposed keys with 56.5% of the total. Microsoft Azure access keys and SAS tokens make up 22.7% and 12.4% respectively. Interestingly, despite Amazon Web Services being the market leader, exposed keys for these services only made up 8.3% of the total.
Again, successful authentication into these environments could be hugely damaging and allow access to the associated cloud infrastructure, with permission to expose, destroy and/or manipulate sensitive data. The data accessible depends on the services used and could include company and internal systems information.
The research also discovered thousands of tokens and keys for popular online services, including Slack tokens. In the wrong hands, these keys could be used to post messages directly into a channel within the organization, give access to sensitive information on channels and conversations, and access a user's Slack workspace, e.g. the channels, conversations, users, and reactions.
Significant damage could also result from other exposed keys such as Stripe API keys (6.4% of the total), which could be used to infiltrate payment systems. Mailgun secret keys (4.4% of the total) could allow use of the API to send, receive and track emails, which would be highly useful to attackers looking for access to enable phishing campaigns.
Russell Bentley at Digital Shadows comments: "As software development has become increasingly distributed between in-house and outsourced teams, it has become challenging to monitor the exposure of sensitive information. Every day, technical information like keys and secrets is exposed online to code collaboration platforms. Normally this is accidental, but we have seen evidence that threat actors are scouring public repositories and looking to use it in order to access sensitive data and infiltrate organizations. Most of the services we have identified are secure by design but as ever, humans are the weak link in the chain and frequently make information public when it should be private."
Digital Shadows recommends the following action to help mitigate some of these issues:
SOURCE Digital Shadows