How Long Before Hackers Scrape AWS Credentials on Public GitHub Repos?

• AWS credentials exposed on public GitHub repositories will be scraped in less than a single minute.
• The actors then scan the accessed server and have all the details within four minutes.
• The automated scanners launch requests from different IPs to prevent detection and bans.

If you are wondering how long it would take for hackers to scrape AWS credentials stored in publicly accessible GitHub repositories, the answer may (not) shock you. A team of researchers at Comparitech has set up a special honeypot to test this scenario and found out that it would only take a single minute.

It means that if you have committed code to GitHub wrongfully, you don’t have more than a minute to realize and revert the action.

GitHub repositories are typically used for backing up stuff or sharing information with other team members. Sometimes, in the code snippets and files uploaded there, things like usernames, passwords, API tokens, and secret keys are included by mistake.

To catch these mistakes before the uploaders realize it, the actors are using automated crawlers that can perform multiple requests from different IP addresses. Whatever is left hanging is picked up almost immediately, and the next step isn’t taking much longer.

Within four minutes from the initial moment of exposure, the actors accessed the server using the stolen credentials and scanned for users, permissions, groups, roles, and policies using the DescribeInstances and GetAccountAuthorizationDetails API calls. When the researchers created a dummy user that only had read access and could register and deregister container instances, they logged over a thousand RunInstances API calls within one minute.

Related: ‘View Media’ Exposed 39 Million User Records on Unprotected AWS Database

It is worth noting that Amazon’s automatic security mechanism caught the suspicious activity, suspended the dummy user, and sent an email to the account owner informing them of the security event. The attackers’ bulk approach gave away their malicious intentions, but it would be totally unlikely to have Amazon step in and save the day when it comes to more targeted attacks.

If you happen to blunder by exposing your own AWS credentials on a GitHub repo, you are advised to do the following, even if you revert the action in a few seconds.

• Update the root password
• Rotate and delete all access keys
• Check each region for unauthorized AWS usage
• Terminate unauthorized resources
• Immediately remove leaked keys and other credentials
• Revoke and delete those credentials
• Contact AWS support for any further issues

To prevent this from happening in the first place, review what you are about to commit carefully. Additionally, remove unused keys, set up MFA for accounts that hold powerful permissions, encrypt tokens before sharing them, and use temporary security credentials instead of long-term access keys.