PacketWatch Threat Intelligence

GitHub Access Concerns, CrowdStrike Scams, and More | PacketWatch Threat Intelligence | July 29, 2024

Written by The PacketWatch Intelligence Team | Jul 29, 2024 7:30:10 PM

In this week's threat intel report, we explore how security researchers have uncovered several ways private or deleted GitHub data can be retrieved, recent CrowdStrike scams and a hunt query, and a vulnerability roundup.

Github Data Never Dies

Security researchers at Truffle Security have identified several scenarios where private or deleted GitHub data can be retrieved. They are calling this attack vector Cross fork Object Reference (CFOR), which occurs when one repository fork can access sensitive data from another fork, including data from private and deleted forks.

The research outlines three main use cases: Accessing deleted fork data, accessing deleted repository data, and accessing private repository data.

Accessing Deleted Fork Data

In this example, the user forks a public repository, makes code commits to their fork, then deletes their fork. The assumption would be that the deleted fork data is gone, however, this is not the case. This "deleted" data is still accessible in Github if the commit hash is known.

Accessing Deleted Repo Data

In this example, the user starts with a public repository on GitHub. At some point, another user forks this public repository. The original owner of the public repository then does more code commits to the public repository, and then eventually deletes the entire repository. In this scenario, the code commits that happened after the fork are still accessible, even though the repository has been deleted.

Accessing Private Repo Data

In this last example, the user creates a private repository that will eventually be made public. They create a private, internal version of this repository (via forking) and commit additional code that is not going to be made public. The user then makes the "upstream" repository public and keeps the fork private. In this use case, any code that is committed between the time the internal fork was created and when the upstream repository was made public is accessible on the public repository.

How To Access The Data (Finding The Hash)

Each time a commit is made, it is identified with a unique SHA-1 hash called the commit hash. If a user knows this hash, they can go directly to the code commit page. While guessing an entire SHA-1 hash would be quite difficult, you do not need to know the entire hash to access it in Github. The git protocol permits the use of "short SHA-1 values" when referencing a commit. This value is the minimum number of characters required to avoid collision with another hash (minimum of 4 characters), which makes it possible to brute-force these commit hashes.

Why It Matters

A very common security issue organizations face is when API or security keys are accidentally committed to a Github repository. When issues like these are identified, common practice is to simply delete the data and assume the data is no longer retrievable. In the use cases documented above, the data is still retrievable. Any sensitive data such as passwords or API keys that have been identified in this way that fit this use case criteria should have those passwords or keys rotated.

Additional Resources

CrowdStrike Scams

In the wake of the widespread Windows system outages caused by a faulty CrowdStrike update, threat actors have already begun attempts to exploit the chaos and confusion of the situation. CrowdStrike identified a phishing email campaign attempting to spread the Daolpu infostealer. The phishing emails contain a Word doc attachment:

'New_Recover_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm'

The contents of the document match the guidance from a Microsoft support bulletin, but also contain a macro that if enabled download and launch the Daolpu infostealer. This type of malware targets login data, such as usernames, passwords, and session cookies from web browsers.

In addition to phishing campaigns, threat actors have registered fake CrowdStrike support pages. Security researcher @embree_research identified over 5 dozen fake pages registered within 7 days of the outage. Below are examples of these fake pages:

crowdstrike-bsod[.]com

crowdstrike-helpdesk[.]com

crowdstrike[.]blue

crowdstrikeclaim[.]com

crowdstrikeglitch[.]com

crowdstrikehelp[.]com

crowdstrikeoutage[.]info

crowdstrikesettlement[.]com


The following query can be used in PacketWatch to hunt for traffic to these types of sites:

http.host:/.*cr[o0]wd[\w\-]{0,2}[s5]tr[i1]k[e3].*/ AND NOT http.host:(crowdstrike.com OR *.crowdstrike.com)

As with any widescale disaster event, whether natural or manmade, threat actors are always going to try and exploit these situations. User awareness training is one of the most effective methods to combat these exploits. Users should be taught to only trust support emails from trusted sources, usually internal IT. Having up-to-date EDR tools deployed across every viable endpoint will also help prevent execution of malware such as the Daolpu stealer.

