Presented at
BSidesLV 2023,
Aug. 8, 2023, 11:30 a.m.
(20 minutes).
GitHub provides an official CI/CD feature called GitHub Actions. While this feature is convenient for developers, it may also offer an attractive attack vector for attackers, motivating us to research the potential for attacks using GitHub Actions.
This study investigates known attack techniques already used by attackers and includes unknown attacks not yet observed in the wild. Attacks abusing the features of custom action and self-hosted runner have not been previously used by attackers nor published by researchers; our research has uncovered new attack vectors.
In this presentation, we will demonstrate the attack techniques we developed, "Malicious Custom Action" and "GitHub Actions C2", including code explanation and demos, and share our research findings on threats "Free Jacking", "Malicious Public PR&Fork" and "Theft of Secret". Furthermore, we will discuss the systematization of these attacks based on two perspectives: GitHub's features and threat levels.
Other CI/CD services have similar features to GitHub, which means these attacks could be abused other than GitHub. By discovering threats in CI/CD, we hope to enhance the overall security of these services. Regarding this research, we have been in contact with GitHub and are taking steps towards information disclosure and countermeasures.
Presenters:
-
Yusuke Kubo
Yusuke Kubo works as an Offensive Security Researcher at NTT Communications, Japanese Telecommunication Company, and is also NTT Group Certified Security Principal. His responsibilities include researching attack techniques and providing RedTeam for internal. And he contoributed to MITRE ATT&CK regarding Safe Mode Boot(T1562.009).
-
Kiyohito Yamamoto
Kiyohito Yamamoto has 8 years of experience as a Security Engineer at NTT Communications, Japanese Telecommunication Company, and is also NTT Group Certified Security Principal. He served as a Senior Response Expert during the Tokyo Olympics and also conducted TLPT tests.
Links:
Similar Presentations: