Executive Summary

The recent compromise of the "tj-actions/changed-files-action" within GitHub Actions is a significant cybersecurity incident that has impacted over 23,000 repositories globally. This report examines the technical intricacies of the attack, the potential exploitation in real-world scenarios, and offers detailed instructions on mitigation strategies. Notably, the attack exploited weaknesses in the software supply chain, allowing unauthorized access and modification of the action's code, posing a considerable risk to the confidentiality and integrity of CI/CD environments.

Technical Information

The technical compromise involved an attacker gaining write access to the "tj-actions/changed-files-action" repository. This was achieved by spoofing a commit from the legitimate Renovate bot, thereby inserting malicious code. This code was subsequently linked to multiple version tags, directing them to the malicious commit, which was an orphan commit, not part of the main branch. The manipulation of the version tags enabled the attacker to potentially exfiltrate sensitive data from workflows employing this action. A critical oversight in user practices, such as neglecting to enforce signed commits or verify commit origins, facilitated the attack. The anomaly was detected by StepSecurity's Harden-Runner, which identified suspicious outbound network requests directed at gist.githubusercontent.com. These technical details highlight the vulnerability of the supply chain and the necessity for stringent security measures in managing GitHub Actions.

Exploitation in the Wild

The exploitation of this vulnerability in the wild primarily involved the execution of arbitrary commands via the compromised action, leading to the potential leakage of CI/CD secrets. This exploitation was particularly prevalent in repositories with automerging enabled or those running the action as part of pull request builds. Indicators of Compromise (IOCs) include anomalous network traffic to gist.githubusercontent.com, the presence of spoofed Renovate commits in repository history, and retroactively updated version tags pointing to the malicious commit.

APT Groups using this vulnerability

As of the current analysis, there is no specific attribution of this vulnerability to particular Advanced Persistent Threat (APT) groups. However, given the widespread nature of the attack, it is imperative to remain vigilant against potential exploitation by various threat actors.

Affected Product Versions

The compromise affected nearly all tagged versions of the "tj-actions/changed-files" action. Notably, the malicious commit identified is 0e58ed8671d6b60d0890c21b07f8835ace038e67. Users of this action are strongly advised to review their implementation and take necessary corrective actions.

Workaround and Mitigation

To mitigate the risks associated with this vulnerability, several strategies are recommended. First, always pin GitHub Actions to specific commit hashes rather than using tags or branches to prevent unauthorized code alterations. Second, conduct regular audits of third-party actions and dependencies to detect any unauthorized changes or suspicious activity. Third, employ security tools such as StepSecurity Harden-Runner to monitor network activity and identify anomalies in CI/CD workflows. Finally, limit write access to sensitive repositories and enforce signed commits to enhance overall security.

References

For further information and insights, readers are encouraged to review the following sources: Hacker News Discussion on Compromise, StepSecurity Blog on Harden-Runner Detection, and Upwind Security Feed on Compromise.

Rescana is here for you

At Rescana, we are dedicated to helping our clients navigate the complexities of cybersecurity risk management. Our Third Party Risk Management (TPRM) platform is designed to provide comprehensive visibility into your supply chain, ensuring you are equipped to address vulnerabilities and safeguard your operations. Should you have any questions or require further assistance regarding this report or any other cybersecurity concern, please do not hesitate to contact us at ops@rescana.com.