Submission CISA Admin Leaked AWS GovCloud Keys on Github (krebsonsecurity.com)

ArchieBunker writes: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.

Philippe Caturegli, founder of the security consultancy Seralys, said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”

Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.

“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.

“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

A review of the GitHub account and its exposed passwords shows the “Private CISA” repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.

CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.

The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.

CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.

The now-defunct Private CISA repo showed the contractor also used easily guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their reach after establishing initial access to a targeted system.

“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”
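
The two failure modes the story describes, secrets committed after GitHub's push protection was switched off and passwords of the form platform-name-plus-year, are both things a local pre-commit check can catch before anything reaches a remote. The following is an added example, not code from the article, from CISA, or from any tool it mentions: a minimal scanner run over a constructed in-memory repository snapshot whose file names are modelled on the ones the article quotes. The key values are the placeholder access key pair from AWS's own documentation, the hosts use the reserved `.invalid` domain, and the AWS secret-key rule deliberately fires only when the value sits next to its conventional variable name. In practice you would rely on GitHub's push protection, git-secrets or gitleaks rather than hand-written regexes; the block shows what such rules look like and how a hook turns findings into a blocked commit.

```python
import csv
import io
import re
from datetime import date
from urllib.parse import urlparse

# Detection rules for the two secret types named in the article. The key-ID
# rule is the well-known AWS access key ID shape (AKIA + 16 upper-case
# alphanumerics); the secret-key rule requires the conventional variable name
# next to the 40-character value, which keeps ordinary base64 blobs out.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})"
    ),
}

# Constructed sample repository contents (not the real leaked files): the key
# pair is the placeholder pair from AWS documentation, hosts are .invalid names.
SAMPLE_REPO = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://artifactory.example.invalid,svc-build,Artifactory2025\n"
        "https://lz-dso.example.invalid,admin,correct-horse-battery-staple\n"
    ),
    "README.md": "# build notes\nNothing secret here.\n",
}


def scan_text(filename, text):
    """Return one (filename, line_no, rule) tuple per secret-pattern hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((filename, line_no, rule))
    return findings


def is_weak_password(password, platform, year):
    """True when the password is just the platform name plus a year, with an
    optional - or _ separator and an optional trailing '!'."""
    pattern = rf"{re.escape(platform)}[-_]?{year}!?"
    return re.fullmatch(pattern, password, re.IGNORECASE) is not None


def scan_password_csv(filename, text, year):
    """Flag any CSV that carries a plaintext 'password' column at all, then
    flag each row whose password is <platform><year>. The platform name is
    taken from the first label of the URL's hostname."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or "password" not in reader.fieldnames:
        return findings
    findings.append((filename, 1, "plaintext_password_file"))
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        host = urlparse(row.get("url", "")).hostname or ""
        platform = host.split(".")[0]
        if platform and is_weak_password(row.get("password", ""), platform, year):
            findings.append((filename, line_no, "weak_password"))
    return findings


def scan_files(files, year=None):
    """files: {name: content}. Pattern rules run on every file; the password
    CSV rules run on files whose name ends in .csv."""
    year = year or date.today().year
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
        if name.lower().endswith(".csv"):
            findings.extend(scan_password_csv(name, text, year))
    return findings


def should_block_commit(findings):
    """A pre-commit hook exits non-zero on any finding, which is the local
    equivalent of the push-protection setting the article says was disabled."""
    return len(findings) > 0


if __name__ == "__main__":
    hits = scan_files(SAMPLE_REPO)
    for filename, line_no, rule in hits:
        print(f"{filename}:{line_no}: {rule}")
    raise SystemExit(1 if should_block_commit(hits) else 0)
```

Wired into `.git/hooks/pre-commit` against the staged files, the non-zero exit stops the commit locally, so a later decision to disable the remote-side check does not silently remove every safeguard.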

Comment Education fads (Score 1) 132

The blame for this falls squarely on the politics surrounding education fads. We abandon the boring things that work in favor of the new exciting crap that doesn't. And it's not because anyone really thinks it works, but because there are billions behind the new crap.

Parental apathy factors into this as well, no doubts.

We know what works, so ask yourself why we aren't using it.

Comment Re:Huge disconnect (Score 1) 193

The question I have here is based on what?

Based on my analysis of their needs and what AI can deliver. I agree that it's management's job to increase efficiency and output, but change for change's sake is never good. For instance, in the examples above I *knew* what AI would deliver. I told them, in no uncertain terms, what product they'd receive. They still made the decision to push ahead ( and I'm more than willing to cash that check ). I can see, objectively and by any metric, that what was delivered is a worse customer experience than what they had before.

However, because it's "AI", that makes it acceptable. The buzzword has effectively disabled the rational and critical thinking parts of this management team's brains. Of course I have seen this before ( First rule of IT: Vendors lie, Second rule of IT: Managers believe them ), but to this extent? Especially in smaller businesses, where margins are tighter. For what they're paying for this AI solution ( ha, "solution" ), they could afford to hire another staff member; another person on the phones, and far more capable than AI in delivering the ultimate product ( caring for the patient ).

Mind you; I pointed all this out to them. They know the math, but they are so...enamored with AI that it doesn't mean anything to them. Meanwhile, patients and staff hate it.

I'm sure there are AI use cases out there which deliver a decent ROI. What I'm seeing in the field, however, is management hysteria for the latest thing at a scale I've never before experienced.

I shouldn't complain, it's paying extremely well, but I know this will all come crashing down at some point.

Comment Re:Huge disconnect (Score 4, Interesting) 193

I've been through more than a few technology cycles, so while I don't necessarily disagree with you, the scale of the disconnect between the worker bees and management is more significant than I ever remember.

It's becoming exceedingly difficult to dissuade management from AI courses of action, even when they make no sense or will end up delivering a substandard product for significantly higher cost.

For instance, I just had a client implement an AI auto-attendant for a medical office. Were they having difficulties answering the phone in a timely manner? No. Do they anticipate a staffing shortage that would cause such an issue? No. Will the auto-attendant be able to accomplish what a regular worker can? No. In fact, it can pretty much only answer the phone and find someone for the caller to talk to.

But by god, management had to have it. So, for an extra 2000 a month they get a middle man that delays delivering service to patients. Management loves it. Folks answering the calls hate it because the patients hate it.

A different office asked about AI curated music. Another client asked about replacing our network monitoring software with AI so their IT staff can stop working after hours. They both will end up getting their wish, and at least in the case of the network monitoring solution it's going to cause so many issues I'm having them sign a waiver before I implement; I won't be held responsible when the AI agent is rebooting servers randomly because it thinks they're offline.

Comment Huge disconnect (Score 5, Interesting) 193

More than any other IT fad over the past 2 decades, I've noticed AI has really divided "decision makers" and "makers/workers". Those of us in the trenches making things work are highly skeptical of AI and treat it much as we have any other "flash in the pan" technology; wary, willing to test/play with it, but disbelieving of the hype.

The decision makers though...whoooboy, they've bought into the tech hook, line and sinker. They want AI everything, even in places it makes no sense. They can't define what they want AI to do, or how it's supposed to do it, but by god they will sign away millions of dollars in pursuit of their golden cow.

The only time I really saw anything like this was with "Teh Cloudz!", but even then it was tempered by practicality. AI? It's magic beans, all the way down.

Comment Re:Proxmox FTW (Score 1) 54

There are two issues I have with Ceph:

1) management complexity. Proxmox is pretty easy to manage, very little to surprise a seasoned admin. Ceph, while easy to implement, can be deceptively difficult to administrate if something goes sideways. I usually recommend small businesses avoid it if at all possible.

2) SANs are often faster. Ceph has enough overhead to be noticeable.

That said, it is a very nice feature and well worth learning how to administrate if you're already a Linux admin. If you are going to use Ceph, I highly stress at least a dedicated 10g network JUST for Ceph.

Comment So...what's the alternative? (Score 1) 79

Everyone's (rightfully) bitching about this, and I agree, but none of that solves the problem.

What's the alternative? Give me a TV brand that gives you, ideally, a dumb TV, but alternatively a decent smart TV that is easy to work with.

Responsiveness is an important, and often overlooked, characteristic. It's important.

Brand/model recommendations; go!
