This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Who tracked internet users in 2021–2022
November 25, 2022
Every time you go online, someone is watching over you. The services you use, the websites you visit, the apps on your phone, smart TVs, gaming consoles, and any networked devices collect data on you with the help of trackers installed on web pages or in software. The websites and services send this data to ...
- Google pushes emergency Chrome update to fix 8th zero-day in 2022
November 25, 2022
Google has released an emergency security update for the desktop version of the Chrome web browser, addressing the eighth zero-day vulnerability exploited in attacks this year. The high-severity flaw is tracked as CVE-2022-4135 and is a heap buffer overflow in GPU, discovered by Clement Lecigne of Google’s Threat Analysis Group on November 22, 2022. “Google is aware ...
- Meta links US military to fake social media influence campaigns
November 24, 2022
In its latest quarterly threat report, Meta said it had detected and disrupted influence operations originating in the US, and it calls out those it believes are responsible: the American military. Meta said it picked up on three major covert influence operations on its platforms in the third quarter of the year, the first of which ...
- UK: Government departments ordered to stop installing cameras made by Chinese firms in ‘sensitive sites’
November 24, 2022
Government departments have been told to stop installing cameras made by Chinese firms in “sensitive sites”. They have also been urged to disconnect Chinese-made devices from core computer networks and to consider removing them altogether, amid security concerns. The Government Security Group has said that since companies in China have to comply with the country’s national intelligence ...
- European Parliament Putin things back together after cyber attack
November 24, 2022
The European Parliament has experienced a cyber attack that started not long after it declared Russia to be a state sponsor of terrorism. The attack appears to have made part of the Parliament’s website inoperable and made access impossible for a few hours. A pro-Russian group called KILLNET appears to have claimed responsibility for the attack in ...
- Ducktail hackers now use WhatsApp to phish for Facebook Ad accounts
November 23, 2022
A cybercriminal operation tracked as Ducktail has been hijacking Facebook Business accounts causing losses of up to $600,000 in advertising credits. The gang has been spotted before using malware to steal Facebook-related information and hijack associated business accounts to run their own ads that are paid for by the victim. Believed to be the work of a ...