September 9, 2024
Severity
High
Analysis Summary
Typosquatting has long been used by threat actors to fool gullible people into accessing malicious websites or downloading malware and other packages that are designed to cause harm. Typically, these attacks entail registering domains or packages with names that differ only slightly from those of their authentic counterparts (goog1e.com vs. google.com, for example).
According to the researchers, this attack method leverages the fact that anyone can publish GitHub Actions by creating a new GitHub account, often using a temporary email address. If a developer accidentally uses a misspelled action name that matches a typosquatter's action, their applications could unknowingly run malicious code.
The attack's mechanism involves creating repositories with names closely resembling popular or frequently used GitHub Actions. For instance, if a user mistakenly writes "actons/checkout" instead of the legitimate "actions/checkout," the malicious action created by the attacker will execute instead of the intended one. This could lead to a range of malicious outcomes including tampering with source code, stealing secrets, or delivering malware. Such actions could even manipulate GitHub credentials to propagate malicious changes across multiple repositories within an organization.
Research uncovered numerous instances of this issue on GitHub, with 198 files using variations of "action/checkout" or "actons/checkout," highlighting the extensive potential for exploitation. This form of typosquatting is particularly attractive to threat actors due to its low cost and high impact, capable of compromising multiple downstream projects in one go. The use of this technique for software supply chain attacks represents a significant security risk, affecting both public and private repositories.
To mitigate these risks, users are advised to carefully verify the names and sources of GitHub Actions they integrate into their workflows. Regularly scanning CI/CD pipelines for typosquatting issues and adhering to best practices can help safeguard against such attacks. The concern is even more pronounced for private repositories, where similar typosquatting could lead to severe security breaches, though the full impact in these environments remains uncertain.
Impact
- Code Execution
- Information Disclosure
Remediation
- Always double-check the names and sources of GitHub Actions to ensure they are referencing legitimate and trusted repositories.
- Prefer using actions from well-known and verified sources or those published by reputable organizations to minimize the risk of typosquatting.
- Regularly review and audit CI/CD pipeline configurations and action usage to detect any discrepancies or typos that could lead to security vulnerabilities.
- Periodically scan CI/CD workflows for potential typosquatting issues and vulnerabilities to identify and address any risks early.
- Follow best practices for security in CI/CD pipelines, including limiting permissions and using secure credential storage.
- Set up monitoring for unusual activity in your CI/CD pipelines and have a response plan in place for any potential security incidents.
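The workflow scanning recommended above can be sketched as follows. This is an added example, not code from the researchers or from GitHub: it extracts every `uses:` reference from a workflow file, compares the `owner/repo` part against an allowlist, and flags names within a small edit distance of a trusted action. The allowlist, the distance threshold, the function names and the sample workflow are all assumptions made for illustration.

```python
import re

# Assumption: the owner/repo names your organization has approved (constructed list).
TRUSTED_ACTIONS = {"actions/checkout", "actions/setup-node", "actions/upload-artifact"}
# Captures the value of each `uses:` key, with or without a leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)

def edit_distance(a, b):
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_workflow(text, trusted=TRUSTED_ACTIONS, max_distance=2):
    """Return (action, verdict, closest_trusted) for each remote action not on the allowlist."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):  # local and container steps are out of scope
            continue
        # Drop the @ref and any sub-path; owner/repo names are case-insensitive.
        name = "/".join(ref.split("@", 1)[0].split("/")[:2]).lower()
        if name in trusted:
            continue
        closest = min(sorted(trusted), key=lambda t: edit_distance(name, t))
        if edit_distance(name, closest) <= max_distance:
            findings.append((name, "possible-typosquat", closest))
        else:
            findings.append((name, "not-on-allowlist", None))
    return findings

# Constructed sample workflow using the misspellings quoted in the analysis above.
SAMPLE_WORKFLOW = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actons/checkout@v4
      - uses: action/checkout@v4
      - uses: example-org/deploy-tool@v1
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE_WORKFLOW), sep="\n")
```

A near-miss finding deserves immediate review, while a `not-on-allowlist` finding only means the action has not yet been vetted.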