Shadow IT – the systems your security team doesn’t know about – is a persistent challenge. Policies may ban them, but unmanaged assets inevitably slip through. And if defenders don’t uncover them first, there’s always a risk attackers will.
With just a few days of effort, Intruder’s security team uncovered multiple real-world examples of Shadow IT exposures: unsecured backups, open Git repositories, unauthenticated admin panels, and more.
Every one of them contained highly sensitive data or credentials, and none required advanced exploitation.
Finding the Targets
One of the most effective ways to uncover Shadow IT is subdomain enumeration. Developers may deploy new systems at will, but to make them accessible they almost always require a subdomain.
We turned to Certificate Transparency (CT) logs, a public ledger of issued TLS certificates. By running wildcard queries and searching for common keywords like “git”, “backup”, or the names of popular software, we quickly uncovered approximately 30 million hosts to work with.
From there, we used a combination of fingerprinting techniques and automated screenshots to determine which hosts were interesting or likely vulnerable. Within days, we had a list of systems exposing critical weaknesses – the kind that attackers routinely exploit at scale.
When Assets Hide, Intruder Seeks
Intruder automatically discovers unknown assets and scans them for exposures before attackers can take advantage – so you can fix real risks fast and stay secure.
Make shadow IT visible. Discover your attack surface with Intruder.
What We Found (In Just a Few Days of Testing)
Vulnerability scanning is ineffective if you don’t know what’s exposed in the first place. Attack surface management solutions like Intruder provide cover on both fronts, helping teams automatically uncover hidden assets and then scanning them for vulnerabilities.
The vulnerabilities that follow are all real exposures on publicly accessible hosts.
Exposed Backups
Backups were among the easiest exposures to uncover. Many backup-related subdomains openly listed directory contents, often with backup archives available for anyone to download.
From just a small sample, we found active credentials and website source code, along with complete database dumps. In one case, the archive even contained hardcoded tokens – including FTP credentials that were still valid at the time of testing.
This kind of exposure is one of the simplest for any vulnerability scanner to detect, but if the host is Shadow IT and never makes it into your vulnerability management program, it stays invisible – even as it sits exposed to the internet.
Secrets in Public Git Repositories
Unsecured Git repositories are another common source of sensitive data. Even if credentials or secret files are removed from the active codebase, they often persist in Git history indefinitely unless properly purged.
Many organizations also host their own Git servers to retain control over proprietary code. In one case, we identified an exposed Git server containing the source code of an LLM marketplace application.
The repository was completely open, and poor developer hygiene meant it contained secrets for external services – including Redis, MySQL, OpenAI, and more. These tokens were still active at the time of testing.
Leaving a code repository exposed to the internet is a simple misstep, but one with serious consequences. The key is catching these exposures yourself, before someone else does.
Admin Panels With No Locks on the Door
Exposed admin panels are another recurring issue. Even when protected by a login page, placing an admin interface directly on the internet expands the attack surface. But in some cases we found panels that required no authentication at all.
When scanning for terms like “Elasticsearch” and “logging,” we uncovered a significant number of logging and monitoring systems exposed online.
While most required credentials, many did not – and some had been open for so long that evidence of attacker activity was already present, including ransom notes on Elasticsearch instances.
The data accessible through these systems was highly sensitive: infrastructure logs, secrets, application data (including user-generated content), and even chatbot messages. Left unauthenticated, these panels gave away the kind of detail attackers look for to move deeper into a network.
Large-Scale Propagated Misconfiguration
Subdomain enumeration also revealed a large-scale case of propagated misconfigurations. While investigating one hosting provider, we identified around 100 customer domains all exposing the same vulnerability – publicly accessible backup files containing application source code, user files, and database copies.
Viewed individually, each domain looked like a single oversight. But enumeration made the pattern clear: a systemic issue being replicated across an entire customer base.
By stepping back and connecting the dots, we were able to see the full scope of the exposure and report it to the provider.
What This Means for Your Attack Surface
Shadow IT creates blind spots, but they don’t have to stay hidden. Defenders can detect weaknesses before they’re exploited by:
Continuously enumerating subdomains to catch new systems before attackers do
Feeding newly discovered assets into their vulnerability management program so nothing slips through the cracks
Intruder takes care of this automatically, discovering unknown assets and scanning them for exposures so you can act fast.
Book a demo to see how Intruder uncovers exposures before they become breaches.
Author bio:
Written by Benjamin Marr, Security Engineer at Intruder
Ben is a Security Engineer at Intruder, where he automates offensive security scanning and carries out security research. His background is as an OSWE certified penetration tester and PHP software engineer.
Sponsored and written by Intruder.
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________
