Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitLab. Show all posts
Ransomware
Data Breach DevSecOps GitHub GitLab Ransomware

DevSecOps Teams Face Regular Outages, Cyberattacks, and Data Breaches



The past year has seen a sharp rise in cyber attacks targeting popular DevOps platforms like GitHub, Bitbucket, GitLab, and Jira. These platforms, which are crucial for developers and IT operations teams, have faced growing threats that disrupt their services and put users at risk. The importance of securing the software development process at every stage cannot be emphasised enough. 

What is DevSecOps?

In response to the increasing complexity of cyber threats, many organisations are adopting a practice known as DevSecOps. This approach involves integrating security measures directly into the development process, rather than treating them as an afterthought. By doing so, security becomes a fundamental part of the software development lifecycle, ensuring that potential vulnerabilities are addressed early on. However, this shift also comes with challenges, as teams must be agile and proactive in adapting to new threats.

Cyber Incidents in 2023

In 2023, there was a noticeable increase in incidents that negatively affected the operation of DevOps services. GitHub, the largest of these platforms, experienced 13.94% of the reported incidents, while Bitbucket accounted for 8.33%, GitLab for 7.89%, and Jira for 4%. Most of these issues involved problems with key components that led to degraded performance and service disruptions.

One of the most alarming threats to GitHub in 2023 was the rise of a hacking method called "RepoJacking." This type of attack exposed millions of repositories to potential risks. Research indicated that as many as 9 million repositories on GitHub could be vulnerable to this kind of attack. Moreover, it was discovered that over 4,000 software packages were at risk, along with more than 15,000 Go module repositories.

Hackers also used GitHub as a platform to host malicious software. By taking advantage of GitHub's public services, attackers could create a cost-effective and reliable infrastructure for their activities, making it difficult for users to detect and respond to these threats. This method allowed hackers to retrieve malicious commands through seemingly legitimate interactions on GitHub, posing a significant risk to users' data.

Challenges Faced by Bitbucket, Jira, and GitLab

While Bitbucket saw a slight decrease in incidents in 2023, the difference was minimal, with only a 2.04% reduction compared to the previous year. Unfortunately, Jira experienced a 50% increase in incidents, with 75 recorded events, meaning users encountered an incident roughly every five days. Many of these issues were severe, involving vulnerabilities that could have serious consequences for users.

GitLab also faced challenges, with 32% of reported incidents impacting the platform's performance. This hindered users' ability to fully utilise the service. June and August were particularly problematic months for GitLab, with several events that disrupted services. In one instance, a sophisticated attack exploited a critical vulnerability (CVE-2021-22205), which could have led to ransomware attacks and data theft. GitLab's response highlighted the need for organisations to be prepared with robust security and disaster recovery plans.

The Importance of DevOps Security

One of the biggest challenges in DevOps security is ensuring that development and security teams work together effectively. Developers often focus on quickly pushing new software updates, while security teams prioritise finding and fixing vulnerabilities. Without a well-integrated security approach throughout the development process, organisations are at greater risk of cyberattacks, data breaches, and operational disruptions.

The increasing number of incidents affecting platforms like GitHub, GitLab, Bitbucket, and Jira serves as a wake-up call for organisations to strengthen their security practices. By embedding security into every stage of the development process and fostering collaboration among all teams, organisations can better protect their systems and data from cyber threats.

It’s crucial for organisations to prioritise security at every stage of software development. The challenges faced by major DevOps platforms in 2023 highlight the need for vigilance, collaboration, and proactive security measures to safeguard our digital infrastructure. By adopting a DevSecOps approach and integrating security from the start, organisations can better brace themselves.


 

Read more »
Vulnerabilities and Exploits
Data Leak GitLab Malicous Code Software Vulnerabilities and Exploits

Pipeline Hijacking: GitLab’s Security Wake-Up Call

Pipeline Hijacking: GitLab’s Security Wake-Up Call

A major vulnerability exists in some versions of GitLab Community and Enterprise Edition products, which might be exploited to run pipelines as any user.

GitLab is a prominent web-based open-source software project management and task tracking tool. There are an estimated one million active license users.

Understanding the Critical GitLab Vulnerability: CVE-2024-5655

The security problem resolved in the most recent update is identified as CVE-2024-5655 and has a severity level of 9.6 out of 10. Under some conditions, which the vendor did not specify, an attacker might exploit it to execute a pipeline as another user.

GitLab pipelines are a component of the Continuous Integration/Continuous Deployment (CI/CD) system that allows users to build, test, and deploy code changes by running processes and tasks automatically, either in parallel or sequentially.

The vulnerability affects all GitLab CE/EE versions, including 15.8 through 16.11.4, 17.0.0 to 17.0.2, and 17.1.0 to 17.1.0.

GitLab has resolved the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and users are encouraged to install the patches as soon as possible.

What Is CVE-2024-5655?

