cyber security

Threat Actors Leverage Bitbucket Artifacts to Breach AWS Accounts

In a recent investigation into Amazon Web Services (AWS) security breaches, Mandiant uncovered a troubling scenario: client-specific secrets were leaked from Atlassian’s code repository tool, Bitbucket, and exploited by threat actors to gain unauthorized access to AWS accounts.

This revelation highlights the potential vulnerabilities in Bitbucket’s Secured Variables.

These variables can be leaked in CI/CD pipelines, exposing organizations to significant security risks.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Bitbucket and CI/CD Secrets

Bitbucket, an Atlassian code hosting platform, includes a built-in continuous integration and delivery/deployment (CI/CD) service known as Bitbucket Pipelines.

This service is commonly used to deploy and maintain AWS resources.

According to Google Cloud Blog, Bitbucket’s administrative function, “Secured Variables,” allows administrators to store CI/CD secrets, such as AWS keys, directly in Bitbucket for easy reference by code libraries.

CI/CD secrets are crucial for authentication and authorization within CI/CD pipelines, providing the credentials for pipelines to interact with platforms like AWS.

These secrets are precious to attackers as they offer direct access to an environment.

Balancing the confidentiality of these secrets with ease of use for developers is a constant challenge in securing CI/CD pipelines.

Exporting Secrets from Bitbucket

CI/CD pipelines, like household plumbing, are complex orchestrations of events designed to accomplish specific tasks.

While they offer developers numerous possibilities for automating work, they can also be a source of anxiety for security professionals.

A single line of code with a hardcoded secret or a developer accidentally storing secrets locally can lead to significant security breaches.

Although Bitbucket’s secured variables are convenient for storing secrets locally, they have a concerning characteristic—they can be exposed in plain text through artifact objects.

If a Bitbucket variable, secured or not, is copied to an artifact object using the artifacts: command, the result is a .txt file with the variable’s value displayed in plain text.

Reproducing the Secret Leak

To recreate the secret leak in a Bitbucket environment, follow these steps:

  1. Establish Secured Variables in Bitbucket: Set secured variables at the repository or workspace level.
  1. Update the bitbucket-pipelines.yml File: Execute the printenv command to copy all environment variables to a .txt file called environment_variables.txt. This file is then passed to a Bitbucket artifact object for use in future pipeline stages.
  1. Navigate to the Pipeline Execution History and Download the Artifact: Access the pipeline execution history and download the artifact.
  1. Open the Artifact and Search for Secured Variables: After exporting the .txt file, secrets can be read in plain text among all the variables in the Bitbucket environment.

Once secrets are printed to the environment_variables.txt file, they can flow out of Bitbucket through the pipeline and become exposed.

This exposure can result from development mistakes, malicious intent, or accidental disclosure, leading to misuse by threat actors.

To protect your secrets when using Bitbucket Pipelines:

  • Store secrets in a dedicated secrets manager and reference those variables in your Bitbucket repository code.
  • Closely review Bitbucket artifact objects to ensure they do not expose secrets as plain text files.
  • Deploy code scanning throughout the pipeline lifecycle to catch secrets stored in code before deployment to production.

This case study is not an indictment against Bitbucket but a reminder of how seemingly innocuous actions can lead to serious security issues.

A single keystroke, line of code, or misconfiguration can cause a slow, untraceable leak of secrets through your pipeline, exposing them to the world.

Organizations must remain vigilant and implement robust security measures to safeguard their CI/CD environments.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt…

2 days ago

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a threat actor to read sensitive files…

2 days ago

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes. Resecurity researchers have recently revealed that…

2 days ago

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million Ecuadorian citizens. The announcement was made…

2 days ago

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery efforts following a recent cybersecurity breach.…

3 days ago

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection for Amazon Simple Storage Service (Amazon…

3 days ago