The Dark Playground of CI/CD: Attack Delivery by GitHub Actions

Presented at BSidesLV 2023, Aug. 8, 2023, 11:30 a.m. (20 minutes)

GitHub provides an official CI/CD feature called GitHub Actions. While this feature is convenient for developers, it may also offer an attractive attack vector for attackers, which motivated us to research the potential for attacks using GitHub Actions. This study investigates known attack techniques already used by attackers and also covers previously unknown attacks not yet observed in the wild. Attacks abusing the custom action and self-hosted runner features have not been previously used by attackers nor published by researchers; our research has uncovered new attack vectors. In this presentation, we will demonstrate the attack techniques we developed, "Malicious Custom Action" and "GitHub Actions C2", including code explanation and demos, and share our research findings on the threats "Free Jacking", "Malicious Public PR&Fork" and "Theft of Secret". Furthermore, we will discuss the systematization of these attacks from two perspectives: GitHub's features and threat levels. Other CI/CD services have features similar to GitHub's, which means these attacks could be abused on services other than GitHub. By discovering threats in CI/CD, we hope to enhance the overall security of these services. Regarding this research, we have been in contact with GitHub and are taking steps towards information disclosure and countermeasures.

Presenters:

  • Kiyohito Yamamoto
    Kiyohito Yamamoto has 8 years of experience as a Security Engineer at NTT Communications, a Japanese telecommunications company, and is also an NTT Group Certified Security Principal. He served as a Senior Response Expert during the Tokyo Olympics and has also conducted TLPT tests.
  • Yusuke Kubo
    Yusuke Kubo works as an Offensive Security Researcher at NTT Communications, a Japanese telecommunications company, and is also an NTT Group Certified Security Principal. His responsibilities include researching attack techniques and providing internal red team engagements. He also contributed to MITRE ATT&CK regarding Safe Mode Boot (T1562.009).
