Prevent Data-Focused Attacks

How Threat Actors Steal Developer Secrets

Chief Corvus Officer
May 24, 2022


Developer secrets are typically sensitive authentication tokens which can include API keys, access tokens, passwords and anything a developer would want secret. Examples include AWS secrets, GCP tokens and SSH keys. In recent years threat actors have been increasingly targeting cloud environments, and stealing developer secrets for malicious purposes. 

Developer Secrets 

Developer secrets as mentioned above, include sensitive information that should be kept confidential. These secrets can take different forms, depending on the provider and service and typically provide a level of access or authentication. Table 1 displays some common cloud related developer secrets, however this list is not exhaustive.

Service Developer Secrets
Amazon Web Service AWS Access Key, Secret Key
Google Cloud Platform Application Default Credentials, user and service credentials
Microsoft Azure Azure App Service configuration secrets
Kubernetes Kubernetes Secrets
SSH (protocol) SSH keys
Alibaba App Key, App Token
GitHub Github token
Certificates TLS, SSL

credentials consist of an access key id and secret access key, both of which are stored as plaintext in the user’s ~/.aws/ folder. These credentials are used to authenticate requests within AWS, which will search for credentials in either ~/.aws/credentials or ~/.aws/config. Access within AWS is provided by IAM (Identity Access Management) which uses permissions and role-based access, shown in Figure 1. 

Diagram. Center says AWS IAM and arrows are pointing left and right to the next level down. On the left is 'Identities (who requests)' which points to Users, Groups, Roles, and Credentials. On the right is 'Permissions (what is requested by the identity)'. This points to Policies, which then points to Statements.
Figure 1 - From msp360, Identities and Permissions in IAM

SSH (secure shell) is a protocol that is used to securely connect to a computer or network by utilizing encryption to avoid interception. The protocol consists of three layers: authentication, connection and transport. SSH is used in user authentication in which a user generates an SSH key pair, which includes a private and public key. The public key is uploaded to the server, with the private key remaining with the user and is used to authenticate the user. In cloud computing SSH is frequently used to connect to Virtual Machines such as AWS EC2 and GCP Compute Engine.

Developer secrets can be exposed in a multitude of ways, including human error, with keys being uploaded to git repositories or stolen through malicious means. Exposed developer secrets risk being abused promptly as threat actors will continually scan the internet for private keys. There are multiple risks organizations can face from having developer secrets leak including, data access and exfiltration, unauthorized access and use of resources, all of which can cause large costs. 

AWS Credentials

Given Amazon Web Services popularity, the service is a common target of cloud focused threat groups. Threat group “TeamTNT” rose to prominence for targeting cloud environments, in particular stealing AWS credentials to deploy cryptominers. The group, who were active from 2019 - 2021, used a stealer named “” (Figure 2) that scans for AWS access tokens in home/root, AWS environments and in Docker environments (Figure 3). Access tokens and meta data are piped to a file which is uploaded to a command and control (C2) operated by the group and used in further activity. 

Figure 2 - Bash Script Scanning For AWS Credentials In Root and Home
Figure 3 - Bash Script Scanning Docker Environment Variables For AWS Credentials 
Figure 4 - Example Of Stolen AWS Credentials File

In recent activity, Mandiant have reported on the threat group “UNC2903” stealing AWS credentials by exploiting vulnerable database software Adminer. A server-side request forgery vulnerability, designated “CVE-2021-21311” was discovered in May 2021. CVE-2021-21311 is a medium severity vulnerability affecting the open source database manager Adminer, allowing a Server-side Request Forgery (SSRF). A server-side request forgery is a vulnerability that enables requests to be made to an internal network as URLs are mishandled. A proof of concept (PoC) was pushed to a GitHub repository detailing how to exploit the vulnerability to return AWS keys from AWS metadata service. While it does not return AWS keys, UNC2903 was able to exploit this vulnerability to return AWS metadata which an attacker can use to get the server to return AWS keys in an error message. Once the threat actors have the AWS keys, they can be used to exfiltrate data from an S3 bucket. 

SSH Keys

SSH (secure shell) keys are a fundamental access credential that are used in authentication in many cloud platforms including Azure, AWS, GCP, Kubernetes among others. As a result, threat actors have been targeting various services in an attempt to steal ssh keys. In 2020, threat actors began targeting misconfigured Docker containers with Kinsing malware. Kinsing downloads a shell script (shown in Figure 5) that steals data from /.ssh/config, /.ssh/known_hosts and .bash_history and iterates through each combination of user and key in an attempt to connect to each host in order to download another bash script, with the end goal of running a cryptominer

Figure 5 - Example From Kinsing Script Attempting To Connect To A Host 

Similarly, Chinese APT group “Rocke Group” will target vulnerable Linux servers, using SSH keys and known hosts to spread onto other machines. 


During 2021, TeamTNT once again expanded their toolset, which included stealing GCP secrets. The group’s toolset included Break Out of the Box, a pentesting tool that the group used to scrape GCP credentials. It is unclear if the GCP credentials were ever used, however based on previous activity it may be safe to assume that they would be used in cryptomining operations, and the group claims to have ceased operations. 


While cryptomining is an expensive problem for organizations, these stories highlight some greater dangers facing cloud environments. With the access threat actors are getting to developer secrets, these could be used for even more malicious purposes such as data access and exfiltration, lateral movement, and use of resources. As leaked secrets are constantly being scanned for, publicly exposed secrets will be used quickly. Even though there is currently a smaller number of threat groups specifically targeting cloud services, this will only increase with many organizations moving to the cloud. To ensure data security, companies should use a Data Security Platform as part of their security strategy. Open Raven is a DSP that shows where sensitive data is and how secure it is. 

Magpie Rules


Use IMDSv2 instead of IMDSv1, as it uses a session token for accessing metadata

Make sure S3 Bucket access logging in enabled 

Make sure EC2 Instance Detailed Monitoring is Enabled

Ensure MFA is required for IAM


Use IMDSv2 instead of IMDSv1, as it uses a session token for accessing metadata

Don't miss a post

Get stories about data and cloud security, straight to your inbox.