
Weekly Security Roundup: GitHub Supply Chain Intrusion, Ransomware Decryption Solutions, and Paragon's Latest Developments

Supply Chain Attack Through a Popular GitHub Action: A Quick Overview


Last Friday a supply chain attack landed on GitHub, hidden inside a popular community-maintained GitHub Action. Strictly speaking it was not GitHub itself that was compromised but every project whose workflows pulled in the tampered action. Let's walk through what happened.

To set the stage, we need to quickly cover Continuous Integration (CI) and GitHub Actions. CI is the practice of automatically building and testing a project on every change: push a commit and a CI run starts, and for some projects merely opening a pull request is enough to trigger one. It is most useful when the project has a test suite that the CI run can execute.

Now, automating builds seems straightforward, but the process includes checking out code, installing build dependencies, conducting a build, determining if the build succeeded, and uploading the results somewhere useful. Sometimes, even committing changes to the repository itself is part of the process, as in the case of incrementing a version number. For each stage, there are various approaches and quirks unique to each project.

GitHub tames this variety with a marketplace of "actions", many of them community maintained: reusable units of code that handle one common CI step and expose a few options. A workflow pulls an action in by name and ref, so every project using the action runs whatever code that ref currently points to.

If a project's release process ends with uploading to an AWS storage bucket, the workflow needs access keys. GitHub stores these as secrets and injects them into the workflow's environment, which means any code that runs inside the job can read them. It is therefore crucial not to let untrusted code run in the context of a GitHub Action.

This brings us to last Friday: one of those community-maintained actions was modified to fetch an obfuscated Python script and run it. That script dumped the memory of the GitHub runner process, scraped it for anything tagged as a secret, and wrote those values into the workflow log. For public repositories the log is world-readable, so every secret the workflow had access to was exposed to anyone who knew where to look.

Researchers at StepSecurity are investigating and have published a simple search string to run against your Actions logs to determine whether you were affected. It is not yet clear whether the compromised action was also embedded in other popular actions, so search your recent GitHub Actions logs for that indicator and, if it turns up, start rotating every secret those workflows could reach.
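The structural fix for a moved tag is to reference actions by a full commit SHA rather than a tag or branch name. The auditor below is an added example for this article, not StepSecurity's tooling and not GitHub's; it scans a workflow file for `uses:` lines and flags any third-party action referenced by a mutable ref. The workflow text is constructed for the example, and the action names and the SHA in it are placeholders, not the compromised action.

```python
"""Audit a GitHub Actions workflow for third-party actions referenced by a
mutable ref (tag or branch) instead of a full commit SHA.

Added example: not StepSecurity's tooling and not GitHub's code. The workflow
below is constructed; the action names and SHA in it are placeholders."""
import re
from dataclasses import dataclass
from typing import List

# Matches `uses: owner/repo@ref` (optionally quoted) at any indentation.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class ActionRef:
    action: str   # owner/repo or owner/repo/subdir
    ref: str      # whatever follows the '@'
    line: int     # 1-based line number in the workflow file

    @property
    def pinned(self) -> bool:
        # Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
        return bool(FULL_SHA_RE.match(self.ref))


def find_action_refs(workflow_text: str) -> List[ActionRef]:
    refs = []
    for m in USES_RE.finditer(workflow_text):
        target = m.group(1)
        # Local composite actions and docker images are not marketplace refs.
        if target.startswith("./") or target.startswith("docker://") or "@" not in target:
            continue
        action, _, ref = target.rpartition("@")
        line = workflow_text.count("\n", 0, m.start()) + 1
        refs.append(ActionRef(action, ref, line))
    return refs


def unpinned_actions(workflow_text: str) -> List[ActionRef]:
    return [r for r in find_action_refs(workflow_text) if not r.pinned]


def report(workflow_text: str) -> List[str]:
    return [f"line {r.line}: {r.action}@{r.ref} is a mutable ref; pin it to a commit SHA"
            for r in unpinned_actions(workflow_text)]


# Constructed sample workflow. The secret in the last step is visible to every
# step in the job, including code pulled in by the two unpinned actions.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/diff-summary@0123456789abcdef0123456789abcdef01234567  # v3.1.0
      - uses: ./.github/actions/local-step
      - uses: example-org/release-helper@main
      - name: upload artifacts
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: ./upload.sh
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_WORKFLOW):
        print(finding)
```

Pinning protects only against the tag you reference being moved. An action that is itself pinned can still `uses:` another action by tag inside its own definition, which is exactly the "embedded in other popular actions" worry above, so the same check has to be run over the action repositories you depend on, not just your own workflows.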

In other news, Fenrisk has been looking at the Linux supply chain, specifically distribution packaging. They found four issues in Fedora's Pagure, the web application used for source code management of Fedora packages. The most severe is an arbitrary file write via argument injection in the logging function.

It is exploited by injecting Git's output flag into the request, which redirects the Git history output into a file of the attacker's choosing. Because the commit message is barely sanitized, a Bash boolean operator placed in the commit message turns the rest of the line into a command that the shell will run when it evaluates the file. Add the crafted commit to your branch, request the URL so the history is written to the target file, then try to SSH in to the Pagure host. The server correctly refuses to give the user a shell, but not before it has executed the contents of the file you dropped. The issue was disclosed in April 2024 and Red Hat fixed it within hours.

That was not the only target: Fenrisk also found a critical vulnerability in OpenSUSE's Open Build Service. It is similar in shape to the Pagure issue, in that command-line options can be injected into the wget invocation used to download a package's source file. The injection permits writing arbitrary data to a file in the user's home directory, but there is no obvious path from there to executing it. Several execution paths are possible; the Proof of Concept (PoC) wrote a file into the home directory and then triggered it through a second command, giving arbitrary shell command execution. The OpenSUSE team had fixes ready and rolled them out within a few days of the private disclosure in June 2024.
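Both the Pagure and the Open Build Service bugs are the same mistake: user input is passed to a command-line tool in a position where the tool still accepts options, so a value that starts with `-` is parsed as a flag. The block below is an added example for this article, not Fenrisk's PoC and not Pagure or OBS code. It models both services in miniature (a hypothetical `git log <ref>` wrapper and a hypothetical `wget <url>` wrapper), shows the vulnerable argv beside a hardened one, and, when `git` is installed, runs the vulnerable git path end to end in a throwaway repository to show the file write. Only git's `--output=` option and the `--`/`--end-of-options` end-of-options markers are real; everything else is constructed.

```python
"""Argument injection through a positional parameter that begins with '-'.

Added example: not Fenrisk's proof of concept and not Pagure or Open Build
Service code. Function names, refs, URLs and paths are hypothetical."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List, Optional
from urllib.parse import urlsplit


# --- Vulnerable: the user-controlled value lands where options are still parsed ---
def git_log_argv_vulnerable(ref: str) -> List[str]:
    # A ref such as "--output=/home/git/.bashrc" is parsed by git as an option,
    # so the log (including attacker-written commit subjects) is written to that file.
    return ["git", "log", "--format=%s", ref]


def wget_argv_vulnerable(url: str) -> List[str]:
    # A "url" such as "-O/home/obs/.profile" is accepted by wget as an option.
    return ["wget", "-q", url]


# --- Hardened: validate the value, then end option parsing before it ------------
REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def git_log_argv_hardened(ref: str) -> List[str]:
    if not REF_RE.fullmatch(ref) or ".." in ref:
        raise ValueError(f"rejected ref: {ref!r}")
    # --end-of-options (git >= 2.24) makes git treat everything after it as a revision.
    return ["git", "log", "--format=%s", "--end-of-options", ref]


def wget_argv_hardened(url: str) -> List[str]:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"rejected url: {url!r}")
    # "--" ends option parsing for getopt-based tools such as wget.
    return ["wget", "-q", "--", url]


def positional_parsed_as_option(argv: List[str], positional: str) -> bool:
    """True when `positional` would be consumed by the option parser: it starts
    with '-' and no end-of-options marker precedes it in argv."""
    if positional not in argv:
        return False
    idx = argv.index(positional)
    guarded = any(a in ("--", "--end-of-options") for a in argv[1:idx])
    return positional.startswith("-") and not guarded


def rejected(builder: Callable[[str], List[str]], value: str) -> bool:
    """Helper for checks: does the hardened builder refuse this value?"""
    try:
        builder(value)
        return False
    except ValueError:
        return True


def demo_git_file_write() -> Optional[str]:
    """Run the vulnerable git path for real in a throwaway repo and return the
    contents of the file the injected --output= wrote. Returns None when git is
    not installed or cannot run in this environment."""
    if shutil.which("git") is None:
        return None
    git = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
           "-c", "commit.gpgsign=false"]
    try:
        with tempfile.TemporaryDirectory() as tmp:
            repo = Path(tmp) / "repo"
            repo.mkdir()
            subprocess.run(git + ["init", "-q"], cwd=repo, check=True)
            # Commit subject: junk that fails as a command, a boolean operator, then the payload.
            subprocess.run(git + ["commit", "-q", "--allow-empty", "-m", "not-a-command || echo smuggled"],
                           cwd=repo, check=True)
            target = Path(tmp) / "dropped_file"   # stands in for a shell startup file
            subprocess.run(git_log_argv_vulnerable(f"--output={target}"), cwd=repo, check=True)
            return target.read_text()
    except (subprocess.CalledProcessError, OSError):
        return None


if __name__ == "__main__":
    print(git_log_argv_vulnerable("--output=/home/git/.bashrc"))
    print(demo_git_file_write())
```

The two hardened builders deliberately do both things: an allow-list on the value and an end-of-options marker. Either alone is fragile; a regex can miss an option syntax you did not think of, and `--` is only honoured by tools whose parser implements it, so check the tool's documentation before relying on it.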

Now, ransomware. What do you do when a company is hit with Akira ransomware and the backups turn out to be useless? If you're Yohanes Nugroho, apparently you grit your teeth and dig in. This particular Akira strain had a weakness that made decryption and recovery look feasible: the encryption key was seeded from the current system time, and Yohanes had both system logs and file modification timestamps to work with. The danger of using timestamps as random seeds is obvious: if you know the timestamp, you can regenerate the pseudorandom sequence.

It was not that easy, though. This Akira variant used four separate nanosecond-resolution time values to derive the per-file encryption key; two of them seed the encryption of the first eight bytes of each file, and those two have to be recovered before there is any hope of decrypting anything. From decompiling the malware binaries, Yohanes knew that the process would start, run a fixed amount of code before sampling the first value, then run another fixed amount of code before sampling the second. Ideally that fixed code would take a fixed amount of time, but reality is messier, especially on multi-core machines with multi-threaded operations: the gap between the two samples varies from run to run, so each value has to be searched over a window rather than computed from the other.

In the end Yohanes brute-forced a 10-second window of timestamps, spending roughly $1,300 on GPUs rented through vast.ai. The source code is available if you want to try the same trick. The practical lesson has not changed: maintain tested backups, keep systems updated, and stay aware of current threats.
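To make the two-timestamp search concrete, here is an added, deliberately simplified model of the scheme described above. It is not the Akira code and not Yohanes Nugroho's decryptor: the key is derived from two timestamps with SHA-256 (a hypothetical stand-in for the real seeded generator), timestamps are sampled on a 1 µs grid instead of 1 ns so the search finishes in well under a second, and the sample file, timestamps and window sizes are constructed. What it does show is the structure of the attack: a known eight-byte header (a PDF magic) as the plaintext oracle, a window for the first timestamp anchored on the file's mtime, and a second window for the gap between the two samples.

```python
"""Why a timestamp-seeded key is recoverable, and why a variable gap between two
timestamp samples turns "compute the key" into "search a window".

Added example: a simplified stand-in, not Akira and not Nugroho's decryptor.
SHA-256 as the KDF, the 1 µs tick, and all inputs below are constructed."""
import hashlib
from typing import Optional, Tuple

BLOCK = 8
TICK_NS = 1_000  # toy sampling resolution: 1 µs ticks instead of 1 ns, to keep the search small


def derive_key(t_a: int, t_b: int) -> bytes:
    """Toy KDF standing in for 'seed the PRNG with two timestamps'."""
    seed = t_a.to_bytes(8, "little") + t_b.to_bytes(8, "little")
    return hashlib.sha256(seed).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_first_block(plaintext: bytes, t_a: int, t_b: int) -> bytes:
    return xor_bytes(plaintext[:BLOCK], derive_key(t_a, t_b)) + plaintext[BLOCK:]


decrypt_first_block = encrypt_first_block  # XOR is its own inverse


def simulate_malware(plaintext: bytes, t_a: int, gap_ns: int) -> Tuple[bytes, int]:
    """Timeline: sample t_a, run 'fixed' code that actually takes gap_ns, sample
    t_b, encrypt. Returns the ciphertext and t_b; the file's mtime comes later."""
    t_b = t_a + gap_ns
    return encrypt_first_block(plaintext, t_a, t_b), t_b


def recover_timestamps(ciphertext: bytes, known_header: bytes, mtime_ns: int,
                       max_age_ns: int, gap_max_ns: int,
                       tick_ns: int = TICK_NS) -> Optional[Tuple[int, int]]:
    """Known-plaintext search over t_a in [mtime - max_age, mtime] and
    t_b in [t_a, t_a + gap_max]. Each candidate pair costs one KDF evaluation;
    because the gap is not fixed, both axes have to be searched."""
    target = ciphertext[:BLOCK]
    start = mtime_ns - max_age_ns
    start -= start % tick_ns  # stay on the sampling grid
    for t_a in range(start, mtime_ns + 1, tick_ns):
        for t_b in range(t_a, t_a + gap_max_ns + 1, tick_ns):
            if xor_bytes(target, derive_key(t_a, t_b)) == known_header:
                return t_a, t_b
    return None


def search_space(window_ns: int, gap_max_ns: int, tick_ns: int) -> int:
    """KDF evaluations the search costs; at tick_ns=1 over a 10 s window this is
    why the real job needed rented GPUs."""
    return (window_ns // tick_ns + 1) * (gap_max_ns // tick_ns + 1)


# Constructed inputs: a PDF whose first eight bytes are a known magic header.
SAMPLE_FILE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
T_A = 1_700_000_000_000_000_000      # ns since epoch when the malware started (on the tick grid)
GAP_NS = 37_000                      # how long the 'fixed' code really took on this run
MTIME_NS = T_A + GAP_NS + 100_000    # file closed 100 µs after t_b; this is what the defender sees


def run_demo() -> dict:
    ciphertext, t_b = simulate_malware(SAMPLE_FILE, T_A, GAP_NS)
    found = recover_timestamps(ciphertext, SAMPLE_FILE[:BLOCK], MTIME_NS,
                               max_age_ns=1_000_000, gap_max_ns=50_000)
    recovered = decrypt_first_block(ciphertext, *found) if found else None
    return {"ciphertext": ciphertext, "t_b": t_b, "found": found, "recovered": recovered}


if __name__ == "__main__":
    result = run_demo()
    print("recovered timestamps:", result["found"])
    print("first block restored:", result["recovered"][:BLOCK])
```

The search only works because the defender has two things the attacker assumed they would not: an mtime to anchor the window and a known plaintext to test candidates against. Either a key derived from a genuine entropy source or a file format with no predictable header would have made this brute force infeasible.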

The compromised GitHub Action shows how much trust a workflow places in community-maintained code: whatever the action runs sees the same secrets the workflow does, and for public repositories the log it writes to is visible to everyone.

Fedora's Pagure and OpenSUSE's Open Build Service show the same lesson one layer down in the Linux supply chain, where a single injected command-line option in the packaging pipeline was enough to turn a file write into arbitrary code execution.
