Greetings, all,
So, I was compromised by the current Shai-Hulud attack:
The visible outcome of the compromise was the creation of around 100 repos in my GitHub account. I deleted them, and also rotated my GitHub personal access tokens.
I did some reading about the Shai-Hulud worm and it apparently uses TruffleHog to scan the local file system looking for secrets. So, I installed TruffleHog to see if I could figure out what credentials the attackers obtained access to.
The good news is that none of my repos at GitHub contain secrets.
The bad news is that when I ran TruffleHog on my local filesystem, it found GCP-related secrets in my Flutter app directory. Here's a lightly edited example:
Found verified result 🐷🔑
(Verification info cached)
Detector Type: GCP
Decoder Type: PLAIN
Raw result: firebase-adminsdk-<blahblah>@ggc-app-<blahblah>.iam.gserviceaccount.com
Private_key_id: <blahblah>
Rotation_guide: https://howtorotate.com/docs/tutorials/gcp/
Project: <blahblah>
File: ggc-app-service-account.json
Line: 6
Analyze: Run `trufflehog analyze` to analyze this key's permissions
I am writing for insights about what to do next. My questions are:
- Is it safe to rotate the GCP password and regenerate the ggc-app-service-account.json file? Or will doing this mean that my existing apps in the field will no longer have access to Google Cloud services?
- What could I be doing differently to avoid this kind of attack in the future?
Note: I have rules in place for both Google Storage and Firebase that only allow access if the request comes from an authenticated user. That kind of credential is not on my filesystem.
Thanks for your insights.
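A staged rotation of the leaked service-account key, added here as an example and not part of the original post. It assumes the gcloud CLI is installed and authenticated, and the account e-mail and key file names passed to it are placeholders; the point is that disabling the old key before deleting it keeps a rollback path for apps in the field.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): staged rotation of a leaked GCP
# service-account key. Assumes the gcloud CLI is installed and authenticated;
# the account e-mail and file names passed in are placeholders.
set -eu

# Extract the private_key_id from the JSON key file TruffleHog flagged.
leaked_key_id() {
  sed -n 's/.*"private_key_id": *"\([^"]*\)".*/\1/p' "$1"
}

# User-managed keys still valid for the account; any unexpected ones should be
# treated as part of the blast radius and rotated as well.
list_user_keys() {
  gcloud iam service-accounts keys list --iam-account="$1" \
    --managed-by=user --format='value(name.scope(keys))'
}

# Step 1: mint a replacement key into a NEW file and ship it to the apps first.
create_new_key() {
  gcloud iam service-accounts keys create "$2" --iam-account="$1" >&2
}

# Step 2: disable, rather than delete, the leaked key. Disabling is reversible,
# so an app in the field that still uses the old key can be rescued by
# re-enabling it while the rollout finishes; deletion is permanent.
disable_key() {
  gcloud iam service-accounts keys disable "$2" --iam-account="$1" >&2
}

# Step 3: once no client still authenticates with the old key, delete it.
delete_key() {
  gcloud iam service-accounts keys delete "$2" --iam-account="$1" --quiet >&2
}

# Run steps 1 and 2 and print the disabled key id for the later delete step.
rotate() {
  sa="$1"; old_file="$2"; new_file="$3"
  old_id="$(leaked_key_id "$old_file")"
  [ -n "$old_id" ] || { echo "no private_key_id in $old_file" >&2; return 1; }
  create_new_key "$sa" "$new_file"
  disable_key "$sa" "$old_id"
  echo "$old_id"
}

# Usage: ./rotate.sh SA_EMAIL OLD_KEY.json NEW_KEY.json
if [ "$#" -eq 3 ]; then rotate "$@"; fi
```

Check Cloud Audit Logs for authentications with the old key id before running the delete step; as long as every client received the new file before the old key was disabled, nothing in the field loses access.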