[tl;dr sec] #232 - GitHub Actions Cache Poisoning, Rust Red Team Tools, Prioritizing Detections

Subtly tamper with GHA builds, repo with offense-focused Rust PoCs, how to prioritize a detection backlog

Hey there,

I hope you’ve been doing well!

🌴 Florida Man

This week I’m in Florida with my mom and siblings.

If you’re from the Midwest, Florida is a common place to go for spring break or vacation.

If you’re not from the U.S., you might not know of the “Florida Man” memes, but you should: they highlight newspaper articles with titles like, “Florida man kidnaps scientist to make his dog immortal,” or “Florida man claims he only drank at stoplights, and not while driving.”

Anyway.

I have many fond memories of visiting as a kid: biking everywhere, making sand castles on the beach, jet skiing at max speed and almost flying off, having my alabaster skin turn red from 15 minutes outside without SPF 100.

Even though my father passed away over ten years ago, I still feel echoes of those playful times and memories now.

I hope you have places like that too.

Right now, I’m finishing up this newsletter as the rest of my family sleeps.

Tomorrow, I’m going to put on sunscreen like football coaches get Gatorade’d and hit the beach (outside of peak hours).

Have a great rest of your week!

🎙️ tl;dr sec Podcast?

Quick question: would an audio version of this newsletter be useful to you?

The same content, but you could listen on the go, while doing chores, to avoid awkward silences with your partner, etc. (coming soon: tl;dr relationships)

Sponsor

📣 iVerify Basic is now on Android! 

Android users can now access the same mobile security protections that made iVerify Basic a popular iOS app among security professionals. Plus, we’ve added our unique Threat Hunting capabilities that root out zero-day attacks and misbehaving apps! No other mobile security app gives users this level of protection from new threats still unknown to app developers or OEMs. Deeper threat hunting and analysis capabilities are available to Enterprise users by contacting [email protected].

If you’re not familiar, iVerify is a spin-off company from the boutique consulting firm Trail of Bits, whose work tl;dr sec regularly highlights. They were doing neat mobile security research, built a mobile app that became very popular, and it's now its own company! iVerify was also invested in by The Chainsmokers 🤯

AppSec

Employee Personal GitHub Repos Expose Internal Azure and Red Hat Secrets
Yakir Kadkoda and Assaf Morag share that in their research most (66%) of the valid secrets they found were under personal employee GitHub repositories or with external contractors, highlighting the value of scanning not just company-owned repos. They then walk through examples including finding privileged Azure container registry tokens and Red Hat container registry tokens.

Fine-tuning Semgrep for Ruby Security: Pundit and SQL injection
Siddarth Adukia shares new open-source Semgrep rules for Ruby, and offers a great guide to identifying a SAST-shaped problem, coming up with a Semgrep rule, and then tuning that rule to reduce false positives and ensure accuracy. “I was able to find a significant number of IDORs and access control issues in a codebase I audited with this rule.”

TIL: if sanitize_sql (or similar) is called with just one parameter, it is likely a SQL injection bug! Also, note that Semgrep is AST-aware; the blog post is incorrect.

Endpoint vulnerability management at scale
Santiago Gutiérrez describes how Canva handles endpoint vulnerability management across over 5000 devices by: collaboratively defining SLAs and responsibilities with stakeholders (e.g. IT), getting app inventory and vulnerability data (from SentinelOne, or tools like osquery), using MDM to manage updates for ~70 apps, storing data in Snowflake, and more.

Santiago shares a number of useful charts they created (queries used and sample data on GitHub), including: tracking vulnerabilities by severity over time, top widespread vulnerable applications, vulnerability age through time, and widespread managed vulnerable applications out of SLA.

Future work: use exploitability during vulnerability assessment (e.g. leveraging CISA's Known Exploited Vulnerability catalog (KEV)), require devices with high severity vulnerabilities to apply patches before accessing sensitive data, etc.

