Attack.t1685 — CraftedSignal Threat Feed

Bitbucket Secret Scanning Rule Deleted

hello@craftedsignal.io — Sun, 17 Nov 2024 14:22:00 +0000

Attackers with sufficient privileges within a Bitbucket project or repository may delete secret scanning rules. These rules are designed to automatically detect and prevent the committing of sensitive information like API keys, passwords, and tokens directly into the codebase. By removing these rules, adversaries can bypass security controls and introduce secrets into the repository undetected. This could be a precursor to a larger attack, where the leaked secrets are used to gain unauthorized access to systems, data, or other resources. This activity may occur as a part of a broader insider threat campaign or an external attacker who has gained control of a privileged account.

Attack Chain

The attacker compromises a Bitbucket account with project or repository administrator privileges.
The attacker authenticates to the Bitbucket web interface or uses the Bitbucket API with the compromised account.
The attacker navigates to the project or repository settings where secret scanning rules are configured.
The attacker identifies the secret scanning rules in place.
The attacker initiates the deletion of one or more secret scanning rules through the Bitbucket web interface or API.
Bitbucket processes the request and removes the specified secret scanning rules.
The attacker (or another compromised account) commits code containing secrets, which are no longer detected due to the deleted rules.
The committed secrets are then potentially used for lateral movement, data exfiltration, or other malicious activities.

Impact

The deletion of secret scanning rules in Bitbucket can lead to the undetected introduction of sensitive information into the codebase. This can result in unauthorized access to systems, data breaches, and other security incidents. The impact can range from minor data exposure to significant financial losses and reputational damage, depending on the scope and sensitivity of the leaked secrets. Organizations relying on Bitbucket for source code management are vulnerable.

Recommendation

Monitor Bitbucket audit logs for events related to secret scanning rule deletions, using the provided Sigma rule to detect suspicious activity (bitbucket_audit_secret_scanning_rule_deleted.yml).
Implement multi-factor authentication (MFA) for all Bitbucket accounts, especially those with administrative privileges, to reduce the risk of account compromise.
Enforce the principle of least privilege, ensuring that users only have the necessary permissions to perform their tasks.
Regularly review and audit Bitbucket user permissions and access controls.
Implement strong password policies and encourage users to use unique, complex passwords.

GitHub Secret Scanning Feature Disabled

hello@craftedsignal.io — Fri, 19 Jul 2024 00:00:00 +0000

The disabling of GitHub’s secret scanning feature represents a significant security risk. Secret scanning is a critical control that prevents sensitive information, such as API keys, credentials, and tokens, from being committed to repositories. An attacker who gains administrative access to a GitHub organization or repository could disable this feature to facilitate the undetected introduction of secrets into the codebase. This action undermines the organization’s security posture, creating opportunities for unauthorized access and data breaches. The activity is logged via GitHub audit logs, providing an opportunity for detection. This brief focuses on detecting the actions that disable the secret scanning feature within GitHub.

Attack Chain

An attacker gains unauthorized access to a GitHub account with administrative privileges for either an organization or a specific repository.
The attacker navigates to the security settings within the organization or repository.
The attacker identifies the “Secret scanning” feature or related settings (e.g., “Secret scanning for new repositories”).
The attacker disables the secret scanning feature using the GitHub UI or API. This generates an audit log event.
The attacker commits code containing secrets to the repository.
Because secret scanning is disabled, the secrets are not detected or flagged by GitHub.
The attacker leverages the committed secrets to gain unauthorized access to other systems or data.
The attacker achieves their final objective, which could include data exfiltration, lateral movement, or service disruption.

Impact

Disabling secret scanning can lead to the exposure of sensitive credentials within a codebase. If successful, attackers can leverage these exposed secrets to compromise systems, access sensitive data, and potentially cause significant financial and reputational damage. The number of affected repositories and the extent of the damage depend on the scope of the access the attacker gains and the criticality of the exposed secrets. This can affect any organization that uses Github for source code management.

Recommendation

Deploy the “Github Secret Scanning Feature Disabled” Sigma rule to your SIEM to detect unauthorized disabling of the feature (logsource: github, service: audit).
Investigate any detected instances of secret scanning being disabled to determine if they were authorized administrative actions.
Enable audit log streaming to ensure the required logs are available (see logsource definition).
Review GitHub access controls to ensure that only authorized personnel have the ability to modify secret scanning settings.

