Yakir Kadkoda

Tel Aviv District, Israel

About

Passionate about researching and uncovering vulnerabilities and threats across various…


Experience & Education

  • Aqua Security


Publications

  • AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover

    Aqua blog

    We uncovered a security issue in the AWS Cloud Development Kit (CDK) that allows attackers to exploit missing S3 buckets for account takeovers. This finding underscores the importance of avoiding predictable bucket names and protecting your AWS account ID.

    https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.html

  • Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources

    Aqua Blog

    We uncovered six severe vulnerabilities in AWS services that exploited predictable S3 bucket names. These vulnerabilities allowed attackers to intercept and manipulate service resources, potentially leading to full account takeovers (depending on the service role's permissions):
    1. CloudFormation: Allowed attackers to execute remote code and manipulate data, potentially leading to a full account takeover.
    2. Glue: Enabled remote code execution and data exfiltration by injecting malicious code into ETL jobs.
    3. EMR: Made it possible for attackers to inject malicious code into Jupyter notebooks, leading to RCE/XSS.
    4. SageMaker: Allowed data leakage and manipulation, which could alter machine learning model outputs and expose sensitive information.
    5. ServiceCatalog: Allowed attackers to inject resources into CloudFormation templates, deploying malicious components or unauthorized admin roles.
    6. CodeStar: Facilitated denial of service (DoS) attacks by blocking legitimate service use.

    In four out of these six vulnerabilities, attackers needed only the victim's account ID to execute the exploit. This highlights the importance of treating AWS account IDs as confidential information.

    Our blog details these vulnerabilities, describing the "Shadow Resource" attack vector and the "Bucket Monopoly" technique. AWS has fixed these vulnerabilities, but similar attack vectors may still exist in open-source projects and other scenarios.

  • Phantom Secrets

    Aqua blog

    In this research, we have identified new findings and categorized secrets into three distinct categories, shedding light on how secrets can remain hidden within codebases due to blind spots in secret scanning tools, design choices of Git and SCM platforms, and sometimes even edge cases:
    - Secrets accessible via git clone.
    - Secrets accessible only via git clone --mirror.
    - Secrets accessible only through the Cached View of SCM.

    We have extended past research in the field, enriching it with additional findings and more context, while also overcoming limitations identified in previous studies.
    Utilizing the strategies outlined in our blog, we uncovered:
    - Internal infrastructure tokens of Mozilla's fuzzing infrastructure, revealing numerous potential security vulnerabilities within the Firefox and Tor projects.
    - Meraki API tokens used by some Fortune 500 companies, which grant access to network devices, SNMP secrets, camera footage, and more.
    - Access to Mozilla's telemetry dashboard, which contains aggregated data from Firefox users.
    - Azure Service tokens from a major healthcare company, granting us access to their Azure Kubernetes Service (AKS), Azure Container Registry (ACR), and more.

    After scanning the top 100 organizations on GitHub, which collectively contain more than 50,000 repositories, we found that if organizations only use conventional approaches to scan their repositories, they will miss about 18 percent of the potential exposed secrets in their codebase.

    https://thehackernews.com/2024/07/critical-vulnerabilities-disclosed-in.html

  • Employee Personal GitHub Repos Expose Internal Azure and Red Hat Secrets

    Aqua blog

    In this blog, we show that a significant number of corporate secrets are being exposed via employees' personal GitHub repositories rather than official company accounts, which should be treated as shadow IT. Nearly 75% of these exposed secrets were located in personal repositories, leading to serious security incidents. Notably, an employee's personal GitHub repository compromised Azure's Internal Container Registry, posing significant risks to Microsoft and its Azure users. The study underscores the importance of companies encouraging employees to scan their personal repositories for sensitive information.

    https://hackread.com/shadow-it-github-repos-employee-cloud-secrets/

  • Deceptive Deprecation: The Truth About npm Deprecated Packages

    Aqua blog

    We scanned the top 50,000 npm packages for vulnerabilities using Semgrep and observed a concerning trend: when vulnerabilities were reported, developers archived their repositories instead of fixing the issues, and did not mark the package as deprecated on npm. This behavior led to a discrepancy between a package's official deprecation status on npm and its actual deprecation.

    While officially only 8.2% of popular npm packages are deprecated, our study suggests the real number is closer to 21.2%. This highlights a potential risk for users, as some packages are deprecated without properly addressing security vulnerabilities.

