IBM’s pen testing group X-Force Red released a new source-code management (SCM) attack simulation toolkit Tuesday, with new research revealing ways to use native SCM functionality in attacks.
Brett Hawkins of X-Force Red will present the research at Black Hat later in the week.
Source-code management tools like GitHub are more than just a home to intellectual property. They are a way to install code en masse on every system that code reaches. Two of the most devastating attacks in history – NotPetya and SolarWinds – came out of malicious code inserted into updates, then distributed to clients. Sloppy SCM users sometimes leave API keys and passwords exposed in code, giving anyone who finds them access to other systems; from there, SCM may be connected to other DevOps servers and become a pivot point.
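The exposed-credentials problem described above is usually caught on the defending side with a secret scanner run as a pre-receive or CI hook. The following is an added illustration, not part of the article or of SCMKit: it scans only the added lines of a diff for AWS access key IDs, credential-looking assignments, and high-entropy string literals. The diff is constructed, and the AWS values in it are the examples from AWS's own documentation, not live keys.

```python
"""Scan added diff lines for credentials before a push reaches the SCM (pre-receive / CI hook)."""
import math
import re
from typing import List

# Constructed sample diff; the AWS values are AWS's published documentation examples, not live keys.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "hunter2"
+LOG_LEVEL = "INFO"
-OLD_TOKEN = "ghp_thisWasRemovedSoNotReported"
"""

# AWS access key IDs are 20 uppercase alphanumerics starting with AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A credential-looking variable name assigned a quoted literal of at least 6 characters.
CRED_ASSIGN = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
)
# Any long quoted literal; combined with an entropy threshold it catches keys under unrelated names.
QUOTED = re.compile(r"['\"]([^'\"]{32,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above natural-language text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff_text: str) -> List[dict]:
    """Return one finding per (added line, rule). Removed and context lines are ignored."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can introduce a secret
        body = line[1:]
        if AWS_KEY_ID.search(body):
            findings.append({"line_no": line_no, "rule": "aws_access_key_id", "line": body})
        if CRED_ASSIGN.search(body):
            findings.append({"line_no": line_no, "rule": "credential_assignment", "line": body})
        for literal in QUOTED.findall(body):
            if shannon_entropy(literal) >= 4.0:
                findings.append({"line_no": line_no, "rule": "high_entropy_literal", "line": body})
                break
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line_no']}: {f['rule']}: {f['line'].strip()}")
```

A hook that rejects the push on any finding, paired with key rotation for anything already committed, closes the pivot the article describes.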
“There’s not really any research out there on attacking and defending these systems,” Hawkins told SC Media.
At present, most attacks on SCM are by bad actors searching for interesting exposed files, repositories and content. But Hawkins developed more sophisticated attacks leading to privilege escalation, stealth and persistence to use in pen tests.
That might mean using administrator access to create or duplicate tokens used to access the SCM. Alternatively, on GitHub, that might mean clicking a single button to impersonate users.
Hawkins jammed his research and reconnaissance tools into SCMKit, the toolkit released Tuesday.
“There’s nothing out there that exists like SCMKit right now. It allows you to do a bunch of different attack scenarios including reconnaissance, privilege escalation, and persistence against GitHub Enterprise, GitLab Enterprise and Bitbucket,” said Hawkins. “I’m hoping to get some good feedback from the infosec community.”
Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
August 29, 2022