
Three Recent Examples of Why You Need to Know How Vulnerable Your Secrets Are

Posted on Oct 5

Secrets (programmatic credentials such as access tokens, API keys, or private encryption keys) play a pivotal role in securing access to equipment, data, services, and APIs. However, the expanding proliferation of secrets creates significant challenges when it comes to keeping them safe and secure. As mentioned in a recent article, compromised credentials are becoming the preferred vector for hackers to get a toehold in a victim's systems, since it takes less effort than most other methods. In this blog post, we'll explore three recent real-world examples of how secrets can escape, each of which demonstrates the crucial role of robust secret detection solutions in mitigating these risks.

Threat actor Storm-0558 is credited with an attack campaign that has been targeting Exchange Online and Azure Active Directory (AD). Recently, information was released about how the Microsoft signing key the threat actor used to forge tokens was leaked. Microsoft's investigation traced it to artifacts from the crash of a consumer signing system in April 2021. During this incident, a snapshot of the crashed process was created. Normally, these crash dumps are designed to redact sensitive information, but a race condition allowed a critical secret, the signing key, to be present in the crash dump.

The presence of this sensitive material went unnoticed by Microsoft's detection systems. The crash dump, initially believed to be free of secrets, was transferred to a debugging environment on the internet-connected corporate network, following their standard debugging process. After a while, Storm-0558 managed to compromise the corporate account of a Microsoft engineer who had access to that environment and gained access to the crash dump containing the signing key.
The end of the story is already well-known: the threat actors used this key to sign tokens that granted them access to mail servers. Other vulnerabilities were involved in this attack, and all of them have since been mitigated by Microsoft, but the incident serves as a stark reminder of the challenges organizations face in detecting and protecting against secret exposures. See our blog post "Protect your keys, lessons from the Azure key breach" for more on this attack.

VMware recently faced a security challenge with their Aria Operations for Networks software. After a significant security update to address a "Network Bypass" vulnerability, VMware discovered that exploit code had been published online. The culprit, it turned out, was hardcoded SSH keys. A PoC released by vulnerability researcher @SinSinology showed that the private access keys were predefined for each version of the product instead of being dynamically generated. It didn't take long to extract the key from each version and share them publicly. These kinds of secrets should never be set in stone; they should be generated dynamically at installation time.

Days later, Fujitsu's IP series devices became the stars of their own security horror movie. Firmware released before July 26, 2023, was discovered to contain hard-coded backdoor credentials that could not be changed by end users. Unalterable passwords should never be built into products, especially ones exposed to a network. In this case, the credentials granted administrative access to the devices, creating a vulnerability that attackers could exploit to gain persistent access.

The presence of hard-coded credentials in these two products shows how secrets can remain buried within systems, hidden from end users and presenting significant cybersecurity issues.

Very recently, Sourcegraph, an AI-powered source code search engine, announced they had suffered a data breach.
An access token was inadvertently published in a code commit to their public instance, despite automated code analysis tools being in place. The leaked token had broad privileges, allowing the attackers to create a new account, elevate its privileges, and gain access to the admin dashboard. The malicious user then created a proxy that allowed free access to Sourcegraph's API and publicized it.

This last example shows the ever-present risk of secrets being exposed through human error or unforeseen circumstances. Even with robust security measures in place, a single mistake can lead to a significant security breach. It emphasizes the need for comprehensive secret detection solutions that can identify and mitigate these threats proactively.

As the digital landscape evolves, the variety and sheer vastness of the secrets landscape poses a constant challenge. To combat this threat effectively, organizations need reliable secret detection products like those offered by GitGuardian. These tools are designed to tirelessly scan code repositories, databases, and environments for signs of sensitive information, alerting organizations to potential risks before they can be exploited.

GitGuardian's secret detection solutions are a crucial ally in the fight against hidden threats lurking in your systems. They provide real-time monitoring, alerts, and remediation options, helping organizations safeguard their secrets, maintain regulatory compliance, and protect their reputation.

In a world where so many secrets exist in so many places, the responsibility of safeguarding them has never been more critical. The incidents outlined above underscore the need for robust secret detection solutions to identify and mitigate security risks effectively. With GitGuardian's state-of-the-art products, organizations can proactively protect their secrets, ensuring a safer digital environment for all.
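To make the scanning described above concrete, here is a small, added example of the two checks a secret detector applies to the cases in this post: finding key material and token-like values in a commit (the Sourcegraph case) and flagging private keys baked into release artifacts instead of generated at install time (the VMware and Fujitsu cases). This is illustrative code written for this page, not GitGuardian's product or any vendor's scanner; the two regexes, the entropy threshold, the sample diff and the build contents are all constructed for the example, and the key bodies are filler, not real keys.

```python
import hashlib
import math
import re
from dataclasses import dataclass

# Two illustrative detectors (a real scanner ships hundreds): PEM private-key
# blocks, and token-like values assigned to suspicious variable names.
PEM_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)
ASSIGN_RE = re.compile(
    r"(?i)\b\w*(?:api[_-]?key|token|secret|password)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9_\-./+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    kind: str         # "private_key" or "token"
    line: int         # 1-based line where the match starts
    fingerprint: str  # sha256 prefix of the secret; the secret itself is never stored


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_text(text: str) -> list:
    """Return findings for PEM private keys and high-entropy token assignments."""
    findings = []
    for m in PEM_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append(Finding("private_key", line, fingerprint(m.group(0))))
    for m in ASSIGN_RE.finditer(text):
        value = m.group(1)
        # Placeholder-looking values such as "changeme_..." are low entropy; skip
        # them so the scanner alerts on credentials rather than templates.
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding("token", line, fingerprint(value)))
    return findings


def keys_shared_across_builds(artifacts: dict) -> dict:
    """Map each private-key fingerprint to the builds that ship it.

    Any entry at all means a key is baked into a release instead of being
    generated on the installed system; an entry listing several builds means
    the same key is shared by every install of those releases."""
    shipped = {}
    for build, content in artifacts.items():
        for f in scan_text(content):
            if f.kind == "private_key":
                shipped.setdefault(f.fingerprint, []).append(build)
    return shipped


# Constructed sample: a commit diff adding a config file (filler key body).
SAMPLE_DIFF = """\
+++ b/deploy/config.py
+SOURCEGRAPH_TOKEN = "Zq8vL3pX9mK2tR7wN4bJ6hF1cY5dG0sA"
+DB_PASSWORD = "changeme_changeme_changeme"
+HOST_KEY = '''-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA-placeholder-not-a-real-key
+-----END OPENSSH PRIVATE KEY-----'''
"""

# Constructed sample: three firmware/release builds, two of which ship the
# same hard-coded key (build names are placeholders, not real versions).
KEY_A = "-----BEGIN RSA PRIVATE KEY-----\nFILLER-KEY-A\n-----END RSA PRIVATE KEY-----"
KEY_B = "-----BEGIN RSA PRIVATE KEY-----\nFILLER-KEY-B\n-----END RSA PRIVATE KEY-----"
SAMPLE_BUILDS = {
    "build-1": "# sshd config\n" + KEY_A,
    "build-2": "# sshd config\n" + KEY_A,
    "build-3": "# sshd config\n" + KEY_B,
}

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"{f.kind} at line {f.line} (fingerprint {f.fingerprint})")
    for fp, builds in keys_shared_across_builds(SAMPLE_BUILDS).items():
        print(f"key {fp} shipped in builds: {', '.join(builds)}")
```

The scanner reports fingerprints rather than the matched values so that its own output does not become another place the secret leaks; a fingerprint is enough to deduplicate findings across commits and builds and to confirm a rotation removed the key. The entropy gate is what keeps a detector like this from drowning in placeholder values, at the cost of missing short or dictionary-word secrets, which is why production scanners pair it with hundreds of provider-specific patterns.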
Don't wait for your feet to get wet to learn there’s a hole in your boat—take proactive steps to secure your secrets with GitGuardian today.



This post first appeared on VedVyas Articles, please read the original post: here