Sponsor

📣 Join the Open Cloud Security Movement!

When it’s time to secure their cloud environments, AWS itself recommends Prowler Open Source. Prowler gives you the tools to oversee and secure your cloud environment openly. Why hide behind closed doors when you can empower your team with a security tool that’s open for all to see and improve? Embrace a transparent approach to AWS security with Prowler Open Source.

👉️ Try Now! 👈️

Prowler is one of the most popular open source cloud security tools. I love seeing all of the development/community built around OSS security tools 🤘

Cloud Security

lirlia/prel
An application that temporarily assigns Google Cloud IAM Roles and includes an approval process.

Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs
Mitiga’s Gavriel Fried covers the basics of GCP logs for forensic investigations, the types of logs (cloud audit, service, agent, and network logs), the four main identity types (user accounts, service accounts, service agents, and workload identities), how service accounts are used and impersonated, and how to analyze log components.

IAM Is The Worst
Mathew Duggan eloquently lays out why I feel a deep unshakeable sadness in my soul when I think of cloud permissions, discussing the complexity of IAM in AWS and GCP, and a potential solution: automatically restricting app and user permissions based on actual usage over, say, 30 or 90 days, and being able to temporarily grant additional access. GCP and AWS provide functionality for the former (see also Netflix’s RepoKid), and a number of OSS and commercial products (see Segment’s Access Service, or Discord’s) exist for the latter.

Delete unused AMIs using the new 'LastLaunchedTime' attribute
Steffen Gebert shares helpful CLI commands and scripts to delete unused AMIs and EBS snapshots using the ‘LastLaunchedTime’ attribute.

One trick I liked from the one-liners he shares is that he has them initially just echo out the state-changing command that would have been run, so that you can run it and manually verify the output, and then remove the echo to actually run it once you are confident. Nice!

Really: Policy language for infra that doesn't suck
Resourcely's Travis McPeak announces Really: a new policy language and enforcement engine designed to simplify the creation and maintenance of cloud infrastructure policies, replacing the complex and time-consuming Rego language.

Disclaimer: I'm an angel investor in Resourcely because I've been a fan of the founders for a number of years and I believe secure defaults/guardrails (preventing classes of vulnerabilities by construction) are the future of security.

Container Security

Monitoring your EKS clusters audit logs
Sysdig's Thomas Labarussias announces the first release of the Falco plugin for EKS Audit Logs, k8saudit-eks, which makes it easier to use Falco to monitor Kubernetes audit logs by continuously pulling and scanning CloudWatch logs.

A step-by-step guide to securely upgrading your EKS clusters
Fairwinds' Stevie Caldwell provides a detailed guide to upgrading AWS Elastic Kubernetes Service (EKS) clusters, including how often to upgrade Kubernetes (the community provides security fixes and bug patches for the three most recent minor versions), an upgrade sequence and checklist, and useful open source tools like Pluto, which can find deprecated Kubernetes API versions in your code repositories and Helm releases (see also: KubePug/Deprecations, and GoNoGo, which can check if add-ons installed with Helm are safe to upgrade).

Supply Chain

The Monsters in Your Build Cache - GitHub Actions Cache Poisoning
Adnan Khan describes how an attacker with code execution within a main branch workflow, through a Pwn Request vulnerability or a compromised dependency, can obtain the workflow's CacheServerUrl and AccessToken, allowing them to inject malicious code into build cache files that will later be run. This would allow the attacker to tamper with a SLSA Level 3 build artifact that produces signed provenance without leaving a trace. PoC: ActionsCacheBlasting.

Linux maintainers were infected for 2 years by SSH-dwelling backdoor
For two years, starting in 2009, Linux's kernel.org servers were infected by Ebury malware, which stole encrypted password data from over 550 system users and managed to convert half into plaintext passwords. The malware, which created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required, spread to 25,000 servers, including those belonging to the Linux Kernel Organization, hosting facilities, and an unnamed domain registrar and web hosting provider.

