{
  "description": "Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/vendors/digitalocean/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["gcloud", "azd", "gh", "aws", "kubectl", "doctl", "oci"],
      "_cs_severities": ["high"],
      "_cs_tags": ["credential-access", "cloud", "cli", "token-harvesting"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Elastic", "Google", "Microsoft", "GitHub", "DigitalOcean", "Oracle"],
      "content_html": "<p>This threat brief focuses on detecting command-line credential harvesting across multiple cloud platforms. Attackers may attempt to steal application access tokens or extract credentials from files by executing specific commands via command-line interfaces (CLIs) for GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, and Kubernetes. This activity is particularly concerning when originating from the same host within a short time frame (e.g., five minutes), potentially indicating automated credential theft. This technique can lead to unauthorized access to cloud resources, data breaches, and lateral movement within cloud environments. Defenders should monitor for suspicious command-line activity involving cloud CLIs and credential access patterns.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li>An attacker gains initial access to a system, possibly via compromised credentials or exploiting a vulnerability.</li>\n<li>The attacker uses a shell (cmd.exe, PowerShell, bash, etc.) to execute cloud CLI commands.</li>\n<li>The attacker executes commands to list available credentials or tokens (e.g., <code>aws configure list</code>, <code>az account list</code>, <code>kubectl config view</code>).</li>\n<li>The attacker executes commands to print access tokens for various cloud providers (e.g., <code>gcloud auth print-access-token</code>, <code>az account get-access-token</code>, <code>gh auth token</code>).</li>\n<li>The attacker uses credential harvesting commands across multiple cloud platforms within a short timeframe.</li>\n<li>The attacker exfiltrates the harvested credentials to a remote location.</li>\n<li>The attacker uses the stolen credentials to access sensitive cloud resources and data.</li>\n<li>The attacker performs lateral movement within the cloud environment.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>A successful attack can lead to unauthorized access to sensitive cloud resources, data breaches, and lateral movement within cloud environments. The impact includes potential data exfiltration, service disruption, and financial loss. The number of affected victims will depend on the scope of the compromised credentials and the attacker&rsquo;s ability to exploit them.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Deploy the Sigma rule &ldquo;Multi-Cloud CLI Token and Credential Access Commands&rdquo; to your SIEM to detect suspicious command-line activity related to cloud credential harvesting.</li>\n<li>Review <code>Esql.process_command_line_values</code> in the rule output to identify the exact commands executed and determine if the activity was legitimate or malicious.</li>\n<li>Correlate the detected activity with authentication, Kubernetes audit, and cloud API logs to confirm unauthorized access and misuse of printed tokens.</li>\n<li>Implement monitoring and alerting for unusual CLI activity originating from user workstations or build servers, focusing on the CLIs mentioned in the Overview section.</li>\n<li>Follow vendor-specific guidance to revoke compromised credentials, such as revoking tokens and rotating secrets, as outlined in the rule&rsquo;s &ldquo;Response and remediation&rdquo; section.</li>\n</ul>\n",
      "date_modified": "2024-01-03T14:30:00Z",
      "date_published": "2024-01-03T14:30:00Z",
      "id": "/briefs/2024-01-multi-cloud-cli-token-harvesting/",
      "summary": "This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.",
      "title": "Multi-Cloud CLI Token and Credential Access via Command-Line Harvesting",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-multi-cloud-cli-token-harvesting/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["mckenziearts/livewire-markdown-editor (< 1.3)", "DigitalOcean Spaces", "Cloudflare R2", "Scaleway Object Storage"],
      "_cs_severities": ["high"],
      "_cs_tags": ["arbitrary-file-upload", "stored-xss", "vulnerability"],
      "_cs_type": "advisory",
      "_cs_vendors": ["DigitalOcean", "Cloudflare", "Scaleway"],
      "content_html": "<p>Versions of <code>mckenziearts/livewire-markdown-editor</code> prior to v1.3 are vulnerable to arbitrary file upload via the <code>MarkdownEditor::updatedAttachments()</code> Livewire handler. This handler lacks server-side validation for file types, extensions, and content. An authenticated user with access to a page embedding the markdown editor can upload malicious files (e.g., <code>.html</code>, <code>.svg</code>, <code>.js</code>) to the disk configured by <code>livewire-markdown-editor.disk</code>. If this disk is a public cloud storage bucket (S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage), the uploaded files are publicly accessible with a guessed <code>Content-Type</code> header. This vulnerability allows attackers to perform stored XSS, host phishing pages, distribute malware, and inject malicious markdown. A real-world exploitation was observed in production.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li>An attacker gains access to an application using a vulnerable version of <code>mckenziearts/livewire-markdown-editor</code>.</li>\n<li>The attacker navigates to a page embedding the <code>&lt;livewire:markdown-editor&gt;</code> component.</li>\n<li>The attacker uses the file upload functionality of the editor to upload a malicious file, such as a <code>.html</code> or <code>.svg</code> file containing XSS payloads.</li>\n<li>The <code>MarkdownEditor::updatedAttachments()</code> Livewire handler processes the uploaded file without proper validation.</li>\n<li>The handler stores the file on the disk configured by <code>livewire-markdown-editor.disk</code> (e.g., a public cloud bucket like S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage).</li>\n<li>The uploaded file becomes publicly accessible on the storage domain.</li>\n<li>A user visits the URL of the uploaded malicious file, triggering the XSS payload or accessing the phishing page.</li>\n<li>The attacker achieves their objective, such as stealing user credentials, redirecting users to malicious websites, or compromising the application&rsquo;s integrity.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>Successful exploitation of this vulnerability can lead to several critical impacts. Stored XSS on the storage domain can allow attackers to steal user credentials or perform other malicious actions in the context of the application. Phishing pages hosted on the application&rsquo;s storage domain can trick users into revealing sensitive information. Malware distribution from a domain users trust can lead to widespread infections. Additionally, markdown injection via crafted filenames can compromise the integrity of the editor&rsquo;s output. A real-world exploitation of this vulnerability was observed in production on a community platform using this package.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Upgrade to <code>mckenziearts/livewire-markdown-editor</code> v1.3 or later to patch the vulnerability.</li>\n<li>If immediate upgrading is not feasible, disable the upload UI on every instance of the editor by passing <code>:show-upload=&quot;false&quot;</code>. This prevents the vulnerable code path from being reached.</li>\n<li>Monitor web server logs (category <code>webserver</code>, product <code>linux</code>) for requests to the storage domain for unusual file extensions like <code>.html</code>, <code>.svg</code>, <code>.js</code>, <code>.php</code>, or <code>.exe</code>, which could indicate attempted exploitation.</li>\n<li>Implement the file upload detection rule to identify potentially malicious file uploads to the storage domain.</li>\n</ul>\n",
      "date_modified": "2024-01-02T12:00:00Z",
      "date_published": "2024-01-02T12:00:00Z",
      "id": "/briefs/2024-01-02-livewire-markdown-editor-upload/",
      "summary": "The livewire-markdown-editor versions before v1.3 contain an arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler, allowing authenticated users to upload any file type, potentially leading to stored XSS, phishing, malware distribution, and markdown injection.",
      "title": "livewire-markdown-editor Arbitrary File Upload Vulnerability",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-02-livewire-markdown-editor-upload/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — DigitalOcean",
  "version": "https://jsonfeed.org/version/1.1"
}