Cisco Breach: Non-Human Identities (NHI) Compromise and Implications for DevOps Security

Tomer Iarchy

Tomer Iarchy

Software Engineer

Published on

October 29, 2024

In a recent security incident, Cisco confirmed that a threat actor accessed and downloaded “Cisco data and data of our customers”, and added they identified some files that “were not intended for public download were inadvertently published”.

The threat actor “IntelBroker” offered to sell the stolen data on BreachForums, describing some NHI secrets from its content - hard-coded credentials, certificates, API tokens, and private keys.

Cisco later added that “the data in question had been in a public-facing DevHub environment”

The flaw: publicly exposed NHI secrets

The access to sensitive data originated from Cisco’s public-facing DevHub website, which hosts container images and microservices to aid 3rd-party developers in building iox applications running on  Cisco network devices. This DevHub was intended to provide accessible resources but inadvertently contained secrets that enabled the attacker to gain unauthorized access to sensitive data. Given the level of detail involved—credentials, API keys, and tokens—the attacker likely leveraged these to explore Cisco’s DevOps environment further, posing a threat to internal systems and creating risks for any deployed applications utilizing these resources.

This isn’t something new. On August 15th, Palo Alto Networks’ Unit 42 uncovered a cloud extortion campaign that successfully compromised and extorted multiple organizations by exploiting configuration files hosted in AWS environments. These files, which typically contain environment variables, also store long-lived credentials for access keys. The leaked keys did not follow the principle of least privilege, making them highly vulnerable to exploitation. The attackers didn’t need to hack their way in–everything they needed was left out in the open.

Best practices to minimize the risk of NHI exposure

As we pointed out in previous articles, this type of attack highlights the importance of a comprehensive strategy to secure and manage NHIs. Incorporating automated security protocols, including continuous scanning and credential rotation, could reduce the risk of similar incidents. Additionally, proactive monitoring of NHIs, as emphasized in our earlier discussions on secure configurations for AWS environments and lessons from previous breaches, is essential for organizations operating in cloud and hybrid ecosystems.

Here is an exec summary of what you should think about as an enterprise identity and security specialist:

1) Discover Exposed Secrets: proactively search for sensitive information across various environments, including within environment configurations, mitigating the risk of initial access due to credential exposure.

2) Contextualize Secrets with Identity Mapping: discovering exposed secrets is often not enough; understanding their context is crucial for taking appropriate action. This includes giving security teams a clear understanding of usage and ownership for remediation.

3) Monitor and Detect Privileged Identity Creation: continuously monitor the creation of new privileged identities, helping security teams quickly identify and respond to unauthorized or unexpected privilege escalations. 

4) Respond rapidly with safe automated rotation: once a secret is identified as exposed, it must be promptly rotated to mitigate the risk of unauthorized access. This task can often be disruptive, especially when lacking full context, as it might break operational applications. 

5) Minimize Risk With Preventative Actions: beyond remediation, swiftly identify and resolve vulnerabilities to help prevent future incidents and reduce the blast radius.

How Oasis NHI Security Cloud can help

Oasis NHI Security Cloud is the leading enterprise cloud service for managing and securing NHIs. It is the first solution purpose-built to address the full spectrum of visibility, security and governance requirements of NHIs in a single integrated platform. Oasis NHI Security Cloud combines advanced capabilities in NHI discovery, risk assessment, rapid remediation, policy-based lifecycle orchestration, and compliance management. By leveraging Oasis, organizations can gain the insights and controls necessary to defend against sophisticated threats, ensuring that their non-human identities do not become the weak link in their security posture.

More like this