A peek into build provenance for Homebrew
Thanks to Trail of Bits’ Joe Sweeney and William Woodruff, from now on, each bottle built by Homebrew will come with a cryptographically verifiable statement binding the bottle’s content to the specific workflow and other build-time metadata that produced it, and can be verified with brew verify.

This injects greater transparency into the Homebrew build process, and reduces the risk of compromised or malicious insiders tricking users into installing non-CI-built bottles. Love the ecosystem level improvements!

Blue Team

notdls/known-breaches
By dls: A compilation of breach information gathered from data aggregators and breach lookup services. Currently supports: HaveIBeenPwned, Dehashed, Leak-Lookup, and Vigilante.pw.

YARA is dead, long live YARA-X
Victor M. Alvarez announces YARA-X, a completely new implementation of YARA in Rust, aiming for a better command-line user experience, improved performance, enhanced reliability and security (YARA has some complex C code), and more. YARA will still be maintained, but won't receive new large features. YARA-X has already been battle tested by VirusTotal across millions of files with tens of thousands of rules.

How to prioritize a Detection Backlog?
Alex Teixeira shares perspective on how to prioritize the detections you write. Consider: evaluating the cost of implementing a detection vs the value its alert potentially generates, coverage (e.g. ATT&CK Matrix), severity of potential impact, probability of occurrence, target asset value, as well as the current threat landscape, compliance requirements, your team's throughput, and stakeholder's value. Nice image overview in the post.

Red Team

joaoviictorti/RustRedOps
By João Victor: A repo dedicated to gathering and sharing advanced techniques and offensive malware for red team, written in Rust. Includes examples of API hooking, anti-debug, creating drivers and DLLs, enumerating processes, and more.

Emulation with Qiling
Qiling is an emulation framework that builds upon the Unicorn emulator by providing higher level functionality such as support for dynamic library loading, syscall interception and more.

Nettitude’s Connor Ford walks through using Qiling and how it can be used to emulate an HTTP server binary from a router, covering: unpacking the firmware with Binwalk, using Qiling hooks to override function implementations, using Qiling’s patching capabilities, and how to diagnose and fix issues during emulation, such as missing directories or files.

AI

Slack users horrified to discover messages used for AI training
By default Slack's terms of service allow them to use your data to train their global AI models, including messages, content, and files. Opt out by emailing [email protected] choice words with the subject “Slack Global model opt-out request.”

Leaked OpenAI documents reveal aggressive tactics toward former employees
Employees who leave OpenAI are asked to sign a non-disparagement clause (with no end date) within 7 days or lose their vested equity, which is likely a large portion of their compensation. Sam Altman said they wouldn’t do the clawback and haven’t, and that he didn’t know about this clause, despite his signature on a number of documents setting this policy.

Scarlett Johansson says she is 'shocked, angered' over new ChatGPT voice
OpenAI’s ‘Sky’ voice sounds a lot like ScarJo in the movie ‘Her’, so her legal team sent OpenAI a letter asking about the process of creating that voice. Johansson claims that Sam Altman approached her 9 months ago about licensing her voice for the new ChatGPT voice assistant, and that she declined the offer. OpenAI claims it used another voice actor and the Sky voice was not intended to imitate her. Johansson’s statement here.

Quote

“There are no solutions. There are only trade-offs.” - Thomas Sowell

Misc

Derek Sivers’ notes on the book The Courage to Be Disliked
“We are not determined by our experiences, but by the meaning we give them.”

“You say fear is stopping you from doing what you want.
If I did cure your fear, and nothing in your situation changed at all, you’d probably say, ‘Give me back my fear!’”

“Think of life as a series of dots.
If you look through a magnifying glass at a solid line drawn with chalk, you will discover that what you thought was a line is actually a series of small dots.
Seemingly linear existence is actually a series of dots; in other words, life is a series of moments called ‘now’.”

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler