The Shocking Speed of AWS Key Exploitation
Developers at large enterprises inadvertently expose AWS access keys with some regularity, and threat actors routinely scrape those keys to gain unauthorized access to sensitive assets. What has changed in recent years is how quickly an exposed key is exploited. A group of security researchers recently measured this, and the results are worth examining. The test was simple: sets of AWS keys were generated and intentionally leaked on a number of common platforms: GitHub, GitLab, Docker Hub, npm, PyPI, Crates.io, Pastebin, Stack Overflow, Quora, and Reddit. The keys were then monitored to see how long it took for each to be discovered and used.
The results showed that keys leaked on GitHub and Docker Hub were found and used within minutes. Keys leaked on PyPI or Pastebin were used within hours. Most of the others were found within one to five days, and the keys published on npm were apparently never touched. These results point to an extensive automated infrastructure that continuously trawls the major sources for secrets; according to the researchers, exploitation on GitHub was so fast that it can only be explained by automation rather than opportunism. The speed is particularly worrying because it outpaces AWS's own response to an exposed key, which is to attach a quarantine policy to the affected IAM user that blocks a list of high-risk actions rather than disabling the key outright. An attacker can therefore authenticate to the environment the key belongs to, perform reconnaissance, attempt privilege escalation, and establish persistence before the credential is locked down. In the long run, new mechanisms for handling cloud credentials will have to address this, but for now, the key to protecting AWS keys is continuous detection, both of the exposure itself and of the first unexpected use, followed by immediate revocation.
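The measurement the researchers describe, leak time versus time of first use, can be reproduced from CloudTrail for a set of planted canary keys. The script below is an added example written for this article, not the researchers' tooling; the key IDs, timestamps and CloudTrail-style records are constructed sample data, and the sets of "reconnaissance" and "persistence" API calls are an assumption about what a first-contact attacker typically runs. It ignores the owner's own calls made before the leak, reports the time to first post-leak use per platform, and flags whether the caller only looked around or also tried to create new credentials.

```python
"""
Leak-to-first-use timing for canary AWS access keys, computed from
CloudTrail records. Added example for this article, not the researchers'
tooling; every key, timestamp and event below is constructed sample data.
"""
from datetime import datetime, timezone

# Constructed: where and when each canary key was planted (UTC).
CANARIES = {
    "AKIAEXAMPLEGITHUB000": ("GitHub", "2024-01-10T12:00:00Z"),
    "AKIAEXAMPLEPASTEBIN0": ("Pastebin", "2024-01-10T12:00:00Z"),
    "AKIAEXAMPLENPM000000": ("npm", "2024-01-10T12:00:00Z"),
}

# Assumption: calls an attacker typically makes on first contact with a key.
RECON_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "GetAccountSummary"}
# Assumption: calls that indicate an attempt to escalate or persist.
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "CreateLoginProfile"}

# Constructed CloudTrail-style records (a subset of the real record schema).
SAMPLE_EVENTS = [
    # Owner's own sanity check made before the leak: must be ignored.
    {"eventTime": "2024-01-10T11:58:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEGITHUB000"}, "sourceIPAddress": "203.0.113.10"},
    # First unauthorized use of the GitHub key, two minutes after the leak.
    {"eventTime": "2024-01-10T12:02:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEGITHUB000"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T12:02:30Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEGITHUB000"}, "sourceIPAddress": "198.51.100.7"},
    # Denied attempt to mint a second key: intent is the signal, not success.
    {"eventTime": "2024-01-10T12:05:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEGITHUB000"}, "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied"},
    # Pastebin key first touched a little over three hours later.
    {"eventTime": "2024-01-10T15:10:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEPASTEBIN0"}, "sourceIPAddress": "192.0.2.44"},
    # The npm key is never used in this sample.
]


def _ts(s):
    """Parse CloudTrail's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(events, canaries=CANARIES):
    """Per platform: seconds from leak to first post-leak call, the caller
    source IPs, and whether recon or persistence calls were observed."""
    out = {}
    for key, (platform, leaked) in canaries.items():
        leak_t = _ts(leaked)
        hits = sorted(
            (e for e in events
             if e["userIdentity"].get("accessKeyId") == key and _ts(e["eventTime"]) >= leak_t),
            key=lambda e: e["eventTime"])
        names = {e["eventName"] for e in hits}
        out[platform] = {
            "seconds_to_first_use": (_ts(hits[0]["eventTime"]) - leak_t).total_seconds() if hits else None,
            "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
            "recon": bool(RECON_CALLS & names),
            # Counted even when AccessDenied: the attempt itself is the indicator.
            "persistence_attempted": bool(PERSISTENCE_CALLS & names),
        }
    return out


def alert_lines(summary):
    """One human-readable line per platform, suitable for a pager or chat hook."""
    lines = []
    for platform, s in sorted(summary.items()):
        if s["seconds_to_first_use"] is None:
            lines.append(f"{platform}: no use observed")
            continue
        tags = (" RECON" if s["recon"] else "") + (" PERSISTENCE" if s["persistence_attempted"] else "")
        lines.append(f"{platform}: first use after {s['seconds_to_first_use'] / 60:.0f} min "
                     f"from {', '.join(s['source_ips'])}{tags}")
    return lines


if __name__ == "__main__":
    for line in alert_lines(summarize(SAMPLE_EVENTS)):
        print(line)
```

In production the same logic runs over a CloudTrail trail or an EventBridge rule keyed on the canary access key IDs, and the "first use" signal is what should trigger revocation, since the quarantine policy AWS applies on its own does not block reconnaissance calls such as `GetCallerIdentity` or `ListBuckets`.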