“If the secret is exposed, it will be exploited,” say researchers who analyzed the tactics of cloud-focused cybercrime.
“Secrets” are the credentials and other sensitive values that authorize access to a cloud environment. Research by cloud security firm Orca Security shows that attackers typically find misconfigured and vulnerable assets within two minutes and begin exploiting them almost immediately.
Orca Security ran the study for six months by setting up “honeypots” in nine distinct cloud environments. These honeypots were designed to simulate misconfigured resources in order to attract attackers. Each honeypot contained a planted AWS access key.
Orca then monitored each honeypot to observe whether and when attackers took the bait. The objective was to learn which cloud services are most commonly targeted, how long it takes attackers to reach public or easily accessible resources, and how long it takes them to discover and use leaked secrets.
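The measurement described above boils down to one detection rule: a planted key should never be used, so any CloudTrail event carrying its access key ID is an attacker, and the gap between planting and first use is the time-to-compromise for that asset. The following is an added example written for this page, not Orca Security's tooling; it assumes the standard CloudTrail event fields (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId), a hypothetical mapping from planted key ID to the asset it was exposed on, and a handful of constructed events with fabricated key IDs.

```python
"""Detect first use of planted ("canary") AWS access keys in CloudTrail records.

Added example for this article, not Orca Security's code. The key IDs and
events below are constructed for illustration and are not real credentials.
"""
from datetime import datetime, timezone

# Hypothetical planted keys: access key ID -> (asset it was exposed on, time planted).
CANARY_KEYS = {
    "AKIAEXAMPLECANARY001": ("github", "2023-01-10T09:00:00Z"),
    "AKIAEXAMPLECANARY002": ("s3", "2023-01-10T09:00:00Z"),
    "AKIAEXAMPLECANARY003": ("ecr", "2023-01-10T09:00:00Z"),
}

# Constructed CloudTrail-style events (a subset of the real schema).
SAMPLE_EVENTS = [
    {"eventTime": "2023-01-10T09:01:40Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
    {"eventTime": "2023-01-10T09:02:05Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
    {"eventTime": "2023-01-10T17:05:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY002"}},
    # Normal traffic from a non-canary key must be ignored by the detector.
    {"eventTime": "2023-01-10T10:00:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "192.0.2.1",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIALEGITIMATEKEY0000"}},
]


def parse_time(ts):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_use(events, canaries=CANARY_KEYS):
    """Return {asset: details} for every canary key seen at least once.

    Events are processed in time order so the first record for a key gives
    the time-to-first-use; later records only bump the event count.
    """
    result = {}
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        key_id = ev.get("userIdentity", {}).get("accessKeyId")
        if key_id not in canaries:
            continue  # not a planted key: no signal here
        asset, planted = canaries[key_id]
        if asset in result:
            result[asset]["event_count"] += 1
            continue
        delta = parse_time(ev["eventTime"]) - parse_time(planted)
        result[asset] = {
            "access_key_id": key_id,
            "first_seen": ev["eventTime"],
            "seconds_to_first_use": int(delta.total_seconds()),
            "first_action": ev["eventName"],
            "source_ip": ev["sourceIPAddress"],
            "event_count": 1,
        }
    return result


def untriggered(events, canaries=CANARY_KEYS):
    """Assets whose planted key has not been touched yet (sorted by name)."""
    used = first_use(events, canaries)
    return sorted(asset for asset, _ in canaries.values() if asset not in used)


if __name__ == "__main__":
    for asset, info in first_use(SAMPLE_EVENTS).items():
        print(f"{asset}: first use after {info['seconds_to_first_use']}s "
              f"({info['first_action']} from {info['source_ip']})")
    print("not yet triggered:", untriggered(SAMPLE_EVENTS))
```

In production the same rule would run over CloudTrail delivered to S3 or over an EventBridge rule, and the planted keys should belong to an IAM user with no permissions at all so that a triggered canary only confirms use and cannot be abused.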
Secrets discovered almost instantly
According to Orca’s report, exposed secrets on GitHub, HTTP, and SSH were all discovered in under five minutes. AWS S3 Buckets were found in under an hour.
“While tactics vary per resource, our research makes one thing clear — if a secret is exposed it will be exploited,” said Bar Kaduri, Cloud Threat Research Team Lead at Orca Security. Time to key usage varies significantly per asset type. Researchers observed key usage on GitHub within two minutes, which means that exposed keys were compromised virtually instantly.
The process was slower for other assets — for S3 Buckets, key compromise took approximately eight hours, and for Elastic Container Registry the process was nearly four months.
Although 50% of all observed exposed AWS key usage took place in the United States, usage occurred in almost every other region as well, including Canada, APAC, Europe, and South America.
Attackers are more inclined to conduct reconnaissance on resources that are popular, easily accessible, and likely to contain sensitive information. SSH servers in particular are frequently targeted for malware deployment and cryptomining because of their value to attackers.
“Attackers find exposed secrets incredibly quickly, and it doesn’t take them long to weaponize them. In this environment, defenders must ensure that their assets are not publicly accessible unless absolutely necessary and that secrets are properly managed,” said Kaduri.