In the ever-evolving landscape of cybersecurity, one of the most significant challenges faced by security managers and engineers is the discovery and mitigation of hidden threats. These “secrets in the wild” often evade traditional security measures and can lead to devastating breaches if not properly addressed. This article delves into the nature of these hidden threats and their implications for threat intelligence and pen testing.
The typical enterprise services landscape is a complex ecosystem of various IT services and systems that support the operations and functions of a large organization. It encompasses a wide range of services, applications, and infrastructure components:
· Customer Relationship Management (CRM) System
· Email and Communication Services
· Collaboration and Productivity Tools
· Enterprise Content Management (ECM) System
· Network Infrastructure
· Cloud Services
· Security Solutions
· Business Intelligence and Analytics Tools
· Human Resources Management System (HRMS)
· Finance and Accounting Systems
· Enterprise Asset Management (EAM) System
· Virtual Private Network (VPN) and Remote Access Services
· And many others
In today’s digitalized world, many services used by companies rely heavily on APIs (Application Programming Interfaces). APIs enable different software applications to communicate with each other, allowing seamless access and modification of data. Companies such as Microsoft, Atlassian, ServiceNow, Amazon and many others provide extensive APIs that are integral to their services.
The proliferation of development tools has streamlined the process of working with APIs. Tools like Postman, Swagger Hub, and GitHub have become indispensable in the daily operations of development and IT teams. However, the convenience these tools offer also comes with potential security risks that must be managed.
Postman, Swagger Hub, GitHub, and other services provide features to limit access to code and API requests. Despite these capabilities, the real challenge arises in managing access effectively, especially when dealing with large teams or multiple stakeholders.
Access Management Challenges
· Shared Secrets: When secrets (like API tokens or keys) are not yours, there’s a tendency to be less vigilant about their security. This can lead to careless sharing and inadequate access controls.
· Scalability Issues: When you need to grant access to a large number of people, the temptation to make entire repositories or collections public increases. This not only simplifies access management but also inadvertently exposes sensitive information.
· Discovery Risks: Service URLs provided by service providers are often publicly documented. Attackers can search public collections and repositories for these URLs to narrow down which organizations use a given service, and then target them through the provider’s APIs.
As an example, Microsoft’s list of Microsoft 365 service URLs and IP address ranges is publicly accessible: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
Let’s try searching for login.microsoftonline.com in Postman:
Now let’s try the same in SwaggerHub:
One of the findings from SwaggerHub:
Using this service-URL approach we were able to find credentials for a Microsoft-owned instance:
The issue has been reported to Microsoft and resolved.
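The defensive counterpart to the search above is to check a collection before it is shared or made public. As an added example (not code from the article), the Python below walks a Postman v2.1 collection export and flags credential-named headers, auth entries, body fields and collection variables that hold a literal value instead of a {{variable}} reference; the sample collection is constructed and its values are made up.

```python
import json
import re
# Field names that usually carry credentials, and a value that is only a {{variable}} reference.
SECRET_KEY_RE = re.compile(r"secret|token|password|api[_-]?key|authorization", re.I)
PLACEHOLDER_RE = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")

def is_literal_secret(key, value):
    # A credential-named field holding a literal (not a {{variable}} reference) is a finding.
    return bool(value) and bool(SECRET_KEY_RE.search(key or "")) and not PLACEHOLDER_RE.match(value)

def scan_request(name, req, findings):
    for h in req.get("header", []):
        if is_literal_secret(h.get("key"), str(h.get("value", ""))):
            findings.append((name, "header", h["key"]))
    auth = req.get("auth") or {}   # e.g. {"type": "bearer", "bearer": [{"key": "token", "value": "..."}]}
    for entry in auth.get(auth.get("type", ""), []):
        if is_literal_secret(entry.get("key"), str(entry.get("value", ""))):
            findings.append((name, "auth." + auth["type"], entry["key"]))
    body = req.get("body") or {}
    for field in body.get("urlencoded", []) + body.get("formdata", []):
        if is_literal_secret(field.get("key"), str(field.get("value", ""))):
            findings.append((name, "body", field["key"]))

def scan_collection(coll):
    # Returns (location, kind, field) for every literal credential in a Postman v2.1 collection.
    findings = []
    for v in coll.get("variable", []):   # collection variables travel with the collection when shared
        if is_literal_secret(v.get("key"), str(v.get("value", ""))):
            findings.append(("collection", "variable", v["key"]))
    def walk(items, path):
        for it in items:
            name = f"{path}/{it.get('name', '?')}"
            if "item" in it:             # folder: recurse
                walk(it["item"], name)
            elif "request" in it:
                scan_request(name, it["request"], findings)
    walk(coll.get("item", []), "")
    return findings

# Constructed sample: the body field correctly references a variable, but the variable and header hold literals.
SAMPLE_COLLECTION = json.loads(r'''{
  "variable": [{"key": "tenant", "value": "contoso.onmicrosoft.com"},
               {"key": "client_secret", "value": "EXAMPLE-not-a-real-secret-0123456789"}],
  "item": [
    {"name": "Get token", "request": {"method": "POST", "url": {"raw": "https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/token"},
       "body": {"mode": "urlencoded", "urlencoded": [{"key": "client_id", "value": "11111111-2222-3333-4444-555555555555"},
                                                     {"key": "client_secret", "value": "{{client_secret}}"}]}}},
    {"name": "Graph", "item": [{"name": "Me", "request": {"method": "GET", "url": {"raw": "https://graph.microsoft.com/v1.0/me"},
       "header": [{"key": "Authorization", "value": "Bearer EXAMPLE.not.a.real.jwt"}]}}]}]}''')
```

Running `scan_collection(SAMPLE_COLLECTION)` reports the literal collection variable and the hardcoded Authorization header, while the body field that references `{{client_secret}}` passes; the same check works on a collection exported from the Postman UI.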
We’ve been closely monitoring this trend, underscoring the critical importance of robust security practices. We have identified and reported instances where credentials for various services were exposed, highlighting the urgent need for vigilance and proactive security measures. This oversight has impacted numerous companies, with over 80 organizations affected by the accidental exposure of their sensitive credentials.
APIs and modern development tools have become cornerstones of contemporary IT infrastructure, providing unmatched flexibility and efficiency. However, their misuse or misconfiguration can lead to significant security breaches.
The described scenario of publicly available service URLs and potentially exposed API tokens can be leveraged by bug hunters, penetration testers, and red teams to uncover security vulnerabilities and execute sophisticated attacks:
· Bug Hunters: Bug hunters can utilize publicly available information about service URLs to identify potential attack surfaces. By probing these APIs, they can uncover vulnerabilities such as improper access controls or insecure API endpoints.
· Penetration Testers: During penetration testing engagements, testers can simulate real-world scenarios where attackers exploit exposed API tokens or poorly secured API endpoints. This helps organizations identify weaknesses in their API security posture and implement remediation measures.
· Red Teams: Red teams, tasked with mimicking real adversaries, can use the information gleaned from public sources to mount targeted attacks. They can escalate from initial access through compromised API tokens to advanced stages such as data exfiltration, demonstrating the potential impact of a successful breach.