<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ethereum Name Service - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/ethereum-name-service/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/ethereum-name-service/feed.xml" rel="self" type="application/rss+xml"/><item><title>Script Interpreter Spawning Credential Scanner</title><link>https://feed.craftedsignal.io/briefs/2024-01-script-interpreter-credential-scan/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-script-interpreter-credential-scan/</guid><description>A script interpreter such as node.exe or bun.exe spawning a credential scanning tool like trufflehog or gitleaks indicates potential credential compromise, as seen in the Shai-Hulud campaign.</description><content:encoded><![CDATA[<p>Attackers are increasingly leveraging script interpreters like Node.js and Bun to execute credential scanning tools within compromised environments. This tactic allows them to search for exposed secrets, API keys, and other sensitive information stored in configuration files, source code, or other accessible locations. The &quot;Shai-Hulud: The Second Coming&quot; campaign exemplifies this trend, where compromised npm packages were used to execute malicious code, ultimately leading to credential theft. The use of credential scanners like TruffleHog and GitLeaks automates the process of identifying these secrets, making it easier for attackers to escalate their access and compromise sensitive data. Defenders should be alert to script interpreters spawning credential scanning tools to mitigate the risk of credential theft.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user downloads and installs a malicious or compromised package containing malicious JavaScript code.</li>
<li>The malicious package is executed via a script interpreter such as <code>node.exe</code> or <code>bun.exe</code>.</li>
<li>The script interpreter process spawns a credential scanning tool, such as <code>trufflehog.exe</code> or <code>gitleaks.exe</code>.</li>
<li>The credential scanner searches local directories, file systems, and potentially network shares for exposed secrets.</li>
<li>Any identified credentials are then exfiltrated by the attacker.</li>
<li>The attacker uses the stolen credentials to gain unauthorized access to systems, applications, or data.</li>
<li>The attacker may further escalate privileges and compromise other parts of the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, financial losses, reputational damage, and disruption of services. The &quot;Shai-Hulud&quot; campaign targeted GitHub and cloud credentials, potentially impacting numerous organizations that rely on these services. The number of affected organizations is difficult to quantify but given the widespread use of npm packages, the potential impact is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Script Interpreter Spawning Credential Scanner</code> to your SIEM to detect suspicious process creation events involving script interpreters and credential scanning tools.</li>
<li>Monitor process creation logs for script interpreters spawning child processes associated with credential scanning tools.</li>
<li>Implement strict input validation and sanitization practices to prevent the injection of malicious code into script interpreters.</li>
<li>Regularly scan your codebase and infrastructure for exposed secrets using dedicated secret scanning tools.</li>
<li>Enforce the principle of least privilege to limit the potential impact of compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>malware</category><category>windows</category></item></channel></rss>