{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1685/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1685"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eAttackers with sufficient privileges within a Bitbucket project or repository may delete secret scanning rules. These rules are designed to automatically detect and prevent the committing of sensitive information like API keys, passwords, and tokens directly into the codebase. By removing these rules, adversaries can bypass security controls and introduce secrets into the repository undetected. This could be a precursor to a larger attack, where the leaked secrets are used to gain unauthorized access to systems, data, or other resources. This activity may occur as a part of a broader insider threat campaign or an external attacker who has gained control of a privileged account.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a Bitbucket account with project or repository administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Bitbucket web interface or uses the Bitbucket API with the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the project or repository settings where secret scanning rules are configured.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the secret scanning rules in place.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the deletion of one or more secret scanning rules through the Bitbucket web interface or API.\u003c/li\u003e\n\u003cli\u003eBitbucket processes the request and removes the specified secret scanning rules.\u003c/li\u003e\n\u003cli\u003eThe attacker (or another compromised account) commits code containing secrets, which are no longer detected due to the deleted rules.\u003c/li\u003e\n\u003cli\u003eThe committed secrets are then potentially used for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of secret scanning rules in Bitbucket can lead to the undetected introduction of sensitive information into the codebase. This can result in unauthorized access to systems, data breaches, and other security incidents. The impact can range from minor data exposure to significant financial losses and reputational damage, depending on the scope and sensitivity of the leaked secrets. Organizations relying on Bitbucket for source code management are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Bitbucket audit logs for events related to secret scanning rule deletions, using the provided Sigma rule to detect suspicious activity (\u003ccode\u003ebitbucket_audit_secret_scanning_rule_deleted.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Bitbucket accounts, especially those with administrative privileges, to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege, ensuring that users only have the necessary permissions to perform their tasks.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Bitbucket user permissions and access controls.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and encourage users to use unique, complex passwords.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-17T14:22:00Z","date_published":"2024-11-17T14:22:00Z","id":"/briefs/2024-11-bitbucket-secret-rule-deletion/","summary":"Attackers may delete secret scanning rules in Bitbucket to impair defenses and introduce secrets into the code repository undetected, potentially leading to unauthorized access or data breaches.","title":"Bitbucket Secret Scanning Rule Deleted","url":"https://feed.craftedsignal.io/briefs/2024-11-bitbucket-secret-rule-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["high"],"_cs_tags":["attack.defense-impairment","attack.t1685"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThe disabling of GitHub\u0026rsquo;s secret scanning feature represents a significant security risk. Secret scanning is a critical control that prevents sensitive information, such as API keys, credentials, and tokens, from being committed to repositories. An attacker who gains administrative access to a GitHub organization or repository could disable this feature to facilitate the undetected introduction of secrets into the codebase. This action undermines the organization\u0026rsquo;s security posture, creating opportunities for unauthorized access and data breaches. The activity is logged via GitHub audit logs, providing an opportunity for detection. This brief focuses on detecting the actions that disable the secret scanning feature within GitHub.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with administrative privileges for either an organization or a specific repository.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the security settings within the organization or repository.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u0026ldquo;Secret scanning\u0026rdquo; feature or related settings (e.g., \u0026ldquo;Secret scanning for new repositories\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker disables the secret scanning feature using the GitHub UI or API. This generates an audit log event.\u003c/li\u003e\n\u003cli\u003eThe attacker commits code containing secrets to the repository.\u003c/li\u003e\n\u003cli\u003eBecause secret scanning is disabled, the secrets are not detected or flagged by GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the committed secrets to gain unauthorized access to other systems or data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, lateral movement, or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling secret scanning can lead to the exposure of sensitive credentials within a codebase. If successful, attackers can leverage these exposed secrets to compromise systems, access sensitive data, and potentially cause significant financial and reputational damage. The number of affected repositories and the extent of the damage depend on the scope of the access the attacker gains and the criticality of the exposed secrets. This can affect any organization that uses Github for source code management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Github Secret Scanning Feature Disabled\u0026rdquo; Sigma rule to your SIEM to detect unauthorized disabling of the feature (logsource: github, service: audit).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of secret scanning being disabled to determine if they were authorized administrative actions.\u003c/li\u003e\n\u003cli\u003eEnable audit log streaming to ensure the required logs are available (see logsource definition).