    We have also released an open-source tool that can scan your package.json file.

    https://www.scmagazine.com/news/npm-registry-users-download-2-1b-deprecated-packages-weekly-researchers-say
    https://www.csoonline.com/article/1294978/deprecated-npm-packages-that-appear-active-present-open-source-risk.html

  • Exposed Kubernetes Secrets - Critical Threat for Supply Chain Attack

    Aqua blog

    Exposed Kubernetes secrets pose a critical supply chain attack threat. We found that the exposed Kubernetes secrets of hundreds of organizations and open-source projects allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat. Among the affected companies were SAP’s Artifacts management system with over 95 million, two top blockchain companies, and various other Fortune 500 companies. These encoded Kubernetes configuration secrets were uploaded to public repositories. In this blog we explore the inherent risks of mismanaged Kubernetes Secrets, the inefficacy of common secret scanners in detecting such exposures, the reality in the wild, and the possible impact of this exposure.

    https://thehackernews.com/2023/11/kubernetes-secrets-of-fortune-500.html
    https://www.scmagazine.com/brief/exposed-kubernetes-secrets-pose-significant-supply-chain-threat

  • 50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures

    Aqua Blog

    We evaluated the vulnerability disclosure process for tens of thousands of open-source projects and found flaws in the process. These flaws allowed harvesting the vulnerabilities before they were patched and announced. This could enable attackers to exploit security holes before the project's users are alerted.
    By conducting an extensive analysis of commits, pull requests, and issues on GitHub, and extracting insights from the National Vulnerability Database (NVD) dataset, this research yielded many findings. In this blog we shed light on our work, the process and research methods, highlight the stages of vulnerability discovery, and discuss the gravity of early exposure of vulnerabilities in open-source projects.

    https://www.helpnetsecurity.com/2023/11/09/open-source-vulnerability-disclosure-process-flaws/
    https://www.scmagazine.com/podcast-segment/12189-ssh-under-attack-iot-routers-ble-spam-patching-a-house-of-cards-psw-807

  • PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks

    Aqua blog

    We have exposed significant flaws that are still active in the PowerShell Gallery's policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. Consequently, these flaws pave the way for potential supply chain attacks on the registry's vast user base.

    PowerShell Gallery modules are commonly used as part of the cloud deployment process, especially popular around AWS and Azure, to interact with and manage cloud resources. Therefore, the installation of a malicious module could be fatal to organizations.

    Moreover, attackers can exploit another flaw, allowing them to discover unlisted packages and uncover deleted secrets within the registry, which users attempt to hide by unlisting their packages.

    These findings have enabled us to create a proof of concept (POC) and mimic popular Microsoft PowerShell modules, which have been downloaded millions of times. These forged modules have been downloaded by various organizations across a range of cloud services.

    Despite reporting the flaws to the Microsoft Security Response Center on two separate occasions, with confirmation of the reported behavior and claims of ongoing fixes, as of August 2023, the issues remain reproducible, indicating that no tangible changes have been implemented.

    https://thehackernews.com/2023/08/experts-uncover-weaknesses-in.html

    https://www.theregister.com/2023/08/16/microsoft_powershell_gallery_flaws/

    https://www.scmagazine.com/news/flaws-in-microsofts-powershell-gallery-may-cause-supply-chain-attacks

  • GitHub Dataset Reveals Millions Potentially Vulnerable to RepoJacking

    Aqua Blog

    Millions of GitHub repositories are potentially vulnerable to RepoJacking. This research sheds light on the extent of RepoJacking, which, if exploited, may lead to code execution on organizations’ internal environments or on their customers’ environments.
    As part of our research, we found an enormous source of data that allowed us to sample a dataset and find some highly popular targets.

    https://thehackernews.com/2023/06/alert-million-of-github-repositories.html
    https://www.bleepingcomputer.com/news/security/millions-of-github-repos-likely-vulnerable-to-repojacking-researchers-say/
    https://www.darkreading.com/application-security/millions-of-repos-on-github-are-potentially-vulnerable-to-hijacking

  • CVE-2023-27898, CVE-2023-27905 - CorePlague: Critical Vulnerabilities in Jenkins Server Lead to RCE

    Aqua Blog

    We have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server.
    Furthermore, these vulnerabilities could be exploited even if the Jenkins server is not directly reachable by attackers and could also impact self-hosted Jenkins servers.

    https://thehackernews.com/2023/03/jenkins-security-alert-new-security.html

  • VSCode Supply Chain Attacks: Protect Your IDE from Malicious Extensions

    Aqua Blog

    Aqua Nautilus researchers have recently discovered that attackers can easily impersonate popular Visual Studio Code extensions and trick unknowing developers into downloading them. In original vulnerability research, we’ve uncovered a new attack method which could act as an entry point for an attack on many organizations. We’ve also discovered that some extensions may already have been exploiting this attack vector. In this blog, we will further explore our findings, including a POC we uploaded to the Marketplace, and break down how we conducted this research.

    https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html

  • Private npm Packages Disclosed via Timing Attacks

    Aqua Blog

    The npm API allows threat actors to execute a timing attack that can detect whether private packages exist on the package manager. By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then publish public packages that masquerade as them, tricking employees and users into downloading them.

