ramimac / aws-customer-security-incidents

A repository of breaches of AWS customers
GNU General Public License v3.0

AWS Credentials in Docker Images #108

Closed ramimac closed 1 year ago

ramimac commented 1 year ago

https://arxiv.org/pdf/2307.03958.pdf

christophetd commented 1 year ago

Interesting bits:

In this paper, we analyze 337,171 images from Docker Hub and 8,076 other private registries unveiling that 8.5% of images indeed include secrets. Specifically, we find 52,107 private keys and 3,158 leaked API secrets (...). We further document that those leaked keys are used in the wild: While we discovered 1,060 certificates relying on compromised keys being issued by public certificate authorities, based on further active Internet measurements, we find 275,269 TLS and SSH hosts using leaked private keys for authentication.

In total, we found 3,158 distinct API secrets in Docker images, mostly related to services from the cloud domain (2920 secrets). Although we cannot prove the functionality of these secrets, the occurrence of 1,213 secrets for the Amazon AWS API or 177 secrets for the Alibaba API indicate that attackers might be able to reconfigure cloud services maliciously, (...). Additionally, we found evidence for secrets allowing attackers to access private data from social media (213 secrets), or even access financial services (25 secrets, most matches: Stripe API).