HTTPS over HTTP: A Supply Chain Attack on Azure DevOps Server 2020


The need for data encryption during transmission has paved the way for organizations to rely on TLS — not just for sending data through the internet, but even within trusted corporate environments. Without the use of TLS or SSL, the authenticity of transmitted data and the identity of endpoint can’t be verified.

In this blog, we provide the technical details of a supply chain attack on an improperly configured Azure DevOps Server 2020, specifically in the continuous integration and continuous delivery (CI/CD) Pipeline Agent communicating without TLS. We have reached out to Microsoft prior to the publication of this blog. We feature their best practice recommendations to help mitigate this risk.

Azure DevOps Server 2020: A Brief Overview
Azure DevOps Server, previously called Visual Studio Team Foundation Server, is an on-premises software that is used for reporting, requirements management, project development, automated builds, project management, and CI/CD.

Read more…
Source: Trend Micro