    https://thehackernews.com/2022/10/new-timing-attack-against-npm-registry.html

    https://www.bleepingcomputer.com/news/security/new-npm-timing-attack-could-lead-to-supply-chain-attacks/

    https://www.darkreading.com/application-security/novel-npm-timing-attack-allows-corporate-targeting

  • CVE-2022-32223

    Aqua Blog

    Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host.

    https://portswigger.net/daily-swig/node-js-fixes-multiple-bugs-that-could-lead-to-rce-http-request-smuggling

  • Exposed Travis CI API Leaves All Free-Tier Users Open to Attack

    Aqua Blog

    We found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access clear-text logs.
    More than 770 million logs of users are accessible, from which attackers can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub. Attackers can use this sensitive data to launch massive cyberattacks and to move laterally in the cloud.

    https://arstechnica.com/information-technology/2022/06/credentials-for-thousands-of-open-source-projects-free-for-the-taking-again/

    https://www.darkreading.com/threat-intelligence/exposed-travis-ci-api-leaves-all-free-tier-users-open-to-attack

    https://thehackernews.com/2022/06/unpatched-travis-ci-api-bug-exposes.html

    https://www.theregister.com/2022/06/14/travis_ci_exposes_free_tier/

  • CIS Software Supply Chain Security

    CIS

    CIS partnered with Aqua Security to develop the Software Supply Chain Guide, which is intended for DevOps and application security administrators, security specialists, auditors, help desks, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions to build and deploy software updates through automated means of DevOps pipelines.

    This Guide was created using a consensus review process composed of a global community of subject matter experts. The process combines real-world experience with data-based information to create technology-specific guidance that assists users in securing their environments. Consensus participants provide perspectives from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

  • Package Planting: Are You [Unknowingly] Maintaining Poisoned Packages?

    Aqua Blog

    A "logical flaw" has been disclosed in the npm package manager that allowed attackers to pass off malicious libraries as legitimate by adding notable developers as contributors without their knowledge, tricking unsuspecting devs into installing them.

    https://thehackernews.com/2022/04/npm-bug-allowed-attackers-to-distribute.html

    https://portswigger.net/daily-swig/poisoned-packages-npm-developer-reputations-could-be-leveraged-to-legitimize-malicious-software

    https://www.bleepingcomputer.com/news/security/npm-flaw-let-attackers-add-anyone-as-maintainer-to-malicious-packages/

  • The Security Risks of Open Source Dependencies and Some npm Flaws That Leverage Them

    Aqua Blog

    For the past few years, cybercriminals have been hijacking popular npm packages by taking over maintainers’ accounts. As part of our research at Team Nautilus, we discovered two flaws in the npm platform related to two-factor authentication (2FA). An attacker can use these flaws to target npm packages for account takeover attacks. We reported these findings to the npm team (GitHub), which quickly fixed the underlying security gaps.

    However, our analysis shows that 32% of the top 35 npm packages are still at risk of account takeover. This can allow attackers to poison the root package or other npm packages that depend on those popular packages and, as a result, affect millions of npm users.

    https://www.helpnetsecurity.com/2022/04/14/new-npm-flaws-video/


Honors & Awards

  • Speaker at SecTor

    SecTor

    https://www.blackhat.com/sector/2024/briefings/schedule/index.html#breaching-aws-accounts-through-shadow-resources-40850

    https://www.blackhat.com/sector/2024/arsenal/schedule/index.html#cve-half-day-watcher-hunting-down-vulnerabilities-before-the-patch-drops-40976

  • Speaker at BlackHat USA 24

    Blackhat

    https://www.blackhat.com/us-24/briefings/schedule/index.html#breaching-aws-accounts-through-shadow-resources-39706

    https://www.blackhat.com/us-24/arsenal/schedule/#cve-half-day-watcher-hunting-down-vulnerabilities-before-the-patch-drops-39634

  • Speaker at DEFCON 32

    DEFCON

    https://defcon.org/html/defcon-32/dc-32-speakers.html

  • Speaker at CloudNativeSecurityCon North America 2024

    CNCF

    https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/program/schedule/

  • Speaker at BlackHat Asia 2023

    BlackHat

    https://www.blackhat.com/asia-23/briefings/schedule/#breaking-the-chain-an-attacker39s-perspective-on-supply-chain-vulnerabilities-and-flaws-30063

  • Speaker at RSA USA 2023

    RSA

    https://www.youtube.com/watch?v=TuXrbjkoRbo&t=1760s&ab_channel=RSAConference

  • Speaker at STACK 2022

    STACK 2022

    https://www.developer.tech.gov.sg/communities/events/conferences/stack-2022-developer-conference/recordings/all-recordings.html

  • CyberScoop 2022 - Most Inspiring Up & Comers

    CyberScoop

    https://cyberscoop.com/2022-cyberscoop-50-award-winners/

Languages

  • English

  • Hebrew
