Cyberwire Network Announcer

You're listening to the Cyberwire Network, powered by N2K.

Lowe's / Focus Features / Indeed Advertiser

Spring Fest is happening now at Lowe's. Keep the spotlight on your yard with stay green premium 2 cubic foot mulch. 5 bags for $10. Plus when you want more help indoors, get up to 40% off. Select major appliances that help you supercharge your chores. Our best lineup is here at Lowe's. Valid to 420. Supplies last selection varies by location. Seelowes.com for details. Mulch offer excludes Alaska and Hawaii.

Dave Bittner

Hello everyone, and welcome to the Cyberwires Research Saturday. I'm Dave Buettner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. Else.

Yuval Avrahami

What actually brought it to our attention was an actual threat actor that managed to take over an AWS GitHub repository using another Codvid issue. We saw this and we thought it's, you know, pretty insane that it's possible to do something like that. And that's what originally led us to look in this direction.

Dave Bittner

That's Yuval Avrahami, vulnerability researcher at wiz. The research we're discussing today is titled Code Infiltrating the AWS Console Supply Chain and hijacking AWS GitHub repositories via CodeBill. Well, before we dig into code Breach itself, could you explain to us how is AWS CodeBuild normally used and what makes it an attractive target?

Yuval Avrahami

CodeBuild is a CI CD service, so it's normally used to trigger builds on source code. So what you normally do, if you have a source repository, a code repository in GitHub, for example, you would connect code build to that. So whenever you do something like a push or a pull request or you have a new feature and you want your automated test to run, those could run in codebuild. And what makes the interesting target is that for code build to interact with GitHub with the source repository, for example, to tell it if a build, you know, failed or something like that, it actually needs some GitHub credentials. And often those are very powerful. And that means that if you are able to compromise a build that's running on a code build, you could end up hijacking the entire repository. So that's why it's an interesting target for us and for attackers. We saw attackers actually go after it as well.

Dave Bittner

Well, take us through Code breach. What exactly is going on here?

Yuval Avrahami

Because the consequence of having a build being Triggered for your pull request is that you now have code running in code Build next to the GitHub credentials. So this is something you wouldn't want anyone to be able to have. Code Build has this concept of webhook filters, which basically mean in simplicity, it's just a list of GitHub users that are allowed to trigger builds. Right? So that actually is a valid way to do it. Like, it's a bit annoying from just a user experience perspective to have to like fill in this list of every, every time someone joins your team you search GitHub user ID, you need to add it to the, to the list. When we saw this, we like, like our, our organizations are actually implementing this. Like, it sounds like a bit of a hassle, you know. So this is how we started to look into this. We thought we're going to look about on a. We're going to search for code build projects. And we, our hypothesis was that people are probably just lazy, you know, they probably are not implementing this. So we went out to search for like code build projects that were configured as public. So you have this setting which makes a code build project public, meaning anyone can see its settings. And that allowed us to actually search for code build projects and see their configurations and see if people are actually setting this list or are they being lazy. And we found a couple of AWS GitHub repository, like pretty major one. And we'll talk about one of them later on, which were connected to CodeBuild and they actually had this list of users. So we were like, okay, good for aws. They weren't being lazy. They actually narrowed down who could trigger builds in their GitHub repositories. So at first it looks like a dead end, but when we looked at these lists again, something stood out. The separator between the numbers in the list, it wasn't like a comma or a space, it was a pipe character, which is quite odd for a normal list. And that was actually the clue that this is actually not a normal list. This is a regex expression, which basically meant that it will not only Authorize the user IDs in the list, but because of how regex work, it will authorize any user ID that contains an approved user id. Okay, wow.

Dave Bittner

So how does this differ from a more traditional cloud misconfiguration?

Yuval Avrahami

So I think, first of all, it's not that clear. It's a misconfiguration. Like the people who configured it in AWS assumed it was secure and also us when we saw this list of numbers. At the beginning we were sure, like, okay, this is like they specified which accounts can actually trigger a build. So it looks like it's very subtle. I'd say it's what makes this interesting and why it went unnoticed for a lot of time. The impact here is really crazy because because of this subtle misconfiguration, you are able to actually take over key AWS GitHub repositories. And we're talking like some of the most crucial GitHub repositories that are used all across AWS environments.

Dave Bittner

We'll be right back.

Lowe's / Focus Features / Indeed Advertiser

This episode is brought to you by Focus Features. Would you let AI pilot your plane? Raise your child? Decide your future? On March 27, Focus Features presents the AI document or how I Became an Apocalyptimist. Critics and audience at the Sundance and Southwest Film Festivals call it the most urgent movie of our time. The AI doc or how I became an apocalyptomist. Rated PG13 only in theaters March 27.

