This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Voice cloning of growing interest to actors and cybercriminals
July 12, 2021
As voice cloning technology has become ever more effective, it is of increasing interest to actors… and cybercriminals. When Tim Heller first heard his cloned voice he says it was so accurate that “my jaw hit the floor… it was mind-blowing”. Voice cloning is when a computer program is used to generate a synthetic, adaptable copy of ...
- Lazarus Targets Job-Seeking Engineers with Malicious Documents
July 9, 2021
The notorious Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineers. The ploy involves impersonating defense contractors seeking job candidates. Researchers have been tracking Lazarus activity for months with engineering targets in the United States and Europe, according to a report published online by ...
- Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign
July 8, 2021
A sophisticated campaign targeting large international companies in the oil and gas sector has been underway for more than a year, researchers said, spreading common remote access trojans (RATs) for cyber-espionage purposes. According to Intezer analysis, spear-phishing emails with malicious attachments are used to drop various RATs on infected machines, including Agent Tesla, AZORult, Formbook, Loki ...
- Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)
July 8, 2021
Last week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service – CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is ...
- Critical Sage X3 RCE Bug Allows Full System Takeovers
July 7, 2021
Four vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, researchers found – including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. Two of the bugs could be chained together to allow complete system takeovers, with potential supply-chain ramifications, they said. Sage X3 is targeted at mid-sized companies ...
- WildPressure targets the macOS platform
July 7, 2021
Our previous story regarding WildPressure was dedicated to their campaign against industrial-related targets in the Middle East. By keeping track of their malware in spring 2021, we were able to find a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant with the same version (1.6.1) and a set of modules that ...