\u003c/li\u003e\n\u003cli\u003eReview GitHub access controls to ensure that only authorized personnel have the ability to modify secret scanning settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-19T00:00:00Z","date_published":"2024-07-19T00:00:00Z","id":"/briefs/2024-07-github-secret-scanning-disabled/","summary":"Detection of the disabling of GitHub secret scanning at the business or repository level, potentially increasing the risk of exposed credentials and secrets.","title":"GitHub Secret Scanning Feature Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-github-secret-scanning-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise Cloud"],"_cs_severities":["high"],"_cs_tags":["attack.defense-impairment","attack.t1685"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThe GitHub push protection feature is designed to prevent secrets and sensitive information from being committed to repositories. Disabling this feature, whether at the organization, enterprise, or repository level, significantly increases the risk of accidental or intentional exposure of credentials, API keys, and other sensitive data. This can lead to unauthorized access, data breaches, and other security incidents. The actions detected can originate from administrative accounts or potentially compromised accounts with administrative privileges. This brief focuses on detecting the disabling of push protection, allowing security teams to respond and remediate the configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with administrative privileges, or a legitimate administrator performs the action.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization, enterprise, or repository settings in GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the \u0026ldquo;Secret scanning\u0026rdquo; or \u0026ldquo;Push protection\u0026rdquo; configuration section.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the push protection feature for the organization, enterprise, or specific repositories. This can be done via the GitHub UI or API.\u003c/li\u003e\n\u003cli\u003eGitHub audit logs record the event with the actions \u003ccode\u003ebusiness_secret_scanning_custom_pattern_push_protection.disabled\u003c/code\u003e, \u003ccode\u003ebusiness_secret_scanning_push_protection.disable\u003c/code\u003e, \u003ccode\u003eorg.secret_scanning_custom_pattern_push_protection_disabled\u003c/code\u003e, etc..\u003c/li\u003e\n\u003cli\u003eDevelopers unknowingly or intentionally commit code containing secrets or sensitive data to the affected repositories.\u003c/li\u003e\n\u003cli\u003eThe secrets are pushed to the remote repository without being blocked by push protection.\u003c/li\u003e\n\u003cli\u003eThe exposed secrets can be discovered by malicious actors, leading to account compromise, data breaches, or other security incidents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling push protection can lead to the exposure of sensitive information such as API keys, passwords, and other credentials within GitHub repositories. This exposure can lead to account compromise, unauthorized access to systems and data, and potentially significant financial and reputational damage. The number of affected repositories and the severity of the impact depends on the scope of the push protection disabling and the types of secrets committed to the repositories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Push Protection Disabled\u0026rdquo; to your SIEM and tune for your environment to detect when push protection is disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of push protection being disabled in the GitHub audit logs (logsource: github, service: audit) to verify the legitimacy of the action.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges, to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub organization and repository settings to ensure that push protection is enabled and properly configured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T12:00:00Z","date_published":"2024-05-03T12:00:00Z","id":"/briefs/2024-05-github-push-protection-disabled/","summary":"An administrator has disabled the GitHub push protection feature, potentially allowing secrets and other sensitive information to be pushed to repositories.","title":"GitHub Push Protection Disabled","url":"https://feed.craftedsignal.io/briefs/2024-05-github-push-protection-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1685"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eThis threat brief addresses the deletion of global secret scanning rules within Bitbucket environments. Secret scanning is a crucial defense mechanism used to prevent sensitive information, such as API keys and passwords, from being committed to repositories. An attacker with global administration privileges could intentionally delete these rules to bypass security controls. This action could occur post-compromise, as part of an insider threat, or due to accidental misconfiguration. The impact of this activity centers around an increased risk of sensitive data exposure, which can lead to further compromise or data breaches. Defenders should monitor Bitbucket audit logs for such deletions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains valid credentials with global administrator privileges within the Bitbucket environment, possibly through credential stuffing or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Bitbucket web interface or uses the Bitbucket API with their compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the global secret scanning rule configuration page.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies and selects one or more global secret scanning rules currently in effect.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the deletion process for the selected rules, confirming the action when prompted.\u003c/li\u003e\n\u003cli\u003eBitbucket processes the deletion request, removing the rules from the global configuration.\u003c/li\u003e\n\u003cli\u003eThe system generates an audit log event indicating the deletion of the global secret scanning rule.\u003c/li\u003e\n\u003cli\u003eWith secret scanning disabled, developers may inadvertently commit secrets into Bitbucket repositories, making them available to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of global secret scanning rules can have significant impact. Without active secret scanning, developers may unintentionally commit sensitive information (API keys, passwords, tokens) into Bitbucket repositories. This could lead to account takeovers, data breaches, or lateral movement within the organization\u0026rsquo;s infrastructure. The number of affected repositories and exposed secrets will vary depending on the scope of the attacker\u0026rsquo;s access and the activity of developers during the period when the rules were disabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect the deletion of global secret scanning rules in Bitbucket audit logs, focusing on \u003ccode\u003eauditType.category: 'Global administration'\u003c/code\u003e and \u003ccode\u003eauditType.action: 'Global secret scanning rule deleted'\u003c/code\u003e (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of global secret scanning rule deletion to determine if the action was authorized and performed by a legitimate user.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Bitbucket accounts, especially those with administrative privileges, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly review Bitbucket user permissions and roles to ensure that users have only the necessary level of access.\u003c/li\u003e\n\u003cli\u003eEnable \u0026ldquo;Basic\u0026rdquo; logging level, as required, to ensure the necessary audit events are generated (logsource definition).