GitHub Push Protection Disabled

hello@craftedsignal.io — Fri, 03 May 2024 12:00:00 +0000

The GitHub push protection feature is designed to prevent secrets and sensitive information from being committed to repositories. Disabling this feature, whether at the organization, enterprise, or repository level, significantly increases the risk of accidental or intentional exposure of credentials, API keys, and other sensitive data. This can lead to unauthorized access, data breaches, and other security incidents. The actions detected can originate from administrative accounts or potentially compromised accounts with administrative privileges. This brief focuses on detecting the disabling of push protection, allowing security teams to respond and remediate the configuration.

Attack Chain

An attacker gains unauthorized access to a GitHub account with administrative privileges, or a legitimate administrator performs the action.
The attacker navigates to the organization, enterprise, or repository settings in GitHub.
The attacker locates the “Secret scanning” or “Push protection” configuration section.
The attacker disables the push protection feature for the organization, enterprise, or specific repositories. This can be done via the GitHub UI or API.
GitHub audit logs record the event with the actions business_secret_scanning_custom_pattern_push_protection.disabled, business_secret_scanning_push_protection.disable, org.secret_scanning_custom_pattern_push_protection_disabled, etc..
Developers unknowingly or intentionally commit code containing secrets or sensitive data to the affected repositories.
The secrets are pushed to the remote repository without being blocked by push protection.
The exposed secrets can be discovered by malicious actors, leading to account compromise, data breaches, or other security incidents.

Impact

Disabling push protection can lead to the exposure of sensitive information such as API keys, passwords, and other credentials within GitHub repositories. This exposure can lead to account compromise, unauthorized access to systems and data, and potentially significant financial and reputational damage. The number of affected repositories and the severity of the impact depends on the scope of the push protection disabling and the types of secrets committed to the repositories.

Recommendation

Deploy the Sigma rule “Github Push Protection Disabled” to your SIEM and tune for your environment to detect when push protection is disabled.
Investigate any detected instances of push protection being disabled in the GitHub audit logs (logsource: github, service: audit) to verify the legitimacy of the action.
Enforce multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges, to prevent unauthorized access.
Regularly review and audit GitHub organization and repository settings to ensure that push protection is enabled and properly configured.

Bitbucket Global Secret Scanning Rule Deletion

hello@craftedsignal.io — Mon, 29 Apr 2024 14:00:00 +0000

This threat brief addresses the deletion of global secret scanning rules within Bitbucket environments. Secret scanning is a crucial defense mechanism used to prevent sensitive information, such as API keys and passwords, from being committed to repositories. An attacker with global administration privileges could intentionally delete these rules to bypass security controls. This action could occur post-compromise, as part of an insider threat, or due to accidental misconfiguration. The impact of this activity centers around an increased risk of sensitive data exposure, which can lead to further compromise or data breaches. Defenders should monitor Bitbucket audit logs for such deletions.

Attack Chain

The attacker gains valid credentials with global administrator privileges within the Bitbucket environment, possibly through credential stuffing or phishing.
The attacker authenticates to the Bitbucket web interface or uses the Bitbucket API with their compromised credentials.
The attacker navigates to the global secret scanning rule configuration page.
The attacker identifies and selects one or more global secret scanning rules currently in effect.
The attacker initiates the deletion process for the selected rules, confirming the action when prompted.
Bitbucket processes the deletion request, removing the rules from the global configuration.
The system generates an audit log event indicating the deletion of the global secret scanning rule.
With secret scanning disabled, developers may inadvertently commit secrets into Bitbucket repositories, making them available to the attacker.

Impact

Successful deletion of global secret scanning rules can have significant impact. Without active secret scanning, developers may unintentionally commit sensitive information (API keys, passwords, tokens) into Bitbucket repositories. This could lead to account takeovers, data breaches, or lateral movement within the organization’s infrastructure. The number of affected repositories and exposed secrets will vary depending on the scope of the attacker’s access and the activity of developers during the period when the rules were disabled.

Recommendation

Deploy the provided Sigma rule to detect the deletion of global secret scanning rules in Bitbucket audit logs, focusing on auditType.category: 'Global administration' and auditType.action: 'Global secret scanning rule deleted' (Sigma rule).
Investigate any detected instances of global secret scanning rule deletion to determine if the action was authorized and performed by a legitimate user.
Implement multi-factor authentication (MFA) for all Bitbucket accounts, especially those with administrative privileges, to reduce the risk of credential compromise.
Regularly review Bitbucket user permissions and roles to ensure that users have only the necessary level of access.
Enable “Basic” logging level, as required, to ensure the necessary audit events are generated (logsource definition).