The vulnerability allows an attacker to trigger a pipeline as any user within the GitLab environment. In other words, an unauthorized individual can execute code within a project’s pipeline, even if they don’t have the necessary permissions. This could lead to several serious consequences:

Unauthorized Access to Sensitive Code: An attacker gains access to private repositories and sensitive code by exploiting this vulnerability. This compromises the confidentiality of intellectual property, proprietary algorithms, and other valuable assets stored in GitLab.

Data Leakage: The ability to run pipelines as any user means that an attacker can potentially leak data, including credentials, API keys, and configuration files. This information leakage could have severe implications for an organization’s security posture.

Malicious Code Execution: An attacker could inject malicious code into pipelines, leading to unintended actions. For instance, they might introduce backdoors, modify code, or execute arbitrary commands.

Affected Versions

The vulnerability impacts specific versions of GitLab:

  • GitLab versions starting from 15.8 prior to 16.11.5
  • GitLab versions starting from 17.0 prior to 17.0.3
  • GitLab versions starting from 17.1 prior to 17.1.1

Gitlab’s response 

GitLab promptly addressed this issue by releasing updates that fix the vulnerability:

Upgrade GitLab: Update your GitLab installation to a patched version. GitLab has provided patches for the affected releases, so ensure you apply them promptly.

Review Permissions: Audit user permissions within your GitLab projects. Limit pipeline execution rights to authorized users only.

Monitor Pipelines: Keep an eye on pipeline activity. Unusual or unexpected pipeline runs should be investigated promptly.

Read more »
Vietnam
Cyberattacks GitLab Info Stealer malware MrTonyScam Phishing Attack Python-based Malware Vietnam

MrTonyScam: Python-based Stealers Deployed via Facebook Messenger


A new phishing attack has recently been witnessed in Facebook Messenger where messages are being transferred with malwares attached to them, hailing from a "swarm of fake and hijacked personal accounts" and their aim is accessing targets’ business accounts. 

The attack, referred to as ‘MrTonyScam,’ executes its attacks by sending messages to their targets compelling them to click on their RAR and ZIP archive attachments, and launching a dropper that downloads the subsequent stage from a GitHub or GitLab repository.

Oleg Zaytsev, Guardio Labs researcher states in an analysis published over the weekend, "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods."

This payload is another archive file with a CMD file inside of it. The CMD file then contains an obfuscated Python-based stealer that exfiltrates all cookies and login information from various web browsers to a Telegram or Discord API endpoint that is under the control of an actor.

A significantly interesting tactic used by the threat actors is how they delete all cookies once they have stolen them in order to block their victims from their own accounts. They further hack the victim’s session with the help of the stolen cookies, changing passwords and thus acquiring complete control. 

Also, there have been speculations that the threat actors are based in Vietnam, considering the presence of Vietnamese language references in the source code of the Python stealer. For instance, there has been the inclusion of ‘Cốc Cốc,’ which is a Chromium-based browser used popularly in Vietnam. 

Guardio Labs discovered that the campaign has experienced a high success rate, with 1 out of 250 victims being estimated to have been infected over the last 30 days alone, despite the fact that the infection needs user input to download a file, unzip it, and execute the attachment.

Among other countries, the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam have reported the majority of the compromises.

"Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets[…]Those are used to reach a broad audience to spread advertisements as well as more scams," Zaytsev noted.

The aforementioned reveal came in days after WithSecure and Zscaler ThreatLabz reported the newly launched Ducktail and Duckport campaigns that targeted Meta Business and Facebook accounts using ‘malverposting’ tactics.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.  

Read more »
Technology News
Cyber Security GitLab Software Supply Chain supply chain security Technology News

GitLab: Security and Governance Solutions Enhanced to Secure Software Supply Chain

 

GitLab has confirmed new security and compliance features and a number of enhancements in its platform to aid organizations to secure their software supply chain. 

A Global DevSecOps Survey by GitLab in 2022 found that security was amongst the highest priority investment areas for an organization, with 57% of security experts’ surveys indicating that their organizations have already shifted security left or plan to this year. 

GitLab has increased its focus on governance to help teams identify risks by offering visibility into their projects' dependencies, security findings, and user activities with increasing regulatory and compliance needs for the organization. 

The new enhancements on the other hand provide developers with tools that could scan any vulnerability and deploy controls in order to secure applications. Additionally, the developers have access to secure coding guidance involved in the GitLab platform. 

The new capabilities include security policy management, compliance management, events auditing, and vulnerability management. A dependency management capability to help developers track vulnerabilities in dependencies they are using will be available at a later date. Organizations will be able to automatically scan for vulnerabilities in source code, containers, dependencies, and applications in production, says Gitlab. 

These capabilities, along with a broad range of security testing capabilities such as static application security testing (SAST), secret detection, dynamic application security testing (DAST), API security, fuzz testing, dependency scanning, license compliance, and container scanning, aids the organization to acquire security and compliance of their software supply chain constantly, without giving in on speed and agility. 