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T14:00:00Z","date_published":"2024-04-29T14:00:00Z","id":"/briefs/2024-04-bitbucket-secret-rule-delete/","summary":"An adversary with administrative privileges may delete global secret scanning rules in Bitbucket to impair defenses and exfiltrate sensitive data without detection.","title":"Bitbucket Global Secret Scanning Rule Deletion","url":"https://feed.craftedsignal.io/briefs/2024-04-bitbucket-secret-rule-delete/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket Server"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1685","bitbucket"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eAttackers can weaken an organization\u0026rsquo;s security posture by disabling or bypassing security controls within Bitbucket. This allows sensitive information, such as API keys, passwords, and other credentials, to be committed to the repository without detection. By adding a repository to the secret scanning exemption list, attackers can effectively disable a key preventative measure, making it easier to introduce and maintain compromised credentials within the codebase. This can lead to unauthorized access, data breaches, and other serious security incidents. This technique allows attackers to impair defenses, avoiding detection of secrets being committed to the repository.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Bitbucket account with repository administration privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the repository settings within Bitbucket.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the secret scanning configuration for the repository.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the option to add the repository to the exemption list for secret scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker adds the repository to the exemption list, effectively disabling secret scanning for that repository.\u003c/li\u003e\n\u003cli\u003eThe attacker commits sensitive information (secrets, credentials) to the now-exempt repository.\u003c/li\u003e\n\u003cli\u003eThe secrets are committed without triggering secret scanning alerts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the committed secrets to gain unauthorized access to other systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising secrets within a Bitbucket repository can lead to a variety of negative consequences, including unauthorized access to sensitive data, compromised infrastructure, and data breaches. While the exact number of affected organizations is unknown, the potential impact is significant for any organization using Bitbucket to store code and manage secrets. Successful exploitation allows attackers to move laterally within the network and escalate privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Bitbucket Secret Scanning Exempt Repository Added\u0026rdquo; to your SIEM to detect when a repository is added to the secret scanning exemption list (logsource: bitbucket).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of repositories being added to the secret scanning exemption list to determine if the change was authorized.\u003c/li\u003e\n\u003cli\u003eEnsure that appropriate access controls are in place to prevent unauthorized users from modifying repository settings.\u003c/li\u003e\n\u003cli\u003eReview Bitbucket audit logs regularly to identify suspicious activity related to secret scanning configuration changes (logsource: bitbucket).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-bitbucket-secret-scanning-exempt/","summary":"An attacker may attempt to disable or bypass secret scanning on a Bitbucket repository to avoid detection of committed secrets, potentially leading to credential compromise and subsequent unauthorized access.","title":"Bitbucket Repository Exempted from Secret Scanning","url":"https://feed.craftedsignal.io/briefs/2024-04-bitbucket-secret-scanning-exempt/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["low"],"_cs_tags":["attack.defense-impairment","attack.t1685"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eThe addition of a secret scanning allowlist rule to a Bitbucket project can be abused by malicious actors to bypass security controls. While not inherently malicious, this action can be exploited to weaken an organization\u0026rsquo;s security posture. Secret scanning tools are designed to prevent the accidental or intentional commit of sensitive information (API keys, passwords, etc.) into version control systems. By adding an allowlist rule, specific patterns or files can be excluded from these scans. This could be leveraged by an attacker who has gained access to a Bitbucket account or project to intentionally introduce secrets while avoiding detection. The activity is logged by Bitbucket\u0026rsquo;s audit logs, providing an opportunity for detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a Bitbucket account with sufficient privileges to modify project settings.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the project settings within Bitbucket.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the secret scanning configuration for the project.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a new allowlist rule, specifying a pattern or file to be excluded from secret scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker commits code containing secrets that match the allowlist rule, effectively bypassing the secret scanning tool.\u003c/li\u003e\n\u003cli\u003eThe changes are pushed to the Bitbucket repository.\u003c/li\u003e\n\u003cli\u003eThe secrets remain undetected due to the allowlist rule.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed secrets for further malicious activities, such as gaining access to other systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the exposure of sensitive information such as API keys, passwords, or other credentials. This can result in unauthorized access to internal systems, data breaches, and reputational damage. The number of affected projects depends on the scope of the attacker\u0026rsquo;s access and the configuration of the allowlist rule. The addition of the allowlist rule itself does not directly cause damage but creates a window of opportunity for the introduction and persistence of secrets within the codebase.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the addition of secret scanning allowlist rules (logsource: bitbucket, service: audit).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of allowlist rule additions to verify their legitimacy and business justification.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access controls for Bitbucket projects to minimize the risk of unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnable \u0026ldquo;Basic\u0026rdquo; log level in Bitbucket to ensure that the audit events required for detection are captured, as indicated in the rule definition.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-bitbucket-secret-scanning-allowlist/","summary":"An adversary may impair defenses by adding a secret scanning allowlist rule for Bitbucket projects, potentially allowing secrets to be committed and exposed.","title":"Bitbucket Project Secret Scanning Allowlist Added","url":"https://feed.craftedsignal.io/briefs/2024-04-bitbucket-secret-scanning-allowlist/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1685","version":"https://jsonfeed.org/version/1.1"}