The presentation discusses the vulnerabilities, attacks, and countermeasures related to GitHub Actions, a continuous integration tool used in DevOps methodology.
- GitHub Actions automate tasks in the software development life cycle
- The presentation demonstrates the risks of using Runners, the servers provided by GitHub to run Actions
- Attackers can leverage Runners to mine cryptocurrencies, pivot into other targets, and distribute backdoors into different repositories
- The problem of third-party dependencies via the GitHub Actions Marketplace is highlighted
- Creating a fake GitHub Action can make runners act as bots to target other victims and be used in supply-chain attacks
The presenter shares a fun fact that the population of the whole country of Ireland is less than the city of Rio De Janeiro, illustrating the difference in scale between the two regions.
More organizations are applying a DevOps methodology to optimize software development. One of the main tools used in this process is a continuous integration (CI) tool that automates the integration of code changes from multiple developers working on the same project. In 2019, GitHub released its own CI tool called GitHub Actions. According to GitHub, GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. This talk demonstrates how GitHub Actions work and shows security measures to protect your Actions from misuse by attackers. First, we'll do a deep dive into the Runners, the servers provided by GitHub to run your Actions, and the risks of using them. Then, we'll show how attackers can leverage these runners to mine cryptocurrencies, pivot into other targets, and more. Lastly, we'll demonstrate how backdoors can be maliciously distributed into different repositories via the GitHub Actions Marketplace. This presentation results from detailed research published earlier this year on the topic, in which the author investigated abuse scenarios such as how attackers were leveraging this free service to mine cryptocurrencies on their own behalf and on behalf of other users, among other attack vectors. We'll also demonstrate how to run interactive commands on the Runner servers via a reverse shell, which is not possible through the means GitHub officially provides. Ultimately, we'll show the problem of third-party dependencies via the GitHub Actions Marketplace by demonstrating how easy it is to create a fake GitHub Action that, if used unwittingly by other projects, can make their runners act as bots to target other victims and even be used in supply-chain attacks by tampering with the result of the pipeline.
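The third-party dependency problem above is, on the defending side, largely a question of which Marketplace actions a workflow pulls in and how they are referenced. The following checker is an added example, not code from the talk or from GitHub: it scans a workflow file for `uses:` references to repositories outside a trusted set of owners that are not pinned to a full 40-character commit SHA (the hardening GitHub's own documentation recommends, since a tag or branch can be moved to point at new code), and flags a `permissions: write-all` grant. The workflow text, the owner names and the SHA are constructed sample data.

```python
import re

# Constructed sample workflow (not from the talk): one third-party action is
# pinned to a full commit SHA, another floats on a branch name.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/release-helper@main
      - uses: example-org/lint@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Captures the reference after `uses:`; tolerates optional quotes and comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text, trusted_owners=("actions",)):
    """Return `uses:` references that point at a mutable ref (tag or branch)
    of a repository whose owner is not in trusted_owners."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        # Local composite actions and container images are out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo, _, version = ref.partition("@")
        owner = repo.split("/")[0]
        if owner in trusted_owners:
            continue
        # A full-length commit SHA is immutable; anything else can be retargeted.
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_broad_permissions(workflow_text):
    """True when the workflow grants write-all to its GITHUB_TOKEN."""
    pattern = r"^\s*permissions:\s*write-all\s*$"
    return re.search(pattern, workflow_text, re.MULTILINE) is not None


if __name__ == "__main__":
    print("unpinned:", find_unpinned_actions(SAMPLE_WORKFLOW))
    print("write-all permissions:", has_broad_permissions(SAMPLE_WORKFLOW))
```

Passing an empty `trusted_owners` tuple also reports first-party actions on tags, which is useful when a policy requires SHA pinning for everything.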