Additional Resources

Vulnerability Roundup

Service Now CVEs Under Active Exploitation

Researchers from Resecurity have observed active exploitation of 3 vulnerabilities in the Service Now platform. The vulnerabilities are tracked as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. The first two flaws allow unauthenticated remote attackers to execute arbitrary code, while the third allows administrative users to gain unauthorized access to sensitive files on the web server.  Resecurity was able to observe threat actors dumping credentials from vulnerable servers. Proof-of-concept exploit code is available in the wild. The flaws affect Washington DC, Vancouver, and Utah Now Platform releases. Administrators are urged to patch as soon as possible.

Additional Resources

Progress Telerik Report Server Critical RCE

Progress Software released a patch for a critical remote code execution flaw in the Telerik Report Server, a server-based reporting platform used for centralized storage, as well as creation, deployment, delivery, and management of reports across an organization. The vulnerability is tracked as CVE-2024-6327, and is a flaw in how the software deserializes untrusted data sent to the platform. Successful exploitation would allow for a remote, unauthenticated attacker to execute arbitrary code on the server. Progress Telerik Report server versions 2024 Q2 (10.1.24.709) and prior are vulnerable. Administrators are urged to patch to version 2024 Q2 (10.1.24.709) as soon as possible.

Additional Resources

Docker Authorization Bypass

A critical authentication bypass vulnerability with a CVSS score of 10.0 was identified in Docker AuthZ plugins. Per Docker's security advisory, Docker's authentication model is "all-or-nothing". Users that wish to have more granular control over user permissions utilize plugins such as AuthZ. The vulnerability can be exploited by an attacker sending a specially crafted API request to the AuthZ plugin which bypasses authentication checks. The flaw was initially fixed in Docker Engine v18.09.1 in January 2019, but the fix was not carried over to subsequent releases. Administrators are urged to patch to version 23.0.14 or 27.1.0 as soon as possible.

Additional Resources

SolarWinds Critical Vulnerabilities

In a recent security advisory, SolarWinds disclosed a set of 13 new vulnerabilities in the SolarWinds Access Rights Manager, eight of which are rated critical. Successful exploitation of these vulnerabilities can result in remote code execution with elevated privileges, as well as allow for the attacker to read and delete files on the server. This set of vulnerabilities has been patched in version 2024.3. Administrators are urged to patch as soon as possible.

Additional Resources

Cisco Secure Email Gateway

On July 17, Cisco released a security advisory for a critical arbitrary file write vulnerability in the Cisco Secure Email Gateway, tracked as CVE-2024-20401. The flaw is due to improper handling of email attachments when file analysis and content filters are enabled. The vulnerability can be exploited by an attacker sending an email with a malicious attachment through an affected device. Successful exploitation can allow the attacker to replace any file on the system. Per the advisory, the attacker could then add users with root privileges, modify the device configuration, execute arbitrary code, or case a permanent denial of service condition. The vulnerability affects Cisco Security Email Gateway if it is running a vulnerable release of Cisco AsyncOS (prior to version 15.5.1-055), and both of the following conditions are met:

  • Either the file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy.
  • The Content Scanner Tools verions is earlier than 23.3.0.4823.

Administrators are urged to patch as soon as possible.

Additional Resources

Cisco Smart Software Manager On-Prem

Cisco disclosed a maximum severity flaw in their Smart Software Manager (SSM) On-Prem solutions that allow for a remote, unauthenticated attacker to change the password of any users, including administrators. The vulnerability is tracked as CVE-2024-20419. Versions 8.202206 and earlier are vulnerable, and administrators should upgrade to the fixed release, 8-202212, as soon as possible. Version 9 of SSM is not vulnerable.

Additional Resources


Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.