I wonder what's in 'external-secret-repo-creds.yaml' and 'AWS-Workspace-Firefox-Passwords.csv'?
Analysis Summary
# Incident Report: Exposure of CISA Infrastructure Secrets on Public GitHub
## Executive Summary
A publicly accessible GitHub repository named "Private-CISA," maintained by a CISA-affiliated contractor under a personal account, exposed 844 MB of sensitive production infrastructure data for approximately six months. The contents included plain-text passwords, AWS and Azure credentials, and Kubernetes manifests. CISA has stated that it found no evidence of compromise; even so, the material offered an attacker a "full range" of attack paths, from ransomware to long-term supply chain persistence, and every credential it contained has to be treated as compromised.
## Incident Details
- **Discovery Date:** May 14, 2026
- **Incident Date:** Approximately November 2025 – May 15, 2026 (6-month exposure)
- **Affected Organization:** Cybersecurity and Infrastructure Security Agency (CISA)
- **Sector:** Government / Cybersecurity
- **Geography:** United States
## Timeline of Events
### Initial Access (Exposure)
- **Date/Time:** Circa November 2025
- **Vector:** Shadow IT / misconfiguration (a publicly visible repository on a personal GitHub account).
- **Details:** A contractor used a personal GitHub account to host a repository named "Private-CISA" that, despite its name, was publicly visible and contained production-level backups and secrets.
### Lateral Movement (Potential)
- **Details:** No breach was confirmed. However, the exposed credentials (JFrog Artifactory tokens, Entra ID SAML certificates, and AWS GovCloud keys) would have let an attacker move from the build pipeline into CISA's cloud environment and identity provider without exploiting a single vulnerability.
### Data Exfiltration/Impact
- **Details:** 844 MB of infrastructure material was publicly viewable and cloneable, including files named "external-secret-repo-creds.yaml," "AWS-Workspace-Firefox-Passwords.csv," and "Kube-Config.txt." Anyone could have obtained a complete copy, commit history included, with a single `git clone`.
### Detection & Response
- **May 14, 2026:** Researcher Guillaume Valadon (GitGuardian) discovered the repo and reported it via the CERT/CC portal.
- **May 15, 2026 (Morning):** Report escalated to journalist Brian Krebs because the initial response was slow.
- **May 15, 2026 (6:00 PM EST):** CISA took the repository offline.
## Attack Methodology
- **Initial Access:** Publicly exposed GitHub repository (Data Leak).
- **Persistence:** Exposed SSH keys and GitHub personal access tokens (valid until revoked; taking the repository offline does not invalidate them).
- **Privilege Escalation:** Azure container registry keys and Entra ID (formerly Azure AD) SAML certificates; if the private keys were included, the certificates would allow forging SAML assertions for federated applications.
- **Defense Evasion:** The repository included an explicit "how-to" guide for disabling GitHub's native secret scanning.
- **Credential Access:** Plain-text passwords in CSV files and YAML manifests.
- **Discovery:** Directory names like `Backup-April-2026/` and `LZ-Artifactory/` facilitated easy reconnaissance.
- **Lateral Movement:** Internal JFrog Artifactory tokens and Kubernetes configurations.
- **Collection:** 844 MB of production infrastructure code and backups.
- **Exfiltration:** Public web exposure (unintentional). No attacker download was confirmed, but public repositories are continuously crawled by automated credential harvesters, so exfiltration must be assumed.
- **Impact:** Potential for total environment compromise or supply chain injection.
## Impact Assessment
- **Financial:** Unknown; potential costs related to rotating all leaked certificates and keys.
- **Data Breach:** Exposure of internal tokens, cloud secrets, and infrastructure schemas.
- **Operational:** Significant effort required to revoke/reissue Entra ID SAML certificates and cloud credentials.
- **Reputational:** High; the leading US cybersecurity agency failed to follow its own "Secure by Design" and "Secret Management" guidance.
## Indicators of Compromise
The items below are artefacts of the exposure itself, useful for locating stray clones, mirrors, and backups of the repository and for tuning scanners; they are not evidence of attacker activity.
- **File indicators:**
- `external-secret-repo-creds.yaml`
- `AWS-Workspace-Firefox-Passwords.csv`
- `Kube-Config.txt`
- `Important AWS Tokens.txt`
- **Behavioral indicators:** Mix of CISA contractor email and personal Yahoo email addresses used in Git commits.
## Response Actions
- **Containment:** Repository taken offline within 26 hours of discovery. Deleting or privatizing a public repository does not recall clones, forks, mirrors, or search-engine caches made during the six-month window, so this step only stops further downloads.
- **Eradication:** Investigation launched to determine whether the credentials were used by unauthorized parties. For leaked secrets the only effective eradication is revocation; absence of observed misuse is not proof that copies were not taken.
- **Recovery:** Expected to require mass revocation and reissue of all exposed tokens, keys, and certificates, including the Entra ID SAML certificates, with every secret treated as compromised regardless of the investigation's findings.
## Lessons Learned
- **Shadow IT Risks:** Use of personal GitHub accounts for government work bypassed organizational controls.
- **Secret Management Failures:** Storing passwords in CSV files and YAML manifests and disabling secret scanning are fundamental secret-management failures; secrets belong in a secrets manager, not in a repository, whether private or public.
- **Response Latency:** Standard vulnerability disclosure channels (CERT/CC) were slower than media escalation for an incident of this magnitude.
## Recommendations
1. **GitHub Enterprise/Org Controls:** Prohibit the use of personal repositories for any agency-related code.
2. **Automated Secret Scanning:** Enforce mandatory, non-bypassable secret scanning (including push protection and full-history scans) on all repositories, applied at the organization or enterprise level so that a repository administrator cannot disable it.
3. **Hardened Credential Storage:** Move all secrets to a dedicated secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) and have manifests reference them indirectly (for example through an external-secrets operator) instead of embedding them in YAML or CSV files.
4. **Contractor Oversight:** Implement stricter audits of contractor development environments.
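The file indicators, the commit-author behavioral indicator, and Recommendation 2 (automated secret scanning) can be turned into detection logic. The script below is an added example, not part of the report and not a CISA, GitGuardian, or GitHub tool. The sensitive file names are the ones the report lists; the regex catalogue, the allowed e-mail domains, and all sample file contents and author addresses are assumptions constructed for the example (credential-shaped strings are AWS documentation placeholders or padded dummies).

```python
"""Exposure-artefact scanner: added example, not code from the report.

Flags (1) file names the report lists as present in the leaked repository,
(2) a small catalogue of credential patterns, and (3) commit author e-mail
domains outside an allow-list (the report's "behavioral indicator").
Every input below is constructed: credential-shaped strings are documentation
placeholders (AWS's AKIAIOSFODNN7EXAMPLE) or padded dummies, and the author
addresses and allowed domains are made up.
"""
import re
from collections import Counter

# Exact file names from the report's indicator list.
SENSITIVE_FILENAMES = {
    "external-secret-repo-creds.yaml",
    "AWS-Workspace-Firefox-Passwords.csv",
    "Kube-Config.txt",
    "Important AWS Tokens.txt",
}

# Assumed minimal pattern catalogue; a real scanner (gitleaks, GitHub secret
# scanning) carries hundreds of these plus validity checks against the issuer.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Bearer token inside a kubeconfig "user:" stanza.
    "kubeconfig_token": re.compile(r"^\s*token:\s*\S+", re.MULTILINE),
}

# Assumed allow-list of domains that commits are expected to come from.
ALLOWED_DOMAINS = {"contractor.example", "agency.example"}


def scan_file(path, content):
    """Return findings for one file; line 0 marks a hit on the file name itself."""
    findings = []
    if path.rsplit("/", 1)[-1] in SENSITIVE_FILENAMES:
        findings.append({"path": path, "kind": "sensitive_filename", "line": 0})
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(content):
            line_no = content.count("\n", 0, match.start()) + 1
            findings.append({"path": path, "kind": kind, "line": line_no})
    return findings


def scan_repo(files):
    """files: {path: content}. In practice populate this from every ref and every
    historical commit (git log --all -p), not only the working tree, because a
    secret deleted in a later commit is still recoverable from history."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings


def audit_authors(author_emails, allowed_domains=ALLOWED_DOMAINS):
    """Count commit author e-mail domains that are not on the allow-list.
    Feed it the lines printed by: git log --all --format=%ae"""
    counts = Counter(e.rsplit("@", 1)[-1].lower() for e in author_emails)
    return {d: n for d, n in counts.items() if d not in allowed_domains}


# Constructed repository snapshot mirroring the report's directory names.
SAMPLE_REPO = {
    "Backup-April-2026/Kube-Config.txt": (
        "apiVersion: v1\nkind: Config\nusers:\n- name: admin\n  user:\n"
        "    token: eyJhbGciOiJSUzI1NiJ9.constructed.placeholder\n"
    ),
    # The secret access key line is deliberately NOT caught: it has no
    # distinctive prefix, which is why real scanners add entropy and context checks.
    "LZ-Artifactory/Important AWS Tokens.txt": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "ci/deploy.sh": "#!/bin/sh\nexport GITHUB_TOKEN=ghp_" + "A" * 36 + "\n",
    "docs/README.md": "# Landing zone\nNothing secret here.\n",
}

# Constructed author list showing the contractor/personal-address mix.
SAMPLE_AUTHORS = [
    "dev@contractor.example", "dev@contractor.example",
    "dev.personal@yahoo.com", "ops@contractor.example",
]

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['kind']:20} {f['path']}:{f['line']}")
    print("authors outside allow-list:", audit_authors(SAMPLE_AUTHORS))
```

Run it over a full clone with `--all` refs, not just the current tree: the report's case is exactly the one where a later cleanup commit would hide nothing. A filename hit (line 0) is worth triaging on its own, because exported password stores such as a Firefox CSV contain no prefixed tokens for a pattern scanner to catch.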