
GitHub Actions Under Attack: Credential Stealing Malware Injected into Popular Tools

Source: wiz.io
Recent supply chain attacks have targeted widely used GitHub Actions, including those for the Trivy vulnerability scanner and Checkmarx KICS, injecting credential-stealing malware. These compromises pose a significant risk to CI/CD pipelines, since any secret available to an affected workflow run may have been exposed.

Key Insights

Trivy Compromised Again: The `aquasecurity/trivy-action` and `aquasecurity/setup-trivy` GitHub Actions were compromised and a credential stealer was injected. All tags from 0.0.1 through 0.34.2 were affected for approximately 12 hours. Why this matters: This is the second compromise of the Trivy ecosystem in a short period, highlighting the increasing risk of supply chain attacks.

Checkmarx KICS Affected: The Checkmarx KICS GitHub Action was also compromised with credential-stealing malware. Between 12:58 and 16:50 UTC on March 23rd, the compromised tags served malware to users. Why this matters: This indicates broad targeting of security tools, making it crucial to verify the integrity of all dependencies.

TeamPCP Involvement: Evidence suggests the involvement of the TeamPCP threat actor, known for cloud-native cybercrime, in these attacks. The malware used naming conventions and an RSA public key consistent with previous TeamPCP operations. Why this matters: This suggests a sophisticated and persistent attacker targeting cloud infrastructure.

Compromised npm Packages: Stolen credentials from the Trivy compromise were used to compromise several npm packages with a self-propagating worm. Why this matters: This demonstrates the cascading impact of supply chain attacks, where compromised credentials lead to further breaches.

In-Depth Analysis

The attacks involved moving existing GitHub Action tags to point at attacker-controlled commits, so that any workflow referencing the tag pulled the malicious code from a trusted source. The malware harvested environment variables, SSH keys, cloud service provider credentials, database credentials, and cryptocurrency wallets. Exfiltration occurred via HTTP POST requests to attacker-controlled domains, with a fallback mechanism of creating a public repository named `tpcp-docs` on the victim's GitHub account.

StepSecurity's Harden-Runner detected anomalous outbound connections to the attacker's C2 domain, `scan.aquasecurtiy.org`, in workflow runs across multiple open-source projects. Aqua Security has released advisories with indicators of compromise (IOCs) and recommended actions.

Compromised artifacts include:

OpenVSX Extensions: `ast-results-2.53.0.vsix` and `cx-dev-assist-1.7.0.vsix`

Checkmarx Util: `checkmarx-util-1.0.4.tgz`

Environment Auth Checker: `environmentAuthChecker.js`

Mitigation steps include auditing KICS GitHub Actions references, searching for exfiltration artifacts, and pinning GitHub Actions to full SHA hashes instead of version tags.

FAQs

Q: What actions should security teams take?

Security teams should audit KICS GitHub Actions references, search for exfiltration artifacts, and implement long-term hardening measures.

Q: How can I identify compromised credentials?

Review workflow run logs and network logs for connections to `scan.aquasecurtiy.org` or the IP address `45.148.10.212`. Check GitHub accounts for repositories named `tpcp-docs`.
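The two checks described above (finding workflow steps that reference an action by mutable tag rather than a full commit SHA, and searching logs for the indicators quoted in this summary), as an added example that is not part of the original article. The workflow text and log lines are constructed samples; the Trivy action names come from the article, while the `checkmarx/kics-github-action` name and the `uses:` line format are assumptions.

```python
import re

# Constructed sample inputs (not from the article). The two Trivy action
# names are the ones the article cites; the KICS action name is assumed.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: checkmarx/kics-github-action@v2.1.0
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567  # v0.2.2
"""
SAMPLE_LOG = [
    "2025-03-23T13:02:11Z connect tcp 140.82.112.3:443 host=api.github.com",
    "2025-03-23T13:02:14Z connect tcp 45.148.10.212:443 host=scan.aquasecurtiy.org",
    "2025-03-23T13:02:15Z POST /upload 200 host=scan.aquasecurtiy.org",
]

# Indicators quoted in the summary above.
IOCS = ("scan.aquasecurtiy.org", "45.148.10.212", "tpcp-docs")
# Actions the article reports as compromised (KICS action name assumed).
AFFECTED = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy",
            "checkmarx/kics-github-action"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (action, ref, affected) for every `uses:` whose ref is a mutable
    tag or branch rather than a full 40-hex commit SHA. A tag can be moved to
    a malicious commit, as happened here; a full SHA cannot."""
    return [(action, ref, action in AFFECTED)
            for action, ref in USES_RE.findall(workflow_text)
            if not FULL_SHA_RE.match(ref)]


def find_ioc_hits(log_lines):
    """Return (line_no, ioc) for every log line containing a known indicator."""
    return [(n, ioc) for n, line in enumerate(log_lines, 1)
            for ioc in IOCS if ioc in line]


if __name__ == "__main__":
    for action, ref, affected in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}" + ("  <-- affected tool" if affected else ""))
    for n, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit on log line {n}: {ioc}")
```

Run it against the contents of each file under `.github/workflows/` and against exported runner or egress logs; a hit on an affected action or an IOC is the cue to rotate the secrets that run could reach.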

Key Takeaways

Verify Dependencies: Regularly audit and verify the integrity of all dependencies in your CI/CD pipelines.

Rotate Secrets: If you suspect you were running a compromised version of Trivy or KICS, treat all pipeline secrets as compromised and rotate them immediately.

Pin SHA Hashes: Pin GitHub Actions to full, immutable commit SHA hashes instead of version tags to avoid tag poisoning attacks.

Monitor Network Connections: Monitor outbound network connections from your CI/CD environment for suspicious activity.
