This guest post was contributed by Soujanya Ain, GitGuardian.
Dropbox. Toyota. Uber. Microsoft. Samsung Electronics. Nvidia. A terrible wave of source code leaks and breaches involving secrets happened this year.
Most of the leaks reported during the first half of 2022 were caused by Lapsus$, the international hacker group, which was first noticed in December 2021 for a breach of the computer systems of the Brazilian Ministry of Health. Since then, their erratic energy and determination to steal businesses' private source code have astounded everyone. The public exposure of these major companies' source code, and the use of hardcoded secrets for lateral movement, once again highlights the magnitude of the secrets sprawl issue.
In software development, "secrets" generally refers to digital authentication credentials that grant access to systems or data. These are most commonly API keys, usernames, passwords, or security certificates. Often, secrets are hard-coded and sprawled across many different places. If attackers discover these secrets, they can use valid accounts to gain access to internal systems and start moving around.
This year, there have been two clear scenarios of how hackers gained initial access to organizations before a breach. In the case of Dropbox or Uber, the attacker used social engineering means such as phishing to penetrate the organization and find their way to the code. They then used hard-coded secrets to move laterally through systems, acquiring administrator-level privileges and launching attacks on infrastructure and systems. In the other scenario, the source code of companies like Samsung and Nvidia was made public against their will by the Lapsus$ group, thereby leaking corporate secrets.
Despite being more security aware than most companies, these organizations still have huge amounts of secrets in their internal repositories. What is concerning is that most companies across industries have no visibility over where their secrets will end up, and they might not even realize when they are compromised. This is a huge problem that is getting worse over time.
Major causes of breaches in 2022
Social engineering techniques such as phishing as an entry point
Phishing attempts to deceive users into compromising sensitive information. Attackers frequently employ phony emails that are crafted to appear trustworthy or to come from reputable sources. Their main goal is to persuade users to perform certain actions, such as clicking on links or opening email attachments, that enable attackers to install malware on their devices. Even MFA has proven powerless against such campaigns, with even the most cautious users' login data ending up in the wrong hands. Dropbox recently experienced such a multifactor failure when its employees fell for a well-crafted phishing campaign that gave hackers access to internal code repositories and personally identifiable information.
Secrets exposed in code repositories used for lateral movement
Source code describes a system's inner workings and often contains the secrets required to enter that system. In 2021 alone, we detected over six million secrets committed to public GitHub repos. Hard-coding exposes secrets in several ways: when code is pushed to public repositories, or when a malicious actor gains access to it. Because secrets are so widely used in the modern software development life cycle, it is easy for them to sprawl through git repositories, messaging systems, infrastructure, and workstations. This increases the attack surface, making it easier for an attacker to discover and exploit secrets in multiple ways. For businesses without automated secrets detection and remediation in place, this is a significant blind spot.
Lateral movement compromises supply chain security
According to Gartner, by 2025, 45% of firms globally are expected to have been the target of supply chain attacks. Any software or code used in the chain is a potential threat vector for an attacker. Having unsupervised open-source dependencies in your software is a major risk. A single malicious package is enough as an entry point to exploit an integrated ecosystem of connected organizations. Supply chain links can be leveraged to jump from one organization to another, exposing more secrets in the process. At least some of the attacks by the Lapsus$ group must have come through suppliers to their intended targets.
A look back at breaches in 2022
Dropbox
Date: November 1, 2022
A threat actor broke into a Dropbox developer’s GitHub account after the developer fell for a phishing scam. The attacker sent a mass phishing email pretending to be CircleCI, a well-known CI/CD tool that Dropbox uses internally.
The attacker stole 130 internal repositories, including both public and private code. The code also contained a few thousand names and email addresses of Dropbox employees and some plain text secrets, such as API keys and other credentials.
To enter more systems, the attacker would likely go for sensitive information like secrets. Which systems the API keys and other secrets could access has yet to be confirmed by Dropbox. So far, their logs reveal no unauthorized access to critical systems, suggesting that the hack was discovered in time.
Toyota
Date: October 7, 2022
Toyota, the Japanese automaker, revealed that credentials granting access to customer data were inadvertently left exposed in a public GitHub repository for about five years. As a result, an unknown hacker was led directly to the server of the company's T-Connect infotainment system, which held customer data.
Customers who subscribed to the T-Connect website were affected. T-Connect is a service and mobile application that provides users with car management features such as find my car, maintenance reminders, concierge services, and vehicle information. A development subcontractor had exposed the source code.
Up to 296,019 clients' email addresses and customer management numbers were exposed. T-Connect users who had registered between July 2017 and September 2022 were subject to fraud, including scams. Toyota later switched the repository to private and changed the compromised access credentials.
Uber
Date: September 15, 2022
The assault began with a social engineering effort against Uber's staff members, which led to access to a VPN and, in turn, to Uber's internal network. The attacker's initial vector was an external contractor whose credentials had been obtained on the dark web. Once inside the network, the hacker discovered a few PowerShell scripts, one of which included the hardcoded login information for the domain admin account of Uber's Privileged Access Management (PAM) solution. Using that admin access, the attacker was able to log in and take control of many internal services and tools used by Uber: AWS, GCP, Google Drive, the Slack workspace, SentinelOne, the HackerOne admin portal, Uber's internal employee dashboards, and a few code repositories. To investigate the situation, Uber had to shut down its compromised internal messaging and engineering systems.
Samsung Electronics
Date: March 7, 2022
Samsung, a consumer electronics giant, acknowledged that the source code for its flagship Galaxy smartphones was exposed during the attack. The attack was carried out by the Lapsus$ group. It’s unclear what, if any demands, they made to Samsung.
After analyzing the leaked Samsung source code for sensitive information such as secrets, GitGuardian uncovered 6,695 secrets, including many authentication tokens for internal or external services.
190 GB of sensitive data, including details on biometric authentication and source code from both Samsung and Qualcomm, one of its suppliers, had been exposed. This information was shared via torrent, Telegram, and some prominent Russian-language hacking and criminal forums.
NVIDIA
Date: February 25, 2022
Lapsus$ gained access to US chipmaker giant NVIDIA's internal network and stole valuable information, including trade secrets and hashed login passwords. As a form of extortion, the hackers demanded that NVIDIA remove the mining hash rate limiters on its high-end graphics cards. Lapsus$ threatened to reveal the company's secrets if it did not comply with the demand by March 4. NVIDIA refused to give in to the ransom demand.
Lapsus$ seized one terabyte of data, including a large amount of private information regarding NVIDIA graphics card designs, the source code for an AI-rendering engine called DLSS, and the usernames and passwords of more than 71,000 NVIDIA workers.
Having access to and control over such source code could set off a large supply chain reaction that could, in turn, infect countless machines and organizations.
How to safeguard yourself from such data breaches?
Having a strong code security strategy in place is now more critical than ever as hackers find creative ways to map and target developers’ and other software professionals’ secrets. Here are a few steps you can take to safeguard your data and personal information:
Use password managers, SSO, and secrets managers whenever possible to reduce the risk of secrets sprawl. Enable multi-factor authentication for all online accounts (not just admin ones). This is an easy first step in preventing attackers' lateral movement.
Another best practice is to be vigilant of phishing attacks. If there are any doubts about an email's legitimacy, you should check the header to ensure the email domain is authentic and utilize the hover preview for any links to ensure that the URL isn't sending you to a potentially dangerous website.
Maintain code hygiene and never store unencrypted secrets in Git repositories. Gain visibility into where secrets are stored and how they might be leaked. Store secrets safely and leverage tools that stop them from ending up in your repos. For secrets already in code, rotating them is an essential step. Invest in a layered defense strategy across the SDLC with automated detection and remediation capabilities.
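As an added example (not code from the original post or from GitGuardian's products), here is a minimal Python scanner of the kind that automated secrets detection builds on: it flags recognisable key formats and high-entropy values assigned to credential-like names, run over constructed sample lines. The AKIA prefix is AWS's documented access-key-ID format; the other patterns and the entropy threshold are assumptions chosen for this example.

```python
import math
import re

# Rules for secrets with a recognisable shape. The AKIA prefix is AWS's
# documented access-key-ID format; the other two patterns are generic
# heuristics chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, dictionary words low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_no, rule, value) for each suspected hardcoded secret.

    A quoted value assigned to a credential-like name is reported only when
    it looks random (entropy above the threshold), so placeholders such as
    "changeme" are not flagged. The threshold is an assumption for this example."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if rule == "assigned_credential":
                    value = m.group(2)
                    if shannon_entropy(value) < entropy_threshold:
                        continue
                else:
                    value = m.group(0)
                findings.append((no, rule, value))
    return findings

# Constructed sample lines, as they might appear in a committed config file.
SAMPLE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',    # AWS's published example ID
    'db_password = "changeme"',                      # placeholder, low entropy
    'api_key = "b7f3c9d2e8a14f60c5d1e2a3b4c5d6e7"',  # constructed random hex
    '# password = "see vault"',                      # comment, low entropy
    'token = "xK9#mQ2$vL7!pR4@"',                    # constructed random token
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE):
        print("line %d: %s -> %s" % finding)
```

Wired into a pre-commit hook and fed the staged diff, the same function blocks a commit before a secret ever reaches the repository.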
Remember that prevention is always less expensive than cure. Therefore, start preparing now for the problems that may occur in 2023 to keep yourself out of the breach headlines.