CISA Admin Leaked AWS GovCloud Keys on GitHub
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.
Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.
The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.
Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.
“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in the same public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Philippe Caturegli, founder of the security consultancy Seralys, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.
Caturegli said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.
“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”
Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plaintext credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.
“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”
In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
A review of the GitHub account and its exposed passwords shows the “Private CISA” repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.
CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.
The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.
CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.
The now-defunct Private CISA repo showed the contractor also used easily guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their reach after establishing initial access to a targeted system.
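The two hygiene failures described above, an AWS key ID committed to a repository with GitHub’s secret-blocking setting turned off and a password file whose entries follow the “platform name plus year” pattern, can both be caught by a local pre-push check. The script below is an added example written for this article, not code from CISA, GitGuardian or Seralys; the file contents are constructed samples (the key ID is the placeholder AWS uses in its own documentation), and the hostnames are invented.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 characters long.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A password that is one word followed by a four-digit 20xx year, optionally one symbol.
NAME_YEAR = re.compile(r"^(?P<name>[A-Za-z]+)(?P<year>20\d{2})[!@#$%]?$")

# Constructed sample files (names mirror the article; contents and hosts are invented).
SAMPLE_FILES = {
    "importantAWStokens": "govcloud-admin AKIAIOSFODNN7EXAMPLE\nnote: rotate me\n",
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://artifactory.example.internal,svc-build,Artifactory2025\n"
        "https://jira.example.internal,jdoe,Jira2025!\n"
        "https://vault.example.internal,ops,x7#Qp9!vL2mZ\n"
    ),
}

def find_aws_key_ids(text):
    """Return every AWS access key ID pattern found in text."""
    return AWS_KEY_ID.findall(text)

def platform_name(url):
    """'https://artifactory.example.internal' -> 'artifactory'."""
    host = urlparse(url).hostname or ""
    return host.split(".")[0].lower()

def weak_name_year_rows(csv_text):
    """Rows whose password is the platform's own name followed by a year."""
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = NAME_YEAR.match(row.get("password", ""))
        if m and m.group("name").lower() == platform_name(row.get("url", "")):
            weak.append((row["url"], row["username"]))
    return weak

def scan(files):
    """Map each file name to its findings; an empty dict means nothing was flagged."""
    findings = {}
    for name, text in files.items():
        hits = [f"aws-key-id:{k}" for k in find_aws_key_ids(text)]
        header = (text.splitlines() or [""])[0].lower()
        if name.lower().endswith(".csv") and "password" in header:
            hits += [f"name+year password for {u} ({user})" for u, user in weak_name_year_rows(text)]
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(path, *hits, sep="\n  - ")
```

A check like this only covers key IDs and one password pattern; it complements, rather than replaces, the repository-side blocking the contractor switched off.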