Bitbucket Repository Exempted from Secret Scanning

hello@craftedsignal.io — Mon, 29 Apr 2024 12:00:00 +0000

Attackers can weaken an organization’s security posture by disabling or bypassing security controls within Bitbucket. This allows sensitive information, such as API keys, passwords, and other credentials, to be committed to the repository without detection. By adding a repository to the secret scanning exemption list, attackers can effectively disable a key preventative measure, making it easier to introduce and maintain compromised credentials within the codebase. This can lead to unauthorized access, data breaches, and other serious security incidents. This technique allows attackers to impair defenses, avoiding detection of secrets being committed to the repository.

Attack Chain

An attacker gains unauthorized access to a Bitbucket account with repository administration privileges.
The attacker navigates to the repository settings within Bitbucket.
The attacker accesses the secret scanning configuration for the repository.
The attacker identifies the option to add the repository to the exemption list for secret scanning.
The attacker adds the repository to the exemption list, effectively disabling secret scanning for that repository.
The attacker commits sensitive information (secrets, credentials) to the now-exempt repository.
The secrets are committed without triggering secret scanning alerts.
The attacker uses the committed secrets to gain unauthorized access to other systems or data.

Impact

Compromising secrets within a Bitbucket repository can lead to a variety of negative consequences, including unauthorized access to sensitive data, compromised infrastructure, and data breaches. While the exact number of affected organizations is unknown, the potential impact is significant for any organization using Bitbucket to store code and manage secrets. Successful exploitation allows attackers to move laterally within the network and escalate privileges.

Recommendation

Deploy the Sigma rule “Bitbucket Secret Scanning Exempt Repository Added” to your SIEM to detect when a repository is added to the secret scanning exemption list (logsource: bitbucket).
Investigate any detected instances of repositories being added to the secret scanning exemption list to determine if the change was authorized.
Ensure that appropriate access controls are in place to prevent unauthorized users from modifying repository settings.
Review Bitbucket audit logs regularly to identify suspicious activity related to secret scanning configuration changes (logsource: bitbucket).

Bitbucket Project Secret Scanning Allowlist Added

hello@craftedsignal.io — Mon, 29 Apr 2024 12:00:00 +0000

The addition of a secret scanning allowlist rule to a Bitbucket project can be abused by malicious actors to bypass security controls. While not inherently malicious, this action can be exploited to weaken an organization’s security posture. Secret scanning tools are designed to prevent the accidental or intentional commit of sensitive information (API keys, passwords, etc.) into version control systems. By adding an allowlist rule, specific patterns or files can be excluded from these scans. This could be leveraged by an attacker who has gained access to a Bitbucket account or project to intentionally introduce secrets while avoiding detection. The activity is logged by Bitbucket’s audit logs, providing an opportunity for detection.

Attack Chain

The attacker gains unauthorized access to a Bitbucket account with sufficient privileges to modify project settings.
The attacker navigates to the project settings within Bitbucket.
The attacker accesses the secret scanning configuration for the project.
The attacker adds a new allowlist rule, specifying a pattern or file to be excluded from secret scanning.
The attacker commits code containing secrets that match the allowlist rule, effectively bypassing the secret scanning tool.
The changes are pushed to the Bitbucket repository.
The secrets remain undetected due to the allowlist rule.
The attacker leverages the exposed secrets for further malicious activities, such as gaining access to other systems or data.

Impact

Successful exploitation could lead to the exposure of sensitive information such as API keys, passwords, or other credentials. This can result in unauthorized access to internal systems, data breaches, and reputational damage. The number of affected projects depends on the scope of the attacker’s access and the configuration of the allowlist rule. The addition of the allowlist rule itself does not directly cause damage but creates a window of opportunity for the introduction and persistence of secrets within the codebase.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect the addition of secret scanning allowlist rules (logsource: bitbucket, service: audit).
Investigate any detected instances of allowlist rule additions to verify their legitimacy and business justification.
Review and enforce strict access controls for Bitbucket projects to minimize the risk of unauthorized modifications.
Enable “Basic” log level in Bitbucket to ensure that the audit events required for detection are captured, as indicated in the rule definition.