This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- New Platypus attack can steal data from Intel CPUs
November 10, 2020
A team of academics has disclosed today a new attack method that can extract data from Intel CPUs. Named Platypus, an acronym for “Power Leakage Attacks: Targeting Your Protected User Secrets,” the attack targets the RAPL interface of Intel processors. RAPL, which stands for Running Average Power Limit, is a component that allows firmware or software applications ...
- A Closer Look at the Web Skimmer
November 9, 2020
The formjacking attack has been one of the fastest-growing cyberattacks in recent years. As explained in our previous blog, “Anatomy of Formjacking Attacks,” the formjacking attack is easy to deploy but hard to detect. It has gained popularity among threat actors, especially against e-commerce websites. Between May and September 2020, we detected an average of ...
- Ghimob: a Tétrade threat actor moves to infect mobile devices
November 9, 2020
Guildma, a threat actor that is part of the Tétrade family of banking trojans, has been working on bringing in new techniques, creating new malware and targeting new victims. Recently, their new creation, the Ghimob banking trojan, has been a move toward infecting mobile devices, targeting financial apps from banks, fintechs, exchanges and cryptocurrencies in ...
- An Old Joker’s New Tricks: Using Github To Hide Its Payload
November 9, 2020
The Joker malware has consistently plagued mobile users since its discovery in 2017. In January 2020, Google removed 1700 infected applications from the Play Store — a list that grew over three years. More recently, in September, security company Zscaler found 17 samples that were uploaded to the Google Play Store. Joker has been responsible ...
- Compal, the second-largest laptop manufacturer in the world, hit by ransomware
November 9, 2020
Compal, a Taiwanese electronics company that builds laptops for some of the world’s largest computer brands such as Apple, Acer, Lenovo, Dell, Toshiba, HP, and Fujitsu, suffered a ransomware attack over the weekend. Responsible for the breach is believed to be the DoppelPaymer ransomware gang, according to a screenshot of the ransom note shared by Compal ...
- xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunnelling for C2
November 9, 2020
The xHunt campaign has been active since at least July 2018 and we have seen this group target Kuwait government and shipping and transportation organizations. Recently, we observed evidence that the threat actors compromised a Microsoft Exchange Server at an organization in Kuwait. We do not have visibility into how the actors gained access to ...