T0148 - Scheduled tasks on self hosted runner

In this attack, the attacker gains access to a self-hosted runner, which is a server or a virtual machine that runs the CI/CD pipelines for an organization. Once access is gained, the attacker creates a scheduled task or job that runs at regular intervals, even after the initial attack has been detected and removed. The scheduled task or job can be programmed to perform a variety of malicious activities, such as downloading and executing additional malware or maintaining a persistent backdoor for future attacks.
ID: T0148
Type: Technique
Tactic: Persistence
Summary: Scheduled tasks on self hosted runner
State: Draft

Mitigations

ID: M1480
Type: Mitigation
Summary: Limit the privileges of the runner
Description: Restrict the permissions of the self-hosted runner to the minimum necessary for it to run the CI/CD pipelines. This can help prevent an attacker from using the runner to access sensitive data or execute malicious code.

ID: M1481
Type: Mitigation
Summary: Avoid using self-hosted runners for public repositories
Description: We recommend that you only use self-hosted runners with private repositories. This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow. This is not an issue with GitHub-hosted runners because each GitHub-hosted runner is always a clean isolated virtual machine, and it is destroyed at the end of the job execution.

Detections

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.

ID: D1590
Type: Detection
Summary: Implement continuous monitoring and logging of the CI/CD process
Description: Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
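
The baseline comparison described in D1590, applied to this technique's scheduled jobs, as an added example that is not OSC&R's own code. It assumes a Linux runner and read access to the watched paths; the path list, the function names and the cron entries in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: Linux runner; typical scheduled-job locations, adjust per host.
WATCHED = ["etc/crontab", "etc/cron.d", "var/spool/cron", "etc/systemd/system"]

def active_lines(text):
    """Drop blank and comment lines so cosmetic edits do not alert."""
    stripped = (line.strip() for line in text.splitlines())
    return [s for s in stripped if s and s[0] not in "#;"]

def snapshot(root="/"):
    """Map each file under WATCHED to a SHA-256 of its active lines."""
    root, snap = Path(root), {}
    for rel in WATCHED:
        base = root / rel
        found = [base, *(base.rglob("*") if base.is_dir() else [])]
        for f in sorted(p for p in found if p.is_file()):
            body = "\n".join(active_lines(f.read_text(errors="replace")))
            key = "/" + f.relative_to(root).as_posix()
            snap[key] = hashlib.sha256(body.encode()).hexdigest()
    return snap

def compare(baseline, current):
    """Report scheduled-job files that appeared, vanished or changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in current
                          if p in baseline and current[p] != baseline[p]),
    }

def demo():
    """Constructed runner tree: baseline, then a comment edit and a new job."""
    with tempfile.TemporaryDirectory() as tmp:
        cron = Path(tmp, "etc/cron.d")
        cron.mkdir(parents=True)
        job = "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
        (cron / "logrotate").write_text(job)
        baseline = snapshot(tmp)  # taken while the runner is known-good
        (cron / "logrotate").write_text("# reviewed\n" + job)  # cosmetic edit
        (cron / "sync").write_text("*/5 * * * * runner /opt/x/sync.sh\n")
        return compare(baseline, snapshot(tmp))

if __name__ == "__main__":
    print(demo())
```

Store the baseline off the runner, so that an attacker with access to the runner cannot rewrite it along with the schedule.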

References

  1. https://www.praetorian.com/blog/introducing-gato-for-ci-cd-exploitation/