Full Report
On 2022-10-26, research was reported describing initial access via software misconfiguration, using misconfigured GitHub runner abuse and targeting GitHub.
Analysis Summary
# Tool/Technique: Misconfigured GitHub Runner Abuse
## Overview
This technique involves exploiting security gaps in GitHub Actions self-hosted runners. Attackers leverage misconfigured CI/CD pipelines—specifically those that trigger on `pull_request_target` events or those with over-privileged secrets—to execute arbitrary code within the runner environment. The primary goal is often to steal secrets (API keys, cloud credentials), pivot into internal networks, or gain unauthorized access to the codebase.
## Technical Details
- **Type:** Technique / Supply Chain Attack
- **Platform:** Linux, macOS, Windows (GitHub Actions Environment)
- **Capabilities:** Execution of arbitrary shell commands, credential exfiltration, and lateral movement.
- **First Seen:** Reported in depth by security researchers around 2020-2021; specific research referenced: 2022-10-26.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
  - T1584.007 - Compromise Infrastructure: Serverless Infrastructure
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
- **TA0006 - Credential Access**
  - T1552 - Unsecured Credentials
- **TA0008 - Lateral Movement**
  - T1537 - Transfer Data to Cloud Account
## Functionality
### Core Capabilities
- **Command Injection:** Exploiting unsanitized input (like PR titles or branch names) passed directly into shell commands within a workflow.
- **Workflow Manipulation:** Submitting a malicious Pull Request that triggers a broad `pull_request_target` event, which runs with a high-privilege `GITHUB_TOKEN`.
- **Secret Exfiltration:** Accessing environment variables and GitHub Secrets via standard output or web requests.
### Advanced Features
- **Persistence via Runner Hijacking:** If using persistent self-hosted runners, attackers can install backdoors or loaders to maintain access to the underlying infrastructure.
- **Internal Network Pivoting:** Utilizing the runner's connection to internal corporate networks (common in self-hosted scenarios) to scan for local vulnerabilities.
## Indicators of Compromise
- **File Names:** `.github/workflows/*.yml` (modified or newly created workflows in PRs).
- **Network Indicators:**
  - Outbound traffic to unknown/third-party sites from runner IP addresses (e.g., `oast[.]me`, `webhook[.]site`).
  - Unexpected API calls to `api.github.com`.
- **Behavioral Indicators:**
  - Workflow runs triggered by first-time contributors containing `curl`, `wget`, or `base64` commands.
  - Modification of the `.github/workflows` directory by external contributors.
  - Unexpected process execution (e.g., `nmap`, `reverse shell` strings) within the runner container.
## Associated Threat Actors
- **General Cybercriminals:** Frequently used for crypto-mining (Action Hijacking).
- **Red Teams/Security Researchers:** (e.g., Cycode, Praetorian, and various independent bug bounty hunters).
- **Advanced Persistent Threats (APTs):** Increasingly targeting CI/CD pipelines for supply chain compromises (e.g., similar to SolarWinds/Codecov style movements).
## Detection Methods
- **Behavioral Detection:** Monitor CI/CD logs for anomalous commands in the "Run" steps of a workflow.
- **Log Analysis:** Audit GitHub Actions logs for `secret` redaction bypass attempts (e.g., piping secrets to `sed` or `base64`).
- **Policy Monitoring:** Use tools to detect when `pull_request_target` is used in conjunction with an explicit `checkout` of an untrusted PR head.
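
One way to implement the policy check described above, as an added example (not code from the referenced research or from any named tool): a standard-library Python heuristic that flags a `pull_request_target` workflow checking out the PR head, and untrusted PR fields interpolated into `run:` steps. The rule names, regex patterns and sample workflow are assumptions constructed for illustration; it is a line-based scan, not a full YAML parse.

```python
import re

# Constructed sample workflow (not from a real repository).
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: echo "Testing ${{ github.event.pull_request.title }}"
      - run: make test
"""

# Heuristic line patterns (assumptions of this sketch, not a full YAML parse).
TRIGGER = re.compile(r"^\s*(on\s*:.*\bpull_request_target\b|-?\s*pull_request_target\s*:?\s*$)")
CHECKOUT = re.compile(r"uses\s*:\s*actions/checkout@")
PR_HEAD = re.compile(r"\$\{\{[^}]*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.pull_request\.(title|body|head\.ref)|head_ref)\s*\}\}")

def scan_workflow(text):
    """Return (line_no, rule, line) findings for one workflow file's text."""
    lines = text.splitlines()
    targeted = any(TRIGGER.search(l) for l in lines)
    findings, in_checkout, run_col = [], False, None
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent <= run_col:
            run_col = None                      # left the previous run: block
        new_step = stripped.startswith("- ")
        key = stripped[2:].lstrip() if new_step else stripped
        in_checkout = in_checkout and not new_step  # checkout scope ends at next step
        if CHECKOUT.match(key):
            in_checkout = True
        elif targeted and in_checkout and key.startswith("ref:") and PR_HEAD.search(key):
            findings.append((no, "pr-head-checkout", stripped))
        if key.startswith("run:"):
            run_col = indent + len(stripped) - len(key)  # column of the run: key
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((no, "expr-in-run", stripped))
    return findings
```

Passing the PR title through an `env:` entry and referencing it as a shell variable, instead of interpolating the expression inside `run:`, produces no `expr-in-run` finding.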
## Mitigation Strategies
- **Hardening recommendations:**
  - Avoid using `pull_request_target` for workflows that require an explicit code checkout from the PR.
  - Require approval for all outside collaborators before running workflows.
  - Follow the principle of least privilege for `GITHUB_TOKEN` (set to `contents: read` by default).
  - Use ephemeral (non-persistent) runners/containers to ensure a clean state for every job.
- **Prevention measures:** Implement "Open Policy Agent" (OPA) or similar tools to scan workflow files for security misconfigurations before they are committed.
## Related Tools/Techniques
- **GitHub-Self-Hosted-Runner-Security:** General category of exploits targeting local runner agents.
- **Poisoned Pipeline Execution (PPE):** The broader category of CI/CD exploitation.
- **Living off the Pipeline:** Using built-in CI/CD tools to perform malicious actions.