Github Actions supply chain attack. Wiz acquired for $32B. Taking a short break.  

News

Hi folks.

I hope the week's email finds you well! :-) There's some valuable lessons on Github Actions, and an eye-watering $32B acquisition by Google. I hope you enjoy the read!

I'll be pausing the newsletter for about two months. There's a big maintenance window coming up at the powerplant where I work, which requires all hands on deck, and after that we're moving house. When all that is done, I'll be back :-) Cheers!

Dieter Van der Stock

Github Actions supply chain attack

A re-usable Github action building block, 'tj-actions/changed-files', which is used by 23,000 repositories, was hijacked. The attackers injected code that dumped CI secrets as a readable file in the affected Github repository. The impact is somewhat limited though, with "only" 218 repositories actually ending up exposing secrets.

If you use Github actions yourself it's a very worthwhile read to extract some lessons from. Like for example not pinning your actions to certain versions, because those can still be changed. Instead it is recommended to pin them to specific commit hashes.

Three articles that explain it well, in chronological order:

  • Supply chain attack on popular GitHub Action exposes CI/CD secrets: link.
  • GitHub Action hack likely led to another in cascading supply chain attack: link.
  • GitHub Action supply chain attack exposed secrets in 218 repos: link.

Google acquires Wiz for $32 billion

That's a lot of money. Wiz rejected a previous $23B bid less than a year ago, and its last funding round valued it at $12B. That's a nice return on investment. Google plans to integrate Wiz's services into a number of Google services, but promises that Wiz itself will remain a multi-platform solution, not just focusing on Google Cloud.

cyberscoop.com

Microsoft apologizes for removing VSCode extensions used by millions

Microsoft has reinstated the Material Theme extensions on the Visual Studio Marketplace after finding that the obfuscated code they contained wasn't actually malicious. That's a relief.

Although, before you get too comfortable with VSCode extensions, there were also some new extensions found to be actually malicious, downloading early stages of ransomware: link.

bleepingcomputer.com

Critical AMI MegaRAC bug can let attackers hijack, brick servers

From the article: "MegaRAC BMC (Baseboard Management Controller) provides "lights-out" and "out-of-band" remote system management capabilities that help admins troubleshoot servers as if they were physically in front of the devices. The firmware is used by over a dozen server vendors that provide equipment to many cloud service and data center providers, including HPE, Asus, ASRock, and others."

The vulnerability allows remote attackers to access the management interface and do all kinds of bad stuff with them. Worth checking up on if you use these BMC's.

bleepingcomputer.com

Quick links

  • New Windows zero-day exploited by 11 state hacking groups since 2017: link.
  • Sperm donation giant California Cryobank warns of a data breach: link.
  • Veeam RCE bug lets domain users hack backup servers, patch now: link.
  • Critical RCE flaw in Apache Tomcat actively exploited in attacks: link.
  • GitLab patches critical authentication bypass vulnerabilities: link.

1Password for developers: secrets, SSH keys, and more

I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords, it also hold your SSH keys, signs your Git commits, injects token and other secrets in CLI scripts when you want, and much more. (Sponsored)

1password.com

No spam, ever. We'll never share your email address and you can opt out at any time.