CISA Admin Exposes AWS GovCloud Keys

May 19, 2026 00:03 · 12 min read

CISA Data Leak on GitHub

A recent discovery has revealed that a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository containing exposed credentials to several highly privileged AWS GovCloud accounts and numerous internal CISA systems.

Security experts have stated that the public archive included files detailing how CISA builds, tests, and deploys software internally, representing one of the most egregious government data leaks in recent history.

Discovery of the Leak

On May 15, KrebsOnSecurity was contacted by Guillaume Valadon, a researcher with the security firm GitGuardian, who had discovered the public GitHub repository named "Private-CISA" that exposed a vast number of internal CISA/DHS credentials and files.

Valadon's company constantly scans public code repositories for exposed secrets and alerts the owners of the affected accounts to any apparent exposure of sensitive data. However, the owner of this repository wasn't responding, prompting Valadon to reach out to KrebsOnSecurity.

Exposed Credentials and Files

The exposed credentials included cloud keys, tokens, plaintext passwords, logs, and other sensitive CISA assets. One of the exposed files, titled "importantAWStokens," contained the administrative credentials to three Amazon AWS GovCloud servers.

Another file, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for dozens of internal CISA systems, including one called "LZ-DSO," which appears to be short for "Landing Zone DevSecOps," the agency's secure code development environment.
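A check of the kind that would catch both file types described above before they reach a public repository, as an added example (not GitGuardian's scanner and not code from the original article). The function names, rule names and sample file contents are constructed for illustration; the key values are AWS's published documentation placeholders, and the CSV heuristic assumes an export with url, username and password columns.

```python
import csv
import io
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character secret assigned in credentials-file or env-file style.
AWS_SECRET = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)

def password_csv_findings(text):
    """Flag rows of a CSV that looks like a browser password export."""
    reader = csv.DictReader(io.StringIO(text))
    cols = {c.strip().lower() for c in (reader.fieldnames or [])}
    if not {"url", "username", "password"} <= cols:
        return []
    findings = []
    for row in reader:
        # Normalise header case; skip overflow fields stored under key None.
        norm = {k.strip().lower(): (v or "") for k, v in row.items() if k}
        if norm.get("password"):
            findings.append(("browser-password-export", reader.line_num))
    return findings

def scan(name, text):
    """Return (rule, line_no) findings for one file; secret values are never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append(("aws-access-key-id", no))
        if AWS_SECRET.search(line):
            findings.append(("aws-secret-access-key", no))
    if name.lower().endswith(".csv"):
        findings += password_csv_findings(text)
    return findings

# Constructed sample inputs; the file names mirror the ones named in the article.
SAMPLE_TOKENS = (
    "[default]\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)
SAMPLE_CSV = (
    '"url","username","password","httpRealm"\n'
    '"https://intranet.example","alice","constructed-pw-1",""\n'
    '"https://wiki.example","bob","",""\n'
)

if __name__ == "__main__":
    for fname, body in [("importantAWStokens", SAMPLE_TOKENS),
                        ("AWS-Workspace-Firefox-Passwords.csv", SAMPLE_CSV)]:
        print(fname, scan(fname, body))
```

Run as a pre-commit hook over staged files, a non-empty result would block the commit; any key that has already been pushed still has to be revoked at the provider, since removing the repository does not invalidate it.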

Analysis of the Leak

Philippe Caturegli, founder of the security consultancy Seralys, analyzed the exposed credentials and found that they could authenticate to three AWS GovCloud accounts at a high privilege level.

Caturegli also observed that the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

Response from CISA

A spokesperson for CISA stated that the agency is aware of the reported exposure and is continuing to investigate the situation. Currently, there is no indication that any sensitive data was compromised as a result of this incident.

CISA is working to ensure additional safeguards are implemented to prevent future occurrences. However, the agency has not responded to questions about the potential duration of the data exposure.

Consequences of the Leak

The exposed AWS keys remained valid for another 48 hours after the GitHub account was taken offline. CISA is currently operating with only a fraction of its normal budget and staffing levels, having lost nearly a third of its workforce since the beginning of the second Trump administration.

Caturegli noted that the use of easily guessed passwords for internal resources constitutes a serious security threat for any organization, even if those credentials were never exposed externally.

The incident highlights the importance of proper security hygiene and the need for organizations to implement robust safeguards to prevent similar data breaches in the future.

The incident is an embarrassing leak for any company, but it's even more so in this case because it's CISA, an agency responsible for protecting the nation's critical infrastructure from cyber threats.

CISA's response to the incident will be crucial in determining the extent of the damage and preventing similar data breaches in the future.

Conclusion

The CISA data leak on GitHub is a significant incident that highlights the importance of proper security hygiene and the need for organizations to implement robust safeguards to prevent similar data breaches.

The incident is a reminder that even the most secure organizations can be vulnerable to data breaches, and it is essential to take proactive measures to protect sensitive information.


Source: Krebs on Security
