The World’s Largest Breach. Root cause: Secrets in Code

On July 3rd, Changpeng Zhao, the highly regarded CEO of cryptocurrency exchange Binance, posted a tweet under his widely known moniker CZ, alerting the world to a massive data breach that in part read, “our threat intelligence detected 1 billion resident records for sell in the dark web, including name, address, national id, mobile, police and medical records from one asian country”.

One billion records exposed. Is this the world’s largest breach? 

Over the last few years, software supply chain attacks have been highlighted as one of the top five causes of major cybersecurity incidents. The number of incidents is growing, and so is the pain felt by the organizations and individuals subject to these attacks.

Based on current census data, this breach encompassed 12.9% of the Earth’s population. Counting only the people on the planet who are connected to the internet, the share involved in this breach jumps to 20.1%.

Usually after an attack we hear pundits say things like “this is a wake-up call, we must take action” or “these are lessons learned and we have to do better next time”. This breach is not a wake-up call or a moment of learning; this is full-blown war, and unfortunately we are all asleep at the wheel.

What happened?

In this case the incident started innocently, with a snippet of source code being copied from a repository and pasted on a blog site on the Chinese Software Developer Networks (CSDN). The code snippet contained access credentials in plain text for all to see.

Code snippet copied to the CSDN blog contained a critical secret causing a massive breach

Once the secret was exposed, attackers could use it to access privileged account areas and elevate their privileges, allowing them almost complete and unfettered access to the application landscape and the associated data. At this point a sophisticated attacker could inject malware that resides as an advanced persistent threat (APT) and si

The leading root cause of software supply chain breaches turns out to be secrets in code. Whether through negligence or malicious intent, secrets that are left in code can be exploited by hackers to mount asynchronous attacks leading to escalation of privileges, exploitation of vulnerabilities and exfiltration of data. As noted at the start of this post, records for more than one billion individuals were exfiltrated, including unprecedented levels of personally identifiable information.

What are secrets in code and why do they exist?

Secrets exist as artifacts in code that an app uses to connect to an external service, account, or application. Secrets used by developers include API keys; encryption keys; OAuth tokens; certificates; and passwords. 

Organizations developing software are adopting automated DevOps and CI/CD pipeline solutions to speed up the development and testing all the way to deployment. Software is being rapidly assembled from a series of building blocks. Some of these are created in-house, while others are available for use off the shelf. 

The resulting code can be a combination of open source code, in-house code and third-party code in order to deliver finished applications much faster.  In order for these parts to interact securely, encryption keys and authentication methods are used between software components.

It can be challenging to determine all the reasons that secrets remain in code. In many cases development teams are focused on getting business logic and the functional aspects of integration to work. It is often easier to hardcode the secret string or value into the code while testing and deal with removing the secret later. Despite good intentions, developers sometimes forget to do that or, rarely, deliberately expose secrets in clear text out of malicious intent. One way or another, secrets numbering in the thousands often find their way into code repositories.

One of the biggest challenges facing organizations today is that manual detection, identification and remediation of secrets in code has become a tedious and time-consuming process. In many cases application security teams within organizations, particularly those with large numbers of developers, are faced with having to resolve many thousands of secrets.

How should we treat secrets?

Secrets in code are extremely critical to organizations. With almost all organizations using git repositories for source code version control management, what is widely forgotten is that multiple versions of code that have iteratively been improved still exist in git repositories. Very seldom do organizations completely delete the code history. Even if the most current tip of the branch for code has been diligently scanned for secrets, prior versions remain with secrets exposed in that code, exposing the organization to risk. 

IT organizations in many cases rely on the internal or private repositories and many times are lulled into a false sense of security that their repositories are secure because they are private. This has been proven wrong many times over. Sophisticated attackers are now targeting these private repositories to harvest these critical secrets to aid them in mounting debilitating asynchronous attacks. There are steps organizations can take to minimize the adverse impact from the use of secrets in their code. 

What are some current solutions? Why do they fall short?

| Code security solutions | Key capabilities | Why they fall short |
| --- | --- | --- |
| Application security solutions (e.g., SAST, DAST solutions) | Scans an application’s source code, usually the versions ready to deploy. Widely used in enterprises. Able to detect known vulnerabilities in code. | Not optimized to detect and remediate secrets. Does not include scans of prior versions of code in repos. Unable to detect PII, access violations and misconfigurations. |
| Security features in source code management systems (e.g. GitHub Advanced Security) | GitHub, GitLab, etc. have security features available for their platform. Scans code for vulnerabilities and some secrets. | Optimized to work on their specific platform only. Cannot address code present elsewhere. Can identify only a limited number of secrets. Risks such as PII, code leaks and access violations not detected. |
| Security management tools – encrypted vault (e.g. HashiCorp Vault) | Developers can use indirect references to secrets stored in separate vaults. Prevent exposure in clear text. Works well for known secrets. | Only works with secrets that the organization already recognizes. It’s a viable fix for the symptoms, not for the root cause. |
| Open source security solutions (e.g. TruffleHog) | TruffleHog supports entropy checks and regular expression (regex) checks to identify secrets in code. Support for contextual analysis and validity checks. | Main drawback is the high number of false positives. TRFL makes a temporary copy of Git contents on a local file system which could be a security issue. Lacking effective user interface and experience. |
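
To make the point about git history concrete, and to show the regex and entropy checks named in the table, here is an added example (not from the original post and not the code of any product named here). It scans a constructed `git log -p` excerpt in which a later commit removed the secrets; the entropy threshold, commit ids and password are assumptions made up for the example.

```python
import math
import re

# Constructed `git log -p` excerpt (newest commit first). Commit ids and the
# password are made up; the key ID is AWS's published documentation example.
HISTORY = """\
commit 2222222
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,2 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
-DB_PASSWORD = "q8Zr2LmX0vT5yBn7Kc3Jd9Wf"
+AWS_KEY = os.environ["AWS_KEY"]
+DB_PASSWORD = os.environ["DB_PASSWORD"]
commit 1111111
--- /dev/null
+++ b/settings.py
@@ -0,0 +1,2 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "q8Zr2LmX0vT5yBn7Kc3Jd9Wf"
"""
# What a scan of the branch tip sees after the clean-up commit.
TIP = 'AWS_KEY = os.environ["AWS_KEY"]\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n'

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # regex check: known key shape
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")      # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0                           # assumed cut-off, bits per character

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_line(line):
    findings = [("aws-access-key-id", m.group()) for m in AWS_KEY_ID.finditer(line)]
    for m in TOKEN.finditer(line):
        tok = m.group()
        if not AWS_KEY_ID.fullmatch(tok) and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high-entropy-string", tok))
    return findings

def scan_tip(text):
    return [f for line in text.splitlines() for f in scan_line(line)]

def scan_history(patch_text):
    hits, commit = [], None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+") and not line.startswith("+++"):  # added lines only
            hits += [(commit, kind, value) for kind, value in scan_line(line[1:])]
    return hits
```

Scanning `TIP` returns nothing, while `scan_history(HISTORY)` still reports both values against the older commit, which is why a secret that was ever committed has to be rotated rather than just deleted from the latest version.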

As a solution that is built with developers in mind, BluBracket is easy to integrate into the daily development workflows. It has the flexibility to operate across all git repositories, both internal and external. Integration with existing DevOps and CI/CD tools commonly found in the enterprise allow developers to easily include BluBracket into their daily routines. 

The BluBracket code security solution starts with mitigating secrets in code and quickly extends to add other solutions to provide a complete code security solution.

How BluBracket addresses secrets in code

BluBracket’s secrets functionality identifies and helps eliminate secrets throughout the development workflow (before commit, review on pull request, and alert on commits to monitored repos), and makes it easy to triage and mitigate secrets previously committed.

BluBracket’s deep scans identify secrets in git history, and can even identify active secrets so you know which ones are most important.

Secrets in Code: secrets in code exist as artifacts that an app uses to connect to an external service, account, or application. Secrets used by developers include API keys; encryption keys; OAuth tokens; certificates; and passwords. BluBracket scans for secrets in code, alerts on them and then provides a means to eliminate the risk.

Other key risks in code addressed by BluBracket

Alert on Personally Identifiable Information (PII): organizations have various policies governing the use, storage, and disposition of PII. Some examples are social security numbers, credit card numbers, date of birth etc. In certain industries there are strong regulatory mandates with huge penalties for failure to protect this data. BluBracket can block such data from being exposed. 

Infrastructure as Code (IaC): helps with the managing and provisioning of compute infrastructure and cloud services using (software) configuration files. Misconfigurations in IaC scripts can lead to serious disruptions. BluBracket can identify misconfigurations in IaC prior to deployment.

Enforce access and Identity governance rules: as code is cloned and proliferated via Git repositories, it becomes difficult to identify the owners of the code, the collaborators, and the interlopers. BluBracket allows developers and AppSec teams to discover who has access at all times.

Prevent code leaks: Developers sometimes unknowingly place company IP at risk when they share code sections or commits on to public Git repositories. BluBracket regularly scans public repositories for code fingerprints that may have leaked into the extended universe. 

Identify git misconfigurations and IaC violations: Git misconfigurations can result from insecure default configs, incomplete or un-patched applications etc. BluBracket looks across hundreds of software components, libraries, and application frameworks for vulnerable misconfigurations.

Identifying non-inclusive language: In keeping with current times and developers’ desire to move the tech industry away from insensitive racial or gender bias in the words that we use in our code, BluBracket scans to identify such terms and delivers options to remediate. where they originated from, allowing attackers the opportunity to exploit those vulnerabilities.

BluBracket extends code security solutions beyond standard repositories

Code risks can extend beyond the immediate code development environment to tools that are adjacent to integrated development environments (IDEs) and version control systems. These are risks that are introduced before code is available in git repositories. Design collaboration systems like Confluence can contain secrets like API keys and credentials that are defined by the team prior to deploying.

Similarly, in recent months there has been an increase in the number of incidents that have resulted from AWS keys being exposed in code. Risks in code can be stored in cloud based storage environments like Amazon S3 buckets. 

BluBracket has developed numerous solutions to identify and eliminate risks across the company in all the tools we use. We are open-sourcing these solutions as composable tools with configurable recipes, in the hope that we can help improve security for all.

Composable tools and ready-made recipes for universal risk detection beyond code: open source solutions identify secrets and PII across the enterprise, including S3 buckets, logs, Confluence wiki pages, databases, and more.

How to get started?

BluBracket helps you understand your overall code health and identifies the areas of highest risk, implement workflows to stop new risks from getting into code and monitor your code health and watch it improve with every commit. Developers and AppSec teams can get started in three simple steps by using their GitHub accounts to sign up for BluBracket. They can easily select the repositories to scan and start identifying risks almost immediately.
