{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/certificate/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["medium"],"_cs_tags":["github","ssh","certificate","initial-access","persistence","privilege-escalation","stealth","t1078.004"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eAttackers can abuse SSH certificate authorities in GitHub to gain unauthorized access to repositories. By creating or disabling SSH certificate requirements, attackers can bypass existing security controls and establish persistent access. This activity is logged in the GitHub audit logs, specifically when \u003ccode\u003essh_certificate_authority.create\u003c/code\u003e or \u003ccode\u003essh_certificate_requirement.disable\u003c/code\u003e actions are performed. Successful exploitation allows attackers to commit malicious code, steal sensitive data, or disrupt development workflows, impacting the integrity and confidentiality of the organization\u0026rsquo;s resources. The GitHub audit log streaming feature must be enabled to detect this activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a GitHub organization, potentially through compromised credentials or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates their privileges to an organizational role capable of managing SSH certificate authorities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSH Certificate Authority Creation:\u003c/strong\u003e The attacker creates a new SSH certificate authority within the GitHub organization (\u003ccode\u003essh_certificate_authority.create\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable SSH Certificate Requirement:\u003c/strong\u003e Alternatively, the attacker disables the requirement for members to use SSH certificates to access organization resources (\u003ccode\u003essh_certificate_requirement.disable\u003c/code\u003e). This action allows attackers to bypass security controls that enforce SSH certificate usage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access:\u003c/strong\u003e The attacker utilizes the newly created SSH certificate authority or the disabled requirement to access repositories without proper authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the GitHub organization, accessing additional repositories and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malicious Code Injection:\u003c/strong\u003e The attacker exfiltrates sensitive data or injects malicious code into the organization\u0026rsquo;s repositories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker maintains persistent access by using the created SSH certificate authority or the disabled requirement for future unauthorized activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of SSH certificate configurations in GitHub can lead to unauthorized code commits, data breaches, and supply chain attacks. This could result in financial losses, reputational damage, and legal repercussions for the affected organization. The number of affected repositories and the severity of the impact depend on the scope of the attacker\u0026rsquo;s access and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the GitHub audit log streaming feature to capture SSH certificate configuration changes (logsource: github, service: audit, definition).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003essh_certificate_authority.create\u003c/code\u003e or \u003ccode\u003essh_certificate_requirement.disable\u003c/code\u003e events in the GitHub audit logs (rule: Github SSH Certificate Configuration Changed).\u003c/li\u003e\n\u003cli\u003eRegularly review GitHub audit logs for any unauthorized modifications to SSH certificate configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T14:00:00Z","date_published":"2024-11-02T14:00:00Z","id":"/briefs/2024-11-github-ssh-cert-config-changed/","summary":"Attackers can modify SSH certificate configurations in GitHub organizations to gain unauthorized access, persist in the environment, escalate privileges, and operate stealthily.","title":"GitHub SSH Certificate Configuration Changed","url":"https://feed.craftedsignal.io/briefs/2024-11-github-ssh-cert-config-changed/"}],"language":"en","title":"CraftedSignal Threat Feed — Certificate","version":"https://jsonfeed.org/version/1.1"}