{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/supply_chain/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","2fa","security_controls","supply_chain"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis detection identifies instances where two-factor authentication (2FA) requirements are disabled within GitHub Organizations. By monitoring GitHub Organizations audit logs, this analytic tracks changes to 2FA requirements, capturing details about the actor, organization, and associated metadata. Disabling 2FA weakens security controls, increasing the risk of account compromise via password-based attacks. The absence of 2FA can lead to unauthorized access to sensitive code repositories, intellectual property, and potential compromise of the software supply chain. The activity observed in this analytic aligns with actions outlined in the MITRE ATT\u0026amp;CK framework such as impair defenses (T1562.001) and supply chain compromise (T1195).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a privileged GitHub account, possibly through credential compromise or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization with the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization\u0026rsquo;s security settings within GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the requirement for two-factor authentication (2FA) for the organization.\u003c/li\u003e\n\u003cli\u003eGitHub audit logs record the \u0026ldquo;org.disable_two_factor_requirement\u0026rdquo; event, capturing details of the actor and organization.\u003c/li\u003e\n\u003cli\u003eWith 2FA disabled, the attacker can now access other accounts within the organization more easily without needing to bypass multi-factor authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses the compromised accounts to access sensitive code repositories or other resources within the organization.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or injects malicious code into the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling 2FA in GitHub organizations increases the risk of account takeover and unauthorized access to sensitive code and intellectual property. A successful attack could lead to the compromise of the software supply chain, impacting not only the organization itself but also its customers and users. This can result in reputational damage, financial losses, and legal liabilities. The Google Cloud Community reported on using Google Security to monitor for suspicious GitHub activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and maintain the Splunk Add-on for GitHub to ingest GitHub Organizations audit logs as detailed in the references.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Organizations Disable 2FA Requirement\u003c/code\u003e to detect instances of 2FA being disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003eactor_id\u003c/code\u003e, and \u003ccode\u003eactor_ip\u003c/code\u003e fields to identify potentially compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor user agent strings (\u003ccode\u003euser_agent\u003c/code\u003e field) for suspicious or anomalous activity related to the disabling of 2FA.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies and educate users about the importance of 2FA to prevent initial account compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-github-2fa-disabled/","summary":"The disabling of two-factor authentication (2FA) in GitHub Organizations is detected through audit log monitoring, potentially indicating an attacker's attempt to weaken account security and facilitate unauthorized access.","title":"GitHub Organizations 2FA Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-github-2fa-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com"],"_cs_severities":["medium"],"_cs_tags":["github","supply_chain","self_hosted_runner"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis alert identifies the creation of a self-hosted runner in GitHub Enterprise by monitoring GitHub Enterprise audit logs. Self-hosted runners execute workflow jobs on customer-controlled infrastructure. Attackers can abuse compromised runners to execute malicious code, access sensitive data, or pivot to other systems within the environment. While self-hosted runners are a legitimate feature, their creation should be carefully controlled as compromised runners pose significant security risks. It is crucial to investigate any unexpected runner creation events to ensure they are authorized and properly secured, especially if initiated by unfamiliar users or in unusual contexts. This activity may indicate a supply chain attack or other malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a GitHub Enterprise account or obtains sufficient privileges to register a self-hosted runner.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new self-hosted runner within the GitHub Enterprise organization or enterprise account. This action is logged in the GitHub Enterprise audit logs.\u003c/li\u003e\n\u003cli\u003eThe newly registered runner is configured to execute workflow jobs within the GitHub Enterprise environment.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or injects malicious code into a GitHub workflow that will be executed by the compromised runner. This may involve actions such as pull requests or direct commits to the repository.\u003c/li\u003e\n\u003cli\u003eThe compromised runner executes the malicious workflow job, allowing the attacker to execute arbitrary code on the runner infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised runner to access sensitive data stored within the GitHub environment or accessible to the runner.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots from the compromised runner to other systems within the network, potentially gaining access to additional resources and sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate data from the environment or maintain persistence on the compromised systems for future malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via a compromised self-hosted runner can lead to remote code execution, data exfiltration, and lateral movement within the targeted environment. A compromised runner allows attackers to execute arbitrary code, access sensitive data, and potentially pivot to other systems, resulting in significant damage and potential data breaches. The scope of the impact depends on the permissions and access levels of the compromised runner.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub Enterprise Audit log streaming to a SIEM like Splunk, as described in the GitHub documentation, to capture runner registration events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Enterprise Register Self Hosted Runner\u003c/code\u003e to detect unauthorized or suspicious runner creations.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003euser_agent\u003c/code\u003e field in the audit logs for unusual or unexpected values associated with runner registration events.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003eactor_id\u003c/code\u003e, and \u003ccode\u003euser_agent\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and multi-factor authentication for GitHub Enterprise accounts, especially those with permissions to manage runners.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the list of registered self-hosted runners in GitHub Enterprise to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-github-enterprise-runner/","summary":"A self-hosted runner was created in GitHub Enterprise, which could be exploited by attackers to execute malicious code, access sensitive data, or pivot to other systems.","title":"GitHub Enterprise Self-Hosted Runner Registration","url":"https://feed.craftedsignal.io/briefs/2024-01-github-enterprise-runner/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise","github.com","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","branch_protection","supply_chain"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of disabled classic branch protection rules within a GitHub Enterprise environment. The detection is based on monitoring GitHub Enterprise audit logs for events related to the removal of branch protections. Attackers may disable these rules to bypass code review processes and introduce malicious code or vulnerabilities directly into protected branches. This action can be part of a larger attack, where adversaries first weaken security controls before injecting malicious content. Identifying and responding to these events is crucial for maintaining the integrity and security of the software supply chain. This analytic is sourced from Splunk\u0026rsquo;s security content and is designed to run on GitHub Enterprise audit logs ingested into Splunk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub Enterprise account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the repository settings within the GitHub Enterprise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the classic branch protection rules configured for a target branch.\u003c/li\u003e\n\u003cli\u003eThe attacker disables one or more of these branch protection rules, such as code review enforcement or restrictions on force pushes. This generates a \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e event in the audit logs.\u003c/li\u003e\n\u003cli\u003eThe attacker commits and pushes unauthorized or malicious code directly to the protected branch, bypassing established security controls.\u003c/li\u003e\n\u003cli\u003eThe malicious code is merged into the main branch, potentially affecting production systems or downstream consumers of the code.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to cover their tracks by deleting audit logs or manipulating other security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of disabled branch protection rules can be significant. Successful exploitation can lead to the introduction of vulnerabilities, malicious code, or backdoors into the software supply chain. This can result in data breaches, system compromise, and reputational damage. The number of affected systems and the extent of the damage depend on the scope and nature of the malicious code injected. The targets are GitHub Enterprise organizations that rely on branch protection rules to maintain code quality and security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub Enterprise Audit log streaming to a SIEM or log management solution to capture \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e events as described in the GitHub Enterprise documentation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Enterprise Disable Classic Branch Protection Rule\u003c/code\u003e to detect instances where branch protection rules are disabled and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003erepo\u003c/code\u003e, and \u003ccode\u003euser_agent\u003c/code\u003e fields to understand the context of the event.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Enterprise configurations to ensure that branch protection rules are properly configured and enforced.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-github-branch-protection-disabled/","summary":"Detection of disabled classic branch protection rules in GitHub Enterprise, indicating potential bypass of code review and security controls, leading to unauthorized code changes and supply chain compromise.","title":"GitHub Enterprise Classic Branch Protection Rule Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Supply_chain","version":"https://jsonfeed.org/version/1.1"}