This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- PurpleFox Using WPAD to Target Indonesian Users
July 1, 2021
In September 2020, we published a blog describing how the PurpleFox Exploit Kit used Cloudflare services to maintain an infrastructure resilient to blocking and detection attempts. Since then, PurpleFox has been maintaining this strategy while at same time improving its attack chain by incorporating the latest public vulnerabilities into its arsenal. Recently, we found that PurpleFox ...
- Trickbot cybercrime group linked to new Diavol ransomware
July 1, 2021
FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet. Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack blocked by the company’s EDR solution in early June 2021. The two ransomware families’ samples are cut from the same cloth, ...
- Detecting unknown threats: a honeypot how-to
June 30, 2021
Catching threats is tricky business, especially in today’s threat landscape. To tackle this problem, for many years сybersecurity researchers have been using honeypots – a well-known deception technique in the industry. Dan Demeter, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team and head of Kaspersky’s honeypot project, explains what honeypots are, why they ...
- Cobalt Strike Usage Explodes Among Cybercrooks
June 29, 2021
The use of Cobalt Strike – the legitimate, commercially available tool used by network penetration testers – by cybercrooks has shot through the roof, according to Proofpoint researchers, who say that the tool has now “gone fully mainstream in the crimeware world.” The researchers have tracked a year-over-year increase of 161 percent in the number of ...
- Russian hackers had months-long access to Denmark’s central bank
June 29, 2021
Russian state hackers compromised Denmark’s central bank (Danmarks Nationalbank) and planted malware that gave them access to the network for more than half a year without being detected. The breach was part of the SolarWinds cyber espionage campaign last year that the U.S. attributed to the Russian Foreign Intelligence Service, the SVR, through its hacking division ...
- New ransomware highlights widespread adoption of Golang language by cyberattackers
June 29, 2021
A new ransomware strain that utilizes Golang highlights the programming language’s increasing adoption by threat actors. CrowdStrike secured a sample of a new ransomware variant, as of yet unnamed, that borrows features from HelloKitty/DeathRansom and FiveHands. These ransomware strains are thought to have been active since 2019 and have been linked to attacks against the maker of ...