Cyberwire Network Announcer

This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored jobs to find the right people with the right skill skills fast. It's a simple way to make sure your listing is the first candidate. C According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

Dave Bittner

Well, can you walk us through an attack scenario here? From the attacker's perspective, how do they go about doing what they want to do?

Yuval Avrahami

So the way to go about it from like if you're an attacker who want to actually exploit this, you need to open a GitHub account which has an ID that contains one of the approved maintainer IDs. And this is actually not that simple. An ID like that is available for registration something like once every five days because you need the ID to be like to have an exact match of an approved maintainer ID inside it. So every five days something occurs that we internally called it an eclipse. When an ID is exactly a super string of an approved id. And when that moments come out, you just need to flood GitHub with a lot of user creation requests because users in GitHub are created all the time. If you don't create a lot of users at the precise moment where the idea is up for registration, like someone else is going to take this special idea. And so we figured out a couple of ways to actually bypass it's not really bypassing GitHub rate limits. It's just a couple of avenues which GitHub doesn't rate limit at the time. And we find a way actually to create a lot of GitHub users at the precise moment to actually capture the attacker user id. And once you have this user id, the attack scenario is really simple. You just open a pull request to the GitHub repository. You want to compromise once you open it, because code Build sees your GitHub user ID and because of how the filter is implemented, a build will be triggered from your pull request. And now you have code execution in a build which has GitHub credentials. So you have those credentials and at that time you can just do whatever you want. You basically add an admin of the repository. You could push code open, pull requests, exfiltrate secrets. And we actually saw someone do something like that about a month before our research. So we know that people are actually, you know, abusing this mechanism. It was a different code build issue, but, you know, the overall attack pattern is the same. You open a pr, you abuse samis configuration to trigger a building code build. And once your build is running, you can take the GitHub credentials, right? And just you have complete control over the GitHub repository. You can release your own code. You could, you know, push malicious code. The main thing is just doing this without being noticed, right?

Dave Bittner

Are there any particular kinds of organizations that would be most at risk from this issue?

Yuval Avrahami

First of all, anyone that uses a CI CD service can have this issue. The main thing is whether your repositories are public or private, right? Because if you have private repositories only, for example, the only one who sees the repositories and can attack them are internal users, right? Your own company users. So the risk is much lower than if your code repository is public. And that exactly is what happened to aws. They open source their code. And unfortunately, the side effect of doing that is that anyone can see your code and sometimes the CI CD configurations. So if you're an organization that runs CI CD builds on public repositories, you should really take notes regarding issues like this. Because what makes them crazy is that the attacker has no prior access to your organization at all, right? And he just submits one pull request, he gets his build running, and suddenly he's an admin of one of your key components, right? It's such a supply chain nightmare. It's a really, really interesting risk.

Dave Bittner

Now, how did AWS respond once you disclosed this issue?

Yuval Avrahami

Oh, they were great. They were really fast. Within I think 48 hours, they already mitigated all of the problematic filters and they actually released a new feature which automatically, instead of having this list of user IDs that you need to maintain and keep track of, AWS now automatically has a feature that checks what is the actual permissions of the person who opened the pull request over the GitHub repositories. Right. So it automatically detects if you're an owner of the GitHub repository and only if so it will allow a build to trigger. And this is such a good improvement. But the thing is that this is the default for new code build projects, right. So if you have a code build projects from before this issue, you need to change your settings and this is the main like action item from this issue. Go to your code build settings and enable this feature. It's called Pull Request Comment Approval and it really is an easy click and you're much more secure.

Dave Bittner

So the fix is available, but you have to know to do it and then actually go ahead and do it.

Yuval Avrahami

Yeah, AWS fixed the repositories that they have that we found are vulnerable. Right. But it's problematic for them to just go inside existing projects and change their settings without the customers knowing about it. Right. So they automatically enable this for new projects. But if you have an existing project, you should really look into whether this setting is enabled from a high level.

Dave Bittner

Are there lessons that security teams can take away from this in terms of trusting managed cloud services?

Yuval Avrahami

Yeah, it's a tough one, right? Because you don't know that if you like implement this yourself, you're going to do necessarily a much better job.

Dave Bittner

Right.

Yuval Avrahami

But I think this falls into the configuration of the cloud service and in these areas when you have like a lot of recent attacks and the industry is a bit behind like CI CD security, I think you really need to double check your configuration and if there any way for you to reduce the privileges, you just need to do it. Right. See ICD is such a problematic vector right now. We see countless attacks. So the main point is you want to close the biggest attack surface right now, which is public repositories. So you really need to look at the CICD services of your public repositories and try to secure kill them first because they are open to the world and this is what makes them good targets for attackers.

Dave Bittner

Our thanks to Yuval Avrahami from Wiz for joining us. The research is titled Code Infiltrating the AWS Console Supply Chain and hijacking AWS Go GitHub repositories via CodeBuild. We'll have a link in the Show Notes and that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire2k. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ivan. Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.