{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/github-actions-runner/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub Actions Runner"],"_cs_severities":["medium"],"_cs_tags":["github-actions","supply-chain","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on the malicious registration of GitHub Actions self-hosted runners. The attack involves adversaries registering a machine as a runner to a remote GitHub repository. Once registered, the attacker gains the ability to execute arbitrary workflow commands on the host. This can lead to supply chain compromise, remote code execution, and potentially lateral movement within a network. The rule detects the execution of \u003ccode\u003eRunner.Listener\u003c/code\u003e or \u003ccode\u003eRunner.Listener.exe\u003c/code\u003e with the \u003ccode\u003econfigure\u003c/code\u003e, \u003ccode\u003e--url\u003c/code\u003e, and \u003ccode\u003e--token\u003c/code\u003e arguments, which are indicative of runner registration. This activity is particularly concerning as it provides a persistent remote access mechanism that bypasses traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system via various methods (e.g., compromised credentials, phishing, exploiting vulnerabilities).\u003c/li\u003e\n\u003cli\u003eAttacker downloads the GitHub Actions Runner software to the compromised host.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003eRunner.Listener\u003c/code\u003e or \u003ccode\u003eRunner.Listener.exe\u003c/code\u003e with the \u003ccode\u003econfigure\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the \u003ccode\u003e--url\u003c/code\u003e argument, pointing to a malicious or attacker-controlled GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the \u003ccode\u003e--token\u003c/code\u003e argument, authenticating the runner against the malicious repository.\u003c/li\u003e\n\u003cli\u003eThe compromised system registers as a self-hosted runner within the attacker's GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies workflows in the GitHub repository to execute arbitrary commands on the registered runner.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the malicious workflow, leading to command execution on the compromised host, potentially enabling data exfiltration, lateral movement, or the deployment of malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the registered runner machine. This can lead to data exfiltration, installation of malware, or use of the compromised system as a pivot point for further lateral movement within the network. The compromise can also lead to supply chain attacks if the runner has access to sensitive build processes or deployment pipelines. The scope of impact depends on the privileges of the account running the GitHub Actions Runner and the resources accessible from that host.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Remote GitHub Actions Runner Registration\u0026quot; to detect the execution of \u003ccode\u003eRunner.Listener\u003c/code\u003e with suspicious arguments (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule \u0026quot;Remote GitHub Actions Runner Registration\u0026quot;, focusing on the associated network and file activities.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of binaries like \u003ccode\u003eRunner.Listener\u003c/code\u003e and \u003ccode\u003eRunner.Listener.exe\u003c/code\u003e (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eReview GitHub repository details for any suspicious workflows or run commands, particularly in the \u003ccode\u003e.github/workflows\u003c/code\u003e folder (reference: \u003ca href=\"https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise\"\u003ehttps://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-registration/","summary":"The configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary can indicate malicious activity aimed at establishing remote code execution via malicious GitHub workflows.","title":"Detection of Unauthorized GitHub Actions Runner Registration","url":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-registration/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub Actions Runner"],"_cs_severities":["medium"],"_cs_tags":["github-actions","supply-chain","execution"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eAttackers can exploit self-hosted GitHub Actions runners by gaining the ability to modify or trigger workflows in a linked GitHub repository. This allows the execution of arbitrary commands on the runner host, potentially leading to malicious or unexpected workflow activity. This includes unauthorized code execution, file manipulation, and network exfiltration, all initiated through a compromised repository. The attacks observed leverage a variety of scripting languages and tools, including curl, wget, PowerShell, and others, to achieve their objectives, which necessitates comprehensive monitoring across different platforms. The incident observed aligns with supply chain compromise attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control of a GitHub repository linked to a self-hosted Actions runner, potentially through compromised credentials or a vulnerable dependency.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies a workflow file (.yml) in the repository to include malicious commands, such as downloading and executing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe compromised workflow is triggered, either manually or by a scheduled event, causing the GitHub Actions Runner to execute the attacker's malicious code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRunner.Worker\u003c/code\u003e process spawns a command interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e) to execute the attacker-controlled commands embedded in the workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes tools like \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download additional payloads or scripts from external sources to the runner machine.\u003c/li\u003e\n\u003cli\u003eUsing \u003ccode\u003ecertutil.exe\u003c/code\u003e the attacker downloads and decodes additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by adding a scheduled task or modifying registry keys using commands executed via the GitHub Actions runner.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the runner host to an external server using tools like \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003epowershell\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the self-hosted runner machine. This can lead to the compromise of sensitive data stored on the runner, such as credentials or API keys. Attackers can also use the compromised runner as a pivot point to gain access to other internal systems. Observed attacks have focused on supply chain compromises with an unknown number of victims. The impact can range from data breaches and financial loss to reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Execution via GitHub Actions Runner - Suspicious Tools\u0026quot; to detect the execution of common attacker tools spawned by the GitHub Actions runner (rule: Execution via GitHub Actions Runner - Suspicious Tools).\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for child processes of \u003ccode\u003eRunner.Worker\u003c/code\u003e or \u003ccode\u003eRunner.Worker.exe\u003c/code\u003e that execute suspicious commands (log source: process_creation).\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of binaries on the self-hosted runner machines (general hardening guidance).\u003c/li\u003e\n\u003cli\u003eReview and audit GitHub workflow configurations for any unauthorized or suspicious modifications (GitHub audit logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-execution/","summary":"Compromised GitHub Actions workflows allow attackers to execute arbitrary commands on self-hosted runners, leading to code execution, file manipulation, and potential data exfiltration.","title":"Execution via GitHub Actions Runner","url":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - GitHub Actions Runner","version":"https://jsonfeed.org/version/1.1"}