This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Anubis Android Malware Returns with Over 17,000 Samples
July 8, 2019
The 2018 mobile threat landscape had banking trojans that diversified their tactics and techniques to evade detection and further monetize their malware — and in the case of the Anubis Android malware, retooled for other malicious activities. Anubis underwent several changes since it first emerged, from being used for cyberespionage to being retooled as a banking malware, combining information ...
- ‘Twas the night before
July 4, 2019
Recently, the United States Cyber Command (USCYBERCOM Malware Alert @CNMF_VirusAlert) highlighted several VirusTotal uploads of theirs – and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it’s important to restate yet again that we defend customers, and research malware and intrusions, regardless of their source. Accordingly, subscribers to ...
- Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
July 4, 2019
Since our last research on TA505, we have observed new activity from the group that involves campaigns targeting different countries over the last few weeks. We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines, and South Korea. This ...
- Sodin ransomware exploits Windows vulnerability and processor architecture
July 3, 2019
When Sodin (also known as Sodinokibi and REvil) appeared in the first half of 2019, it immediately caught our attention for distributing itself through an Oracle Weblogic vulnerability and carrying out attacks on MSP providers. In a detailed analysis, we discovered that it also exploits the CVE-2018-8453 vulnerability to elevate privileges in Windows (rare among ransomware), and uses legitimate processor ...
- Making Intelligence Actionable: Cybersecurity Preparedness in the Credit Union Industry
July 3, 2019
As the threat landscape continues to evolve, organizations need to be increasingly proactive in their approach to cybersecurity. One industry that’s taken proactive measures toward cybersecurity preparedness is the credit union industry. Over the last couple of years, the National Credit Union Administration (NCUA) developed a tool called the Automated Cybersecurity Examination Tool (ACET) to help credit unions ...
- US Cyber Command issues alert about hackers exploiting Outlook vulnerability
July 2, 2019
US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks. The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday. The Outlook bug, discovered and detailed by security researchers from SensePost, allows a threat actor to escape from the Outlook ...