GitHub Action Secrets aren’t secret anymore: exposed PATs now a d…

Many enterprises use GitHub Action Secrets to store and protect sensitive information such as credentials, API keys, and tokens used in CI/CD workflows. These private repositories are widely assumed to be safe and locked down.

But attackers are now exploiting that blind trust, according to new research from the Wiz Customer Incident Response Team. They found that threat actors are using exposed GitHub Personal Access Tokens (PATs) to access GitHub Action Secrets and sneak into cloud environments, then run amok.

GitHub Action Secrets aren’t secrets anymore

Wiz estimates that 73% of organizations using GitHub Action Secrets in private repositories store cloud service provider (CSP) credentials in them. When PATs, which allow developers and automation bots to interact with GitHub repositories and workflows, are exploited, attackers can easily move laterally to CSP control planes.

PATs can become a “powerful springboard” that allows attackers to impersonate developers and carry out a range of activities, explained Erik Avakian, technical counselor at Info-Tech Research Group. It’s like having a backstage pass into a company’s cloud environments, he said.

“Once they’re holding that valid PAT, they can do all sorts of things in GitHub that lead directly back into a company’s AWS, Azure, GCP, or other types of cloud services, because GitHub treats that PAT like the real developer,” he said.

With that access, threat actors can “poke around” various repositories and workflows and look for anything that hints at cloud access, configuration items, scripts, and hidden secrets, he noted. If they get access to real cloud credentials, they “have the keys to the company’s AWS bucket, Azure subscriptions, and other workflows.”

Easily evading detection

Wiz found that a threat actor with basic read permissions via a PAT can use GitHub’s API code search to discover the names of secrets referenced directly in a workflow’s YAML, where they appear as “${{ secrets.SECRET_NAME }}”.

The danger is that this secret discovery method is difficult to monitor because search API calls are not logged. Further, GitHub-hosted Actions run from GitHub-managed resources that use legitimate, shared IP addresses not flagged as malicious. Attackers can abuse secrets, impersonate workflow origins to exploit trust, and potentially access other resources if code is misconfigured or reused elsewhere in the workflows.

How enterprise leaders can respond

To protect themselves against these threats, enterprises should treat PATs as they would any other privileged credential, Avakian noted. Cloud infrastructure and cloud development environments should be properly locked down, essentially “zero trustifying” them through microsegmentation and privileged user management to contain them and prevent lateral pivoting.

“Like any other credentials, tokens are best secured when they have reasonable expiration dates,” said Avakian. “Making tokens expire, rotating them, and using short-lived credentials will help thwart these types of risks.”

Apply least privilege everywhere and give accounts only the rights they need, rather than an ‘admin everything’ approach, Avakian advised. More importantly, move cloud secrets out of GitHub workflows and ensure that the proper amount of monitoring and log review processes are in place to flag surprise or unexpected workflow or cloud creation events.
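Because the search-API discovery Wiz describes leaves no log trail, the defender’s inventory has to come from the repository side. The following added example (not from Wiz or this article) scans workflow YAML for the same “${{ secrets.NAME }}” references, and flags names that look like long-lived CSP credentials as candidates for moving out of GitHub workflows. The CSP_HINTS name fragments and the sample workflows are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# The reference pattern the article describes attackers searching for in workflow YAML.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Name fragments suggesting a long-lived cloud-provider (CSP) credential (assumed; tune to your naming).
CSP_HINTS = ("AWS_", "AZURE_", "ARM_", "GCP_", "GOOGLE_", "SERVICE_ACCOUNT")

def find_secret_refs(workflow_yaml: str) -> dict:
    """Return {secret_name: [line numbers]} for every ${{ secrets.NAME }} reference."""
    refs = defaultdict(list)
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        for match in SECRET_REF.finditer(line):
            refs[match.group(1)].append(lineno)
    return dict(refs)

def looks_like_csp_credential(name: str) -> bool:
    return any(hint in name.upper() for hint in CSP_HINTS)

def audit_workflows(workflows: dict) -> list:
    """Inventory secret refs per workflow; GITHUB_TOKEN (minted per run, repo-scoped) is skipped."""
    findings = []
    for path, text in workflows.items():
        for name, lines in sorted(find_secret_refs(text).items()):
            if name == "GITHUB_TOKEN":
                continue
            findings.append({"workflow": path, "secret": name, "lines": lines,
                             "csp_credential": looks_like_csp_credential(name)})
    return findings

# Constructed sample workflows for this example (not from any real repository).
SAMPLE_WORKFLOWS = {
    ".github/workflows/deploy.yml": (
        "jobs:\n  deploy:\n    steps:\n"
        "      - run: aws s3 sync ./dist s3://example-bucket\n        env:\n"
        "          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}\n"
        "          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n"
    ),
    ".github/workflows/ci.yml": (
        "jobs:\n  test:\n    steps:\n      - uses: actions/checkout@v4\n"
        "        with:\n          token: ${{ secrets.GITHUB_TOKEN }}\n"
        "      - run: ./notify.sh\n        env:\n"
        "          SLACK_WEBHOOK: ${{secrets.SLACK_WEBHOOK}}\n"
    ),
}

if __name__ == "__main__":
    for f in audit_workflows(SAMPLE_WORKFLOWS):
        print(f"{f['workflow']} lines {f['lines']}: {f['secret']} csp={f['csp_credential']}")
```

Running the audit over every workflow file in the organization gives the list of CSP-looking secrets to replace with short-lived, identity-federated credentials, and a baseline against which new secret references can be reviewed.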

Beauceron’s Shipley agreed, saying that enterprises need a multi-pronged strategy, good monitoring, incident response plans, and developer training processes that are reinforced with “meaningful consequences” for non-compliance. Developers must be motivated to follow secure coding best practices; building a strong security culture in developer teams is huge. “You can’t buy a blinky box for that part of the problem,” he said.
