The Shocking Speed of AWS Key Exploitation

December 9, 2024

It is not an uncommon phenomenon for developers working for major enterprises to inadvertently expose their AWS access keys, and it is not uncommon for threat actors to discover this and take advantage, with keys being scraped to gain unauthorized access to sensitive assets. What has changed in recent years is the speed at which these exposures are being taken advantage of. A group of security researchers recently put this to the test, and the results are interesting to examine. The test was simple: sets of AWS keys were put together and intentionally leaked on a number of common platforms. These platforms included GitHub and GitLab, Docker Hub, npm, PyPI, Crates.io, Pastebin, Stack Overflow, Quora, and Reddit. These platforms were then tracked to see how long it took for the keys to be discovered and used.

The results showed that AWS keys leaked on GitHub and DockerHub were found and exploited within minutes. Keys leaked on PyPI or Pastebin were exploited within hours. Most of the others were found within 1 to 5 days, and the keys revealed on npm were apparently never touched. These test results indicate the presence of an extensive automated infrastructure that is constantly dragging the major sources for secrets. According to the researchers, the speed of exploitation on GitHub was so fast that it necessarily implies automation rather than opportunism. This speed of exploitation is particularly worrying because it operates even faster than AWS’s automatic quarantine, making it possible for threat actors to log into sandboxed cloud environments, engage in reconnaissance, escalate privileges, and establish a persistence within the network before the credentials can be locked down. In the long run, new protocols are going to have to be created to address this problem, but for now, the key to protecting AWS keys must be continuous detection and swift action.

More from Blackwired

January 13, 2025

Seven Trends to Watch for in 2025

In 2025, cybersecurity will focus on MFA, non-human identities, app security, attack surface mapping, and data-driven insights.

Read more
January 6, 2025

New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

Doubleclickjacking tricks users into granting permissions via a stealthy UI change, posing security risks. Browser standards must evolve.

Read more
December 30, 2024

Using CAPTCHA for Compromise: Hackers Flip the Script

Fake CAPTCHA pages can trick users into phishing or running malicious scripts, exploited by groups like APT28 to compromise systems.

Read more