Wednesday 

Room 2 

13:40 - 14:40 

(UTC+01)

Talk (60 min)

GitHub Actions: Vulnerabilities, Attacks, and Counter-measures

More organizations are applying a DevOps methodology to optimize software development. One of the main tools used in this process is a continuous integration (CI) tool that automates the integration of code changes from multiple developers working on the same project.

In 2019, GitHub released its own CI tool called GitHub Actions. According to GitHub, GitHub Actions helps you automate tasks within your software development life cycle, and it has been gaining a lot of adoption among developers.

This talk demonstrates how GitHub Actions work and shows security measures to protect your Actions from misuse by attackers. First, we'll do a deep dive into the Runners, the servers provided by GitHub to run your Actions, and the risks of using them. Then, we'll show how attackers can leverage these runners to mine cryptocurrencies, pivot into other targets, and more. Lastly, we'll demonstrate how backdoors can be maliciously distributed into different repositories via the GitHub Actions Marketplace.

This presentation results from detailed research published earlier this year, in which the author investigated abuse scenarios such as attackers leveraging this free service to mine cryptocurrencies on their own behalf and on behalf of other users, among other attack vectors. We'll also demonstrate how to run interactive commands on the Runner servers via a reverse shell, which is not permitted through traditional means. Finally, we'll show the problem of third-party dependencies from the GitHub Actions Marketplace by demonstrating how easy it is to create a fake GitHub Action that, if unwittingly used by other projects, can make their runners act as bots targeting other victims and can even enable supply-chain attacks by tampering with the result of the pipeline.
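The third-party dependency problem described above has a standard defensive check: a workflow that pulls a Marketplace action by a tag or branch name will silently receive whatever that ref points to tomorrow, whereas a full 40-character commit SHA cannot be re-pointed. The script below is an added example written for this page, not code from the talk or from the linked research repositories; it scans a constructed workflow file for `uses:` entries and reports any third-party action (or `docker://` image) that is not pinned to an immutable digest. The set of owners treated as first-party (`actions`, `github`) is an assumption a real deployment would tune to its own allow-list.

```python
import re

# Constructed sample workflow for this example (not taken from the talk's repositories).
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-vendor/setup-tool@main          # mutable branch ref
      - uses: some-vendor/lint-action@v1.2.0        # tag, can be re-pointed
      - uses: some-vendor/release@2f4b5a7c1d9e0f3a6b8c7d5e4f3a2b1c0d9e8f7a  # full commit SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: make test
"""

# Matches `uses:` lines in a workflow; captures the target up to whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Assumption: owners the organisation treats as first-party and reviews separately.
FIRST_PARTY_OWNERS = {"actions", "github"}


def parse_uses(workflow_text):
    """Return every `uses:` target in the workflow, in file order."""
    targets = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if match:
            targets.append(match.group(1))
    return targets


def classify(uses):
    """Split a `uses:` value into (kind, owner, ref).

    kind is 'local' (./path), 'docker' (docker://image) or 'repo' (owner/name@ref).
    """
    if uses.startswith("./"):
        return ("local", None, None)
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        ref = image.split("@", 1)[1] if "@" in image else None
        return ("docker", None, ref)
    if "@" not in uses:
        # No ref at all: GitHub rejects this for repo actions, but flag it rather than crash.
        return ("repo", uses.split("/")[0], None)
    path, ref = uses.rsplit("@", 1)
    return ("repo", path.split("/")[0], ref)


def is_pinned(kind, ref):
    """True when the ref is immutable: a 40-hex commit SHA or an image digest."""
    if ref is None:
        return False
    if kind == "docker":
        return ref.startswith("sha256:")
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned(workflow_text, trusted_owners=FIRST_PARTY_OWNERS):
    """Return the `uses:` targets that depend on a mutable ref from an untrusted source."""
    findings = []
    for uses in parse_uses(workflow_text):
        kind, owner, ref = classify(uses)
        if kind == "local" or owner in trusted_owners:
            continue  # local composite actions and first-party owners are out of scope here
        if not is_pinned(kind, ref):
            findings.append(uses)
    return findings


if __name__ == "__main__":
    for target in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned third-party dependency: {target}")
```

Running the script against the constructed workflow reports the branch-pinned and tag-pinned vendor actions and the tag-only Docker image, while the SHA-pinned action, the local composite action and the first-party `actions/checkout` pass. Pinning is only half the control: the pinned SHA still has to be reviewed once, and a tool such as Dependabot is needed to move it deliberately rather than implicitly.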

Full research article:
https://research.trendmicro.com/GitHubActions

Research repositories:
https://github.com/magnologan/gha-test
https://github.com/magnologan/fake-gha

Magno Logan

Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container and Application Security Research, Threat Modelling and Red Teaming. He has been tapped as a resource speaker for numerous security conferences around the globe. He is also a member of the CNCF SIG-Security team.