In regards to the recent enhancement in the security and compliance features, VP of Product at GitLab David DeSanto says, “To stay competitive and propel digital transformation, organizations need to be great at developing, operating, and securing software. Security needs to be embedded in all stages of the software development lifecycle, not treated as an afterthought.” 

“Our enhanced security and governance capabilities make GitLab a comprehensive DevSecOps solution to help secure an organization’s software supply chain”, he continued.
Read more »
Vulnerabilities and Exploits
Bug Bounty CSRF vulnerability DDOS Attacks GitLab Vulnerabilities and Exploits

GitLab Fixes Several Vulnerabilities Reported by Bug Bounty

 

With an update to its software development infrastructure, Gitlab has addressed numerous vulnerabilities — including two high-impact online security flaws. 

GitLab is a web-based DevOps life cycle platform providing an open-source license from GitLab Inc. to offer wiki, problem-tracking, and continuous pipeline integration and deployment capabilities. Ukrainian programmers Dmytro Zaporozhets and Valery Sizov have designed the program.

In GitLab's GraphQL API, a cross-site request forgery (CSRF) has developed a mechanism for an attacker to call modifications while they are impersonating as their victims. 

Cross-Site Request Forgery (CSRF) is an attack that causes an end-user in a web application to perform undesirable activities wherein he or she is presently authenticated. Users of a web application may be lured towards carrying out activities of an attacker using some social engineering support (such as delivering a link by email or chat). If the target is a regular user, a successful CSRF attack can force the user to make modifications such as money transfers, email addresses, etc. CSRF can compromise the whole web application when the victim is an administration account. 

The Gitlab Webhook feature could be exploited for denial- of service (DoS) attacks because of a second high-level security vulnerability. 

An attack by a Denial-of-Service (DoS) is designed to shut down a user computer system or network, which makes it unreachable to its intended users. DoS attacks achieve this by flooding or delivering information to the target causing a crash.

'Afewgoats' researchers have identified DoS vulnerability and reported it through a HackerOne-operated GitLab bug reward program. 

For both higher intensity vulnerabilities, CVE trackers were requested, although identification is not yet assigned. The Daily Swig was told by Ethical hackers that they had been working on a strategy for attacking webhook services. 

"The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. "It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." 

"So far it's been successful against PHP, Ruby, and Java targets," they added. 

Through updating installations to a new version of GitLab, CRSF and DoS issues and a range of minor errors can be rectified. 

As a security advisory from GitLab, the platform upgrade addresses 15 medium severity and two low-impact issues. These add-on vulnerabilities also include a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and the audit log problem of the stored XSS.
Read more »
spammers
Cyber Attacks GitLab PyPI shady websites spammers

PyPI and GitLab Witness Spam Attacks

 

The GitLab, a source code hosting website, and the Python Package Index (PyPI) portal both are flooded with advertisements for shady websites and assorted services by the spammers. However, both the attacks have no links to each other. 

The PyPI attack in which it is flooded with more than 10,000 listings is the biggest of the two attacks. The Python Package Index (PyPI) is a Python programming language software repository. PyPI allows the user to search and install Python community applications. To deliver their applications, package developers use PyPI. It also hosts tens of thousands of Python libraries. The fact that anybody can create entries in PyPI's website for Python Libraries, which were essentially used as massive SEO advertising for various shady pages, lately has been misused by the spammers. 

These pages typically featured a broth of search-engine-friendly keywords for different topics that varied from games to pornography and films to presents, and a compressed link at the bottom, mostly pointing to a platform attempting to receive data from the payments card. Though the PyPI team has accepted and affirmed that they are aware of the SEO spam flood. "Our admins are working to address the spam," stated Ewa Jodlowska, Executive Director of the Python Software Foundation. She further added, "By the nature of pypi.org, anyone can publish to it, so it is relatively common." 

Although the PyPI spam attack seems to have been going on for at least a month, another new attack has been found at GitLab, a website that allows developers and companies to host and sync the work on source code repositories. A danger that is still unidentified seems to spam the Issues Tracker for thousands of GitLab ventures that each prompted an e-mail to account owners with spam contents. Similar to PyPI spam, these comments have diverted users to shady websites. 

Certainly, GitLab was not prepared for any such attack since the e-mail infrastructure had slackened, interrupted, and queued legit e-mails according to an incident status report published by the company. They said, “We confirmed that mail latency was caused by a user’s spam attack. Mitigation is in progress, as we drain the offending job processing queues.” 

Spamming source code repository seems to be a new strategy for spamming communities, who have generically targeted their comments of shady links on websites, forums, and news portals in recent years. Although spam isn't an attractive attack vector, many businesses frequently struggle to protect servers, web applications and subdomains and often end up exploiting these services to host or actually participate in spam attacks.
Read more »
Subscribe to: Posts (Atom)