<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>GitHub Actions Runner - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/github-actions-runner/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/github-actions-runner/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detection of Unauthorized GitHub Actions Runner Registration</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-registration/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-registration/</guid><description>The configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary can indicate malicious activity aimed at establishing remote code execution via malicious GitHub workflows.</description><content:encoded><![CDATA[<p>This threat brief focuses on the malicious registration of GitHub Actions self-hosted runners. The attack involves adversaries registering a machine as a runner to a remote GitHub repository. Once registered, the attacker gains the ability to execute arbitrary workflow commands on the host. This can lead to supply chain compromise, remote code execution, and potentially lateral movement within a network. The rule detects the execution of <code>Runner.Listener</code> or <code>Runner.Listener.exe</code> with the <code>configure</code>, <code>--url</code>, and <code>--token</code> arguments, which are indicative of runner registration. This activity is particularly concerning as it provides a persistent remote access mechanism that bypasses traditional security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a system via various methods (e.g., compromised credentials, phishing, exploiting vulnerabilities).</li>
<li>Attacker downloads the GitHub Actions Runner software to the compromised host.</li>
<li>Attacker executes <code>Runner.Listener</code> or <code>Runner.Listener.exe</code> with the <code>configure</code> argument.</li>
<li>The attacker provides the <code>--url</code> argument, pointing to a malicious or attacker-controlled GitHub repository.</li>
<li>The attacker provides the <code>--token</code> argument, authenticating the runner against the malicious repository.</li>
<li>The compromised system registers as a self-hosted runner within the attacker's GitHub repository.</li>
<li>The attacker creates or modifies workflows in the GitHub repository to execute arbitrary commands on the registered runner.</li>
<li>The attacker triggers the malicious workflow, leading to command execution on the compromised host, potentially enabling data exfiltration, lateral movement, or the deployment of malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary code on the registered runner machine. This can lead to data exfiltration, installation of malware, or use of the compromised system as a pivot point for further lateral movement within the network. The compromise can also lead to supply chain attacks if the runner has access to sensitive build processes or deployment pipelines. The scope of impact depends on the privileges of the account running the GitHub Actions Runner and the resources accessible from that host.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Remote GitHub Actions Runner Registration&quot; to detect the execution of <code>Runner.Listener</code> with suspicious arguments (logsource: process_creation).</li>
<li>Investigate any alerts triggered by the Sigma rule &quot;Remote GitHub Actions Runner Registration&quot;, focusing on the associated network and file activities.</li>
<li>Implement application whitelisting to prevent unauthorized execution of binaries like <code>Runner.Listener</code> and <code>Runner.Listener.exe</code> (logsource: process_creation).</li>
<li>Review GitHub repository details for any suspicious workflows or run commands, particularly in the <code>.github/workflows</code> folder (reference: <a href="https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise">https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise</a>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github-actions</category><category>supply-chain</category><category>remote-code-execution</category></item><item><title>Execution via GitHub Actions Runner</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-actions-execution/</link><pubDate>Tue, 09 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-actions-execution/</guid><description>Compromised GitHub Actions workflows allow attackers to execute arbitrary commands on self-hosted runners, leading to code execution, file manipulation, and potential data exfiltration.</description><content:encoded><![CDATA[<p>Attackers can exploit self-hosted GitHub Actions runners by gaining the ability to modify or trigger workflows in a linked GitHub repository. This allows the execution of arbitrary commands on the runner host, potentially leading to malicious or unexpected workflow activity. This includes unauthorized code execution, file manipulation, and network exfiltration, all initiated through a compromised repository. The attacks observed leverage a variety of scripting languages and tools, including curl, wget, PowerShell, and others, to achieve their objectives, which necessitates comprehensive monitoring across different platforms. The incident observed aligns with supply chain compromise attack vectors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains control of a GitHub repository linked to a self-hosted Actions runner, potentially through compromised credentials or a vulnerable dependency.</li>
<li>The attacker modifies a workflow file (.yml) in the repository to include malicious commands, such as downloading and executing a reverse shell.</li>
<li>The compromised workflow is triggered, either manually or by a scheduled event, causing the GitHub Actions Runner to execute the attacker's malicious code.</li>
<li>The <code>Runner.Worker</code> process spawns a command interpreter (e.g., <code>powershell.exe</code>, <code>bash</code>) to execute the attacker-controlled commands embedded in the workflow.</li>
<li>The attacker utilizes tools like <code>curl</code> or <code>wget</code> to download additional payloads or scripts from external sources to the runner machine.</li>
<li>Using <code>certutil.exe</code> the attacker downloads and decodes additional payloads.</li>
<li>The attacker establishes persistence by adding a scheduled task or modifying registry keys using commands executed via the GitHub Actions runner.</li>
<li>The attacker exfiltrates sensitive data from the runner host to an external server using tools like <code>curl</code> or <code>powershell</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary code on the self-hosted runner machine. This can lead to the compromise of sensitive data stored on the runner, such as credentials or API keys. Attackers can also use the compromised runner as a pivot point to gain access to other internal systems. Observed attacks have focused on supply chain compromises with an unknown number of victims. The impact can range from data breaches and financial loss to reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Execution via GitHub Actions Runner - Suspicious Tools&quot; to detect the execution of common attacker tools spawned by the GitHub Actions runner (rule: Execution via GitHub Actions Runner - Suspicious Tools).</li>
<li>Monitor process execution logs for child processes of <code>Runner.Worker</code> or <code>Runner.Worker.exe</code> that execute suspicious commands (log source: process_creation).</li>
<li>Implement application whitelisting to prevent unauthorized execution of binaries on the self-hosted runner machines (general hardening guidance).</li>
<li>Review and audit GitHub workflow configurations for any unauthorized or suspicious modifications (GitHub audit logs).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github-actions</category><category>supply-chain</category><category>execution</category></item></channel></rss>