Uncovering attacker tactics through cloud honeypots

Attackers typically find exposed “secrets” – pieces of sensitive information that allow access to an enterprise cloud environment — in as little as two minutes and, in many cases, begin exploiting them almost instantly, highlighting the urgent need for comprehensive cloud security, according to Orca Security.

Orca’s research was conducted between January and May 2023, beginning with the creation of “honeypots” on nine different cloud environments that simulated misconfigured resources in the cloud to entice attackers.

Cloud environments honeypots

Each contained a secret AWS key. Next, Orca monitored each honeypot to see if and when attackers would take the bait in order to learn what cloud services are targeted most frequently, how long it takes for attackers to access public or easily accessible resources, and how long it takes for attackers to find and use leaked secrets.

“While tactics vary per resource, our research makes one thing clear – if a secret is exposed it will be exploited,” said Bar Kaduri, Cloud Threat Research Team Lead at Orca Security.

“Our research shows that attackers find exposed secrets incredibly quickly and it doesn’t take them long to weaponize them. In this environment, defenders must ensure that their assets are not publicly accessible unless absolutely necessary, and that secrets are properly managed,” Kaduri continued.

While Orca expected attackers to find the honeypots quickly, the research team was still surprised just how quickly some were found and exploited.

Honeypots found and exploited

Vulnerable assets are discovered almost immediately

Misconfigured and vulnerable assets are literally discovered within minutes. Exposed secrets on GitHub, HTTP, and SSH were all discovered in under five minutes. The AWS S3 Buckets were discovered in under one hour.

Time to key usage varies significantly per asset type

Orca observed key usage on GitHub within two minutes, which means that exposed keys were compromised virtually instantly. The process was slower for other assets; for S3 Buckets, key compromise took approximately eight hours and for Elastic Container Registry the process was nearly four months.

Not all assets are treated equally

The more popular the resource, the easier it is to access, and the more likely it is to contain sensitive information, the more attackers are inclined to do reconnaissance. Certain assets, such as SSH, are highly targeted for malware and cryptomining.

Defenders shouldn’t rely on automated key protection

Apart from GitHub, where the exposed AWS key permissions were immediately locked down, Orca did not detect any automated protection for the other resources tested.

No region is safe

Although 50% of all observed exposed AWS key usage took place in the United States, usage occurred in almost every other region as well, including Canada, APAC, Europe, and South America.

“The differences in attacker tactics depending on resource illustrates the need for defenders to employ tailored defenses for each instance,” said Tohar Braun, Research Technical Lead at Orca Security.

“The report breaks down attack techniques and includes recommended best practices for mitigating the risk of exposed secrets,” Braun concluded.