
They then discovered 109 exposed credential sets, many accessible via a low-priority lab environment, tied to overly privileged identity and access management (IAM) roles. These often granted “far more access” than a ‘training’ app should, Yaffe explained, and provided attackers:
- Administrator-level access to cloud accounts, as well as full access to S3 buckets, GCS, and Azure Blob Storage;
- The ability to launch and destroy compute resources and to read from and write to secrets managers;
- Permissions to interact with container registries where images are stored, shared, and deployed.
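The over-broad grants listed above are the kind a policy audit should catch before a lab role ships. The following is an added example of such a check (not Pentera's tooling or any policy they recovered): it walks an AWS-style IAM policy document and flags Allow statements whose action patterns cover the account-admin, object-storage, compute-lifecycle, secrets-manager, and container-registry actions named above. The risk mapping and the sample "training" role policy are constructed for this example.

```python
import json
from fnmatch import fnmatch

# Concrete actions that, when an Allow grant's pattern covers them, hand a "training"
# role the reach described above. Constructed mapping for this example.
RISKY_ACTIONS = {
    "account_admin": ["*", "iam:*"],
    "object_storage_full": ["s3:*"],
    "compute_lifecycle": ["ec2:RunInstances", "ec2:TerminateInstances"],
    "secrets_read_write": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
    "container_registry": ["ecr:BatchGetImage", "ecr:PutImage"],
}

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return [] if value is None else (value if isinstance(value, list) else [value])

def _grant_covers(granted, risky):
    # IAM action patterns are case-insensitive and use '*' / '?' wildcards,
    # which fnmatch evaluates correctly once both sides are lowercased.
    return fnmatch(risky.lower(), granted.lower())

def find_overprivileged_grants(policy):
    """Return one finding per (statement, action, risk category) an Allow grant covers."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        wildcard_res = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions: broad by construction.
            findings.append({"sid": stmt.get("Sid"), "action": "NotAction",
                             "category": "account_admin", "wildcard_resource": wildcard_res})
            continue
        for action in _as_list(stmt.get("Action")):
            for category, risky in RISKY_ACTIONS.items():
                if any(_grant_covers(action, r) for r in risky):
                    findings.append({"sid": stmt.get("Sid"), "action": action,
                                     "category": category, "wildcard_resource": wildcard_res})
    return findings

# Constructed sample: a scoped lab grant plus the "convenience" statement that makes a lab role dangerous.
SAMPLE_TRAINING_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LabBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::lab-bucket/*"},
        {"Sid": "Convenience", "Effect": "Allow", "Action": ["s3:*", "secretsmanager:*", "ec2:*"], "Resource": "*"},
        {"Sid": "Registry", "Effect": "Allow", "Action": "ecr:Get*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(find_overprivileged_grants(SAMPLE_TRAINING_ROLE_POLICY), indent=2))
```

Only the `Convenience` statement is reported; the scoped `LabBucket` and `Registry` grants stay quiet, which is the property a lab role's policy should have.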
Attackers maintained persistent access, moved laterally across networks, exploited cloud credentials and other sensitive information, and crypto-mined victim infrastructure. Further, Pentera’s researchers easily discovered active secrets such as Slack keys, GitHub tokens, and Docker Hub credentials, as well as real user data and proprietary source code.
Alarmingly, in DVWA, 54% of instances discovered still used the default credentials ‘admin:password,’ and attackers could downgrade security settings in a single click (from “impossible” to “low”), making every built-in vulnerability “trivially exploitable,” Yaffe noted.
