How Threat Actors Steal Developer Secrets
Introduction
Developer secrets are typically sensitive authentication tokens which can include API keys, access tokens, passwords and anything a developer would want secret. Examples include AWS secrets, GCP tokens and SSH keys. In recent years threat actors have been increasingly targeting cloud environments, and stealing developer secrets for malicious purposes.
Developer Secrets
Developer secrets as mentioned above, include sensitive information that should be kept confidential. These secrets can take different forms, depending on the provider and service and typically provide a level of access or authentication. Table 1 displays some common cloud related developer secrets, however this list is not exhaustive.
AWS credentials consist of an access key id and secret access key, both of which are stored as plaintext in the user’s ~/.aws/ folder. These credentials are used to authenticate requests within AWS, which will search for credentials in either ~/.aws/credentials or ~/.aws/config. Access within AWS is provided by IAM (Identity Access Management) which uses permissions and role-based access, shown in Figure 1.
SSH (secure shell) is a protocol that is used to securely connect to a computer or network by utilizing encryption to avoid interception. The protocol consists of three layers: authentication, connection and transport. SSH is used in user authentication in which a user generates an SSH key pair, which includes a private and public key. The public key is uploaded to the server, with the private key remaining with the user and is used to authenticate the user. In cloud computing SSH is frequently used to connect to Virtual Machines such as AWS EC2 and GCP Compute Engine.
Developer secrets can be exposed in a multitude of ways, including human error, with keys being uploaded to git repositories or stolen through malicious means. Exposed developer secrets risk being abused promptly as threat actors will continually scan the internet for private keys. There are multiple risks organizations can face from having developer secrets leak including, data access and exfiltration, unauthorized access and use of resources, all of which can cause large costs.
AWS Credentials
Given Amazon Web Services popularity, the service is a common target of cloud focused threat groups. Threat group “TeamTNT” rose to prominence for targeting cloud environments, in particular stealing AWS credentials to deploy cryptominers. The group, who were active from 2019 - 2021, used a stealer named “GRABBER_aws-cloud.sh” (Figure 2) that scans for AWS access tokens in home/root, AWS environments and in Docker environments (Figure 3). Access tokens and meta data are piped to a file which is uploaded to a command and control (C2) operated by the group and used in further activity.
In recent activity, Mandiant have reported on the threat group “UNC2903” stealing AWS credentials by exploiting vulnerable database software Adminer. A server-side request forgery vulnerability, designated “CVE-2021-21311” was discovered in May 2021. CVE-2021-21311 is a medium severity vulnerability affecting the open source database manager Adminer, allowing a Server-side Request Forgery (SSRF). A server-side request forgery is a vulnerability that enables requests to be made to an internal network as URLs are mishandled. A proof of concept (PoC) was pushed to a GitHub repository detailing how to exploit the vulnerability to return AWS keys from AWS metadata service. While it does not return AWS keys, UNC2903 was able to exploit this vulnerability to return AWS metadata which an attacker can use to get the server to return AWS keys in an error message. Once the threat actors have the AWS keys, they can be used to exfiltrate data from an S3 bucket.
SSH Keys
SSH (secure shell) keys are a fundamental access credential that are used in authentication in many cloud platforms including Azure, AWS, GCP, Kubernetes among others. As a result, threat actors have been targeting various services in an attempt to steal ssh keys. In 2020, threat actors began targeting misconfigured Docker containers with Kinsing malware. Kinsing downloads a shell script (shown in Figure 5) that steals data from /.ssh/config, /.ssh/known_hosts and .bash_history and iterates through each combination of user and key in an attempt to connect to each host in order to download another bash script, with the end goal of running a cryptominer.
Similarly, Chinese APT group “Rocke Group” will target vulnerable Linux servers, using SSH keys and known hosts to spread onto other machines.
GCP
During 2021, TeamTNT once again expanded their toolset, which included stealing GCP secrets. The group’s toolset included Break Out of the Box, a pentesting tool that the group used to scrape GCP credentials. It is unclear if the GCP credentials were ever used, however based on previous activity it may be safe to assume that they would be used in cryptomining operations, and the group claims to have ceased operations.
Conclusion
While cryptomining is an expensive problem for organizations, these stories highlight some greater dangers facing cloud environments. With the access threat actors are getting to developer secrets, these could be used for even more malicious purposes such as data access and exfiltration, lateral movement, and use of resources. As leaked secrets are constantly being scanned for, publicly exposed secrets will be used quickly. Even though there is currently a smaller number of threat groups specifically targeting cloud services, this will only increase with many organizations moving to the cloud. To ensure data security, companies should use a Data Security Platform as part of their security strategy. Open Raven is a DSP that shows where sensitive data is and how secure it is.
Magpie Rules
TeamTNT
Use IMDSv2 instead of IMDSv1, as it uses a session token for accessing metadata
Make sure S3 Bucket access logging in enabled
Make sure EC2 Instance Detailed Monitoring is Enabled
Ensure MFA is required for IAM
UNC2930
Use IMDSv2 instead of IMDSv1, as it uses a session token for accessing metadata