This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Amnesty International Canada intruder was in system for 17 months before detection
December 6, 2022
A suspected Chinese-based threat actor was in the IT system of Amnesty International Canada for 17 months before being detected, according to the head of the non-profit group. The Canadian branch of the human rights organization said in a news release Monday that the breach of security controls was detected in October. To its knowledge, this ...
- Four suspects cuffed, face extradition to US over tax refund scam plot
December 6, 2022
Four men suspected of plotting to commit wire fraud and identity theft have been arrested and now face extradition to America. It is alleged they conspired to break into US companies’ servers, steal people’s personally identifiable information (PII), use that info to file fraudulent tax returns to Uncle Sam, and collect victims’ tax refunds. In newly unsealed ...
- Russian VTB bank reports major DDoS attack on bank from overseas
December 6, 2022
VTB’s technical infrastructure is currently under a major cyberattack from abroad. The bank’s customers may face temporary problems when using the application and the web version of VTB online due to the measures in tackling the attack that are in progress, the press service of Russia’s second-biggest lender reported on Tuesday. “VTB’s technological infrastructure is currently ...
- Ransomware hits city of Antwerp
December 6, 2022
Cybercriminals infected the city’s IT systems with ransomware. Residents are unable to make appointments for public affairs. Antwerp’s police and museums are partially offline. The attack took place on the night of December 5-6. A city spokesperson told De Standaard that ransomware was found on several systems. The identity of the attacker(s) is unknown at the ...
- KmsdBot botnet is down after operator sends typo in command
December 6, 2022
Somewhere out there, a botnet operator is kicking themselves and probably hoping no one noticed the typo they transmitted in a command that crashed their whole operation. Unfortunately for the typographically-challenged botnetter, it happened on the internet, so someone knows: Akamai, in this case, had been watching for some time. Even worse for the operator(s), their Golang-coded ...
- Google warns stolen Android keys used to sign info-stealing malware
December 5, 2022
Compromised Android platform certificate keys from device makers including Samsung, LG and Mediatek are being used to sign malware and deploy spyware, among other software nasties. Googler Łukasz Siewierski found and reported the security issue and it’s a doozy that allows malicious applications signed with one of the compromised certificates to gain the same level of ...