
GitHub Awards $25,000 Bug Bounty to Google Employee


GitHub awarded $25,000 to security researcher Teddy Katz for discovering and reporting a vulnerability that GitHub has since patched. On March 17, bug bounty hunter and Google employee Teddy Katz published a write-up of a flaw in how GitHub's workflow automation service, GitHub Actions, handled pull requests.

The flaw was tracked as CVE-2022-22862 and was reported as an improper access control vulnerability that "allowed an authenticated user with the ability to fork a repository to disclose Action secrets for the parent repository of the fork."

Katz looked at how GitHub handles pull requests. Every pull request