CISO Case Files: Fortune in Trash Heaps

 

Hidden Fortunes: 

It’s amazing what fortunes people discard or store, leaving to collect dust forgotten. It happens more often than one would think. Paintings from Tiepolo, Carrvaigo, and van Gogh have been found decades or even centuries after their disappearance. In 2014 a copy of Judith Beheading Holofernes by Carrvaigo was located by plumbers in a French chateau while repairing a leak. Hidden behind a locked door and underneath a mattress was a 406-year-old renaissance painting worth 170 million dollars. Believe it or not, similar things happen with digital files.  Precious digital assets are left abandoned after the work is done. They collect digital dust until someone wipes away the grime to realize what they have found. 

Details from the Crime Scene: 

In early October, CybelAngel located a source code leak from our client, a major postal services provider. Three years earlier, our client sought to modernize their operations with a large digital transformation project.  To do so, they sought assistance from a third-party consultant specializing in information technologies and digital security.  The third-party service provider had access to all of our client’s IT infrastructure schemes and data from production API accesses, disaster recovery plans, and cloud workloads.  The third-party created a GitHub code repository shared by engineers, project managers, and clients to speed up development. It was this code repository that was found unprotected and public. 

CybelAngel Investigates: 

CybelAngel protects our customers by continuously scanning publicly available GitHub repositories for leaks for client keywords. During our scan, we located a public code repository that contained keywords as listed by our client.  Our Cyber Analysts received the initial alerts and began their investigation locating several sensitive items including, a full set of credentials to AWS buckets, SMTP file servers, and cloud databases.  Also included was a README file containing vital information on the structure and development of various technical programs.  Nor was our client the only one affected by this leak, credentials from the third party and various subsidiaries were found.  (Want to improve your third-party risk, watch our webinar How to Manage Third-Party Digital Risk) The information contained in the code repository posed several high-level risks. Leaked credentials are used in 80% of hacking techniques (Verizon DBIR 2020), being highly valued to phishers and ransomware gangs. Many ransomware gangs start by weaponizing leaked credentials in spear-phishing to deliver malware payloads infecting companies with ransomware.  This leaves corporations vulnerable to extortion, destruction of data, and reputational damage.  (See our whitepaper Prevent vs. Pay for strategies to nip ransomware in the bud.) This was a leak that needed immediate remediation. 

Arresting the Leaks: 

Our analysts concluded their investigation by identifying the source of the leak. By cross-referencing the emails contained within the files and the user name associated with the GitHub account, we determined in all likelihood it belonged to a former third-party Dev Ops Engineer.  It should be noted that in reviewing the security configuration, this code repository was originally private. It only became public after the code repository provider updated its platform.  To remediate this leak, either the owner needed to delete or make the repository private. Within hours the owner was located, and the repository was made secure. Additional measures, including updated credentials, were taken to secure from infiltration. (Our whitepaper Detect and Remediate Third-Party Leaks covers situations like this in-depth.)

To remove exposed GitHub code make sure to delete the entire repository.

Detective’s Notes: 

Hackers might be the best recyclers in the world. Exposed and unprotected code-sharing platforms are full of valuable information like API keys that can be recycled for profit even if out of date.  Over 80% of hacking breaches involve brute force or the use of lost or stolen credentials (Verizon DBIR 2020).  This case saw a leaking public GitHub repository and exposed credentials from a third party that, if recycled by hackers, could have led to a devastating cyberattack.  CybelAngel’s digital risk protection platform will monitor for you, provide early detection and remediation built into a single solution. You can take the first step by trying CybelAngel’s free Data Exposure Dashboard.