
"Many enterprises use GitHub Action Secrets to store and protect sensitive information such as credentials, API keys, and tokens used in CI/CD workflows. These private repositories are widely assumed to be safe and locked down. But attackers are now exploiting that blind trust, according to new research from the Wiz Customer Incident Response Team. They found that threat actors are using exposed GitHub Personal Access Tokens (PATs) to access GitHub Action Secrets and sneak into cloud environments, then run amok."
"When PATs, which allow developers and automation bots to interact with GitHub repositories and workflows, are exploited, attackers can easily move laterally to CSP control planes. PATs can become a "powerful springboard" that allows attackers to impersonate developers and carry out a range of activities, explained Erik Avakian, technical counselor at Info-Tech Research Group. It's like having a backstage pass into a company's cloud environments, he said."
Exposed GitHub Personal Access Tokens (PATs) are being used to access GitHub Action Secrets and gain entry into cloud environments. An estimated 73% of organizations that use GitHub Action Secrets in private repositories store cloud service provider credentials in them. When PATs are exploited, attackers can move laterally into CSP control planes and impersonate developers, performing actions that lead directly to AWS, Azure, GCP, or other cloud services. Cloud service provider access keys are high-value and often long-lived, which increases the impact of a compromise. Attackers search repositories and workflows for hints of cloud access and configuration in order to escalate privileges and take control of cloud resources.
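A defender's first step against this pattern is knowing which workflows consume cloud provider credentials from Action Secrets, since those are the secrets a stolen PAT would be used to reach and the ones most worth rotating, scoping down, or replacing with short-lived credentials. The script below is an added example and is not code from the InfoWorld article or from Wiz's research. It scans workflow files for `${{ secrets.NAME }}` references and groups them by provider using secret-name patterns; the provider patterns and the two sample workflow files are assumptions constructed for the example, not values from the page.

```python
import re

# Constructed sample workflow files (not from the article); paths are illustrative.
SAMPLE_WORKFLOWS = {
    ".github/workflows/deploy.yml": """\
name: deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: aws s3 sync ./build s3://example-bucket
      - name: Login to Azure
        run: az login --service-principal -p "${{ secrets.ARM_CLIENT_SECRET }}"
""",
    ".github/workflows/test.yml": """\
name: test
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
}

# Heuristic secret-name patterns for long-lived cloud provider credentials.
# These names are assumptions based on common conventions; extend for your org.
CLOUD_SECRET_PATTERNS = {
    "AWS": re.compile(r"AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)"),
    "Azure": re.compile(r"(AZURE_CREDENTIALS|ARM_CLIENT_SECRET|AZURE_CLIENT_SECRET)"),
    "GCP": re.compile(r"(GCP_SA_KEY|GOOGLE_CREDENTIALS|GCP_CREDENTIALS)"),
}

# Matches GitHub Actions expressions of the form ${{ secrets.NAME }}.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def find_secret_refs(workflow_text):
    """Return the distinct secret names a workflow references, in order of first use."""
    seen, names = set(), []
    for name in SECRET_REF.findall(workflow_text):
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


def classify_secret(name):
    """Map a secret name to a cloud provider label, or None if it is not a known pattern."""
    for provider, pattern in CLOUD_SECRET_PATTERNS.items():
        if pattern.fullmatch(name):
            return provider
    return None


def audit_workflows(files):
    """Group each workflow's secret references by provider ("other" for non-cloud secrets)."""
    report = {}
    for path, text in files.items():
        grouped = {}
        for name in find_secret_refs(text):
            key = classify_secret(name) or "other"
            grouped.setdefault(key, []).append(name)
        if grouped:
            report[path] = grouped
    return report


def summarize(report):
    """Count workflows that consume cloud credentials and list the distinct secret names involved."""
    cloud_secrets = set()
    workflows = 0
    for grouped in report.values():
        providers = {k: v for k, v in grouped.items() if k != "other"}
        if providers:
            workflows += 1
            for names in providers.values():
                cloud_secrets.update(names)
    return {
        "workflows_with_cloud_credentials": workflows,
        "cloud_secrets": sorted(cloud_secrets),
    }


if __name__ == "__main__":
    audit = audit_workflows(SAMPLE_WORKFLOWS)
    for path, grouped in audit.items():
        print(path, grouped)
    print(summarize(audit))
```

Run against a checkout by replacing `SAMPLE_WORKFLOWS` with the contents of `.github/workflows/*.yml`; the resulting list of cloud-credential secrets, and the workflows that can read them, is the inventory to prioritize for rotation and for narrowing which tokens and people can modify those workflows.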
Read at InfoWorld