AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs

Apr 16, 2024 | Newsroom | Cloud Security / DevSecOps

Credentials in Build Logs

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations.

The vulnerability has been codenamed LeakyCLI by cloud security firm Orca.

“Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions,” security researcher Roi Nisimi said in a report shared with The Hacker News.

Microsoft has since addressed the issue as part of security updates released in November 2023, assigning it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).


The idea, in a nutshell, has to do with how the CLI commands could be used to show (pre-)defined environment variables and output them to Continuous Integration and Continuous Deployment (CI/CD) logs. A list of such commands spanning AWS and Google Cloud is below:

  • aws lambda get-function-configuration
  • aws lambda get-function
  • aws lambda update-function-configuration
  • aws lambda update-function-code
  • aws lambda publish-version
  • gcloud functions deploy <func> --set-env-vars
  • gcloud functions deploy <func> --update-env-vars
  • gcloud functions deploy <func> --remove-env-vars

Orca said it found several projects on GitHub that inadvertently leaked access tokens and other sensitive data via GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.
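As an added example (not code from the article or from Orca), the following scans a build log for the JSON that AWS Lambda commands print and masks every value under `Environment.Variables` before the log is stored or published. The sample log, its secret value, and the function names `find_env_blocks` and `redact_log` are constructed for illustration.

```python
import json

# Constructed sample CI log: a deploy step followed by the JSON that
# `aws lambda update-function-configuration` prints by default.
SAMPLE_LOG = """\
2024-04-16T10:00:01Z Run aws lambda update-function-configuration --function-name demo
{
    "FunctionName": "demo",
    "Environment": {
        "Variables": {
            "DB_PASSWORD": "constructed-not-a-real-secret",
            "LOG_LEVEL": "info"
        }
    }
}
2024-04-16T10:00:02Z Deploy finished {not json}
"""

_DECODER = json.JSONDecoder()

def find_env_blocks(log_text):
    """Yield (start, end, variables) for each JSON object in the log
    that carries a Lambda-style Environment.Variables mapping."""
    pos = 0
    while (pos := log_text.find("{", pos)) != -1:
        try:
            obj, end = _DECODER.raw_decode(log_text, pos)
        except json.JSONDecodeError:
            pos += 1          # a brace that is not JSON; keep scanning
            continue
        env = obj.get("Environment") if isinstance(obj, dict) else None
        variables = env.get("Variables") if isinstance(env, dict) else None
        if isinstance(variables, dict) and variables:
            yield pos, end, variables
        pos = end             # skip past the object just parsed

def redact_log(log_text):
    """Return (redacted_text, leaked_names): every value under
    Environment.Variables is masked, variable names are reported."""
    out, last, leaked = [], 0, []
    for start, end, variables in find_env_blocks(log_text):
        obj = json.loads(log_text[start:end])
        obj["Environment"]["Variables"] = {k: "***" for k in variables}
        leaked.extend(variables)
        out += [log_text[last:start], json.dumps(obj, indent=4)]
        last = end
    out.append(log_text[last:])
    return "".join(out), sorted(leaked)
```

Any variable name reported here had its value written to the log in clear text, so the corresponding secret should be rotated, not only masked.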


Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.


Google also recommends the use of the “--no-user-output-enabled” option to suppress the printing of command output to standard output and standard error in the terminal.

“If bad actors get their hands on these environment variables, this could potentially lead to view sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Nisimi said.

“CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.”

Learn How to Build an Incident Response Playbook Against Scattered Spider in Real-Time

Feb 20, 2024 | The Hacker News | Webinar / Incident Response

Learn How to Build an Incident Response Playbook

In the tumultuous landscape of cybersecurity, the year 2023 left an indelible mark with the brazen exploits of the Scattered Spider threat group. Their attacks targeted the nerve centers of major financial and insurance institutions, culminating in what stands as one of the most impactful ransomware assaults in recent memory.

When organizations have no response plan in place for such an attack, it can become overwhelming attempting to prioritize the next steps that will have a compounding impact on the threat actor’s ability to retain access to and control over a compromised network.

Silverfort’s threat research team interacted closely with the identity threats used by Scattered Spider and, in fact, built a response playbook in real time to respond to an active Scattered Spider attack. This webinar will dissect the real-life scenario in which they were called upon to build and execute a response plan while attackers were moving inside an organization’s hybrid environment.

Hear directly from the Silverfort team about the challenges they faced, including how to rapidly and efficiently (and in as automated a manner as possible) meet the following response goals:

  • Put ‘roadblocks’ immediately in place to protect against additional lateral movement from that point forward
  • Pinpoint user accounts that were compromised, with a special emphasis on service accounts (a favored Scattered Spider target)
  • Eradicate potential malicious presence from the org’s identity infrastructure (again, a favored and publicly documented Scattered Spider technique)

Additionally, you’ll gain insights into the steps taken in response, focusing on three dimensions of lateral movement:

  • User Accounts – We’ll look at the needed policies and monitoring for service accounts, admin users, and domain users
  • Identity Infrastructure – We’ll discuss limiting user access, disabling insecure authentication protocols, and further hardening authentication requirements
  • Other Domain-Joined Machines – We’ll look at limiting inter-machine communication for users’ workstations and temporarily blocking insecure authentication protocols

See you there!

This article is a contributed piece from one of our valued partners.