Compromised CI/CD, FBot, and Hadoop Attacks - Jan 7th - 14th, 2023 - F5 SIRT - This Week in Security

Jordan here as your editor this week. This week I cover a GitHub CI/CD runner attack, FBot, and attacks targeting Apache Hadoop.

We in F5 SIRT invest a lot of time in understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

Poisoning GitHub’s Runner Images

Security researchers have identified a significant vulnerability in GitHub’s actions/runner-images repository. This vulnerability allowed access to GitHub's internal systems and could potentially enable the injection of malicious code into GitHub’s runner base images, impacting all users of hosted runners. For this discovery, the researchers received a $20,000 bug bounty.

The researchers highlight the security risks associated with self-hosted runners in public repositories. They stress the importance of proper configuration and security hardening for these runners, as the attack capitalized on weak security practices.

This attack is a reminder of the need for vigilance and robust security protocols in software development, emphasizing the importance of prioritizing security in development processes. To mitigate such risks, the researchers recommend adjusting the default settings to require approval for all external collaborators in public repositories that use self-hosted runners. This precaution could significantly lower the likelihood of similar attacks.
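As an added illustration (not the researchers' code or anything from GitHub), the check below audits a parsed workflow file for the risky combination described above: a job on a self-hosted runner in a workflow that a fork pull request can trigger. It assumes the workflow has already been loaded with a YAML parser such as PyYAML's safe_load (the inline sample is constructed in that shape), and relies on GitHub's default "self-hosted" runner label and the pull_request/pull_request_target event names.

```python
# Added example (not the researchers' code or GitHub's): flag jobs that run on
# self-hosted runners in a workflow that a fork pull request can trigger.

# Events a pull request from a fork can fire (assumption: the set to review).
FORK_REACHABLE_TRIGGERS = {"pull_request", "pull_request_target"}


def workflow_triggers(workflow):
    """Return the event names a workflow listens on. PyYAML reads the bare
    key `on:` as boolean True (YAML 1.1), so both keys are checked."""
    raw = workflow.get("on", workflow.get(True))
    if raw is None:
        return set()
    if isinstance(raw, str):
        return {raw}
    if isinstance(raw, list):
        return set(raw)
    return set(raw)  # mapping form: {pull_request: {branches: [...]}}


def job_labels(job):
    """Normalise `runs-on` (string, list, or {group, labels}) to lower-cased labels."""
    runs_on = job.get("runs-on", "")
    if isinstance(runs_on, dict):
        runs_on = runs_on.get("labels", [])
    if isinstance(runs_on, str):
        runs_on = [runs_on]
    return {str(label).lower() for label in runs_on}


def find_exposed_jobs(workflow):
    """Names of self-hosted jobs reachable from fork PRs. Only the default
    'self-hosted' label is recognised; runners with custom labels only need a manual look."""
    if not workflow_triggers(workflow) & FORK_REACHABLE_TRIGGERS:
        return []
    return [name for name, job in workflow.get("jobs", {}).items()
            if "self-hosted" in job_labels(job)]


# Constructed sample shaped like yaml.safe_load() output for a workflow file.
SAMPLE_WORKFLOW = {
    True: {"pull_request": {"branches": ["main"]}, "push": None},
    "jobs": {
        "lint": {"runs-on": "ubuntu-latest"},
        "build": {"runs-on": ["self-hosted", "linux", "x64"]},
        "deploy": {"runs-on": {"group": "prod", "labels": ["Self-Hosted"]}},
    },
}

if __name__ == "__main__":
    for job in find_exposed_jobs(SAMPLE_WORKFLOW):
        print(f"job '{job}' runs on a self-hosted runner reachable from fork PRs")
```

Run it over every file under .github/workflows to get the list of jobs that the approval setting above is protecting.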

FBot: A Lurking Threat in the Cloud

FBot is a recently discovered Python-based hacking tool designed to target web servers, cloud services, and popular Software-as-a-Service (SaaS) platforms such as Amazon Web Services (AWS), Microsoft Office 365, PayPal, and Twilio. FBot's arsenal is stocked with malicious capabilities, such as harvesting credentials for spamming attacks, hijacking cloud accounts like AWS, and exploiting vulnerabilities in SaaS platforms like PayPal and SendGrid. This versatility makes it a potent tool for cybercriminals seeking to steal sensitive data, disrupt services, and commit financial fraud.

If you are asking "how can I protect myself from FBot?", here are some key steps that will help reduce risk:

  • Enable multi-factor authentication (MFA): FBot can and does steal credentials. Using MFA adds an extra layer of protection by requiring a secondary verification code, making it much harder for stolen credentials alone to grant access. Every defense has a weakness, so don't think of MFA as a panacea; think of it as raising the bar for the attackers.
  • Regularly assess your access posture: Regularly review cloud account permissions and revoke unused access to shrink what FBot can reach if it steals logins. If FBot compromises an account, limited permissions act like a lockdown, preventing it from reaching sensitive data or spreading further. Regular reviews can also reveal unusual access patterns, potentially catching FBot before it wreaks havoc.
  • Stay informed: FBot exploits unpatched vulnerabilities, so regularly updating your software and applications with the latest security patches closes the holes FBot might try to exploit and reduces the risk. Beyond patching, try to stay informed about the latest variants and capabilities of FBot so you can adapt your defensive strategies accordingly.

By following these precautions and staying vigilant, you can significantly reduce your risk of falling victim to FBot and other malicious cloud hacking tools. Remember, cybercrime evolves constantly, so staying informed and taking proactive measures is crucial to protecting your digital assets and security.


Stealthy Attack Against Apache Hadoop

Aqua Security discovered a threat actor exploiting a misconfiguration of the ResourceManager used in Apache Hadoop. Successful exploitation allows remote, unauthenticated attackers to execute arbitrary system commands via simple HTTP requests. This can lead to code execution with the privileges of the system user running the affected node, and any Internet-exposed instance should probably assume breach at this point.

The threat was initially identified by noticing unusual patterns of resource usage on a honeypot system, which led to a deeper investigation into the nature of the payloads involved. The attackers' payload follows a fairly typical pattern: well-known system commands download a first-stage executable to /tmp and execute it, and that binary then downloads additional payloads, one of the final ones being a Monero crypto miner. As a reminder, Monero is a favorite cryptocurrency for malicious actors because it has multiple privacy-preserving properties. In other words, it's hard to follow the money. To maintain persistent access, the attackers also write to the system crontab so that, if their access is interrupted, the crontab entry will download and re-install the rootkit. If you ever see suspicious "curl" commands in a crontab, take note and investigate. In my experience, it's almost never a good sign.

That's it for this week, thanks for reading. I hope you enjoyed the content.

Updated Jan 18, 2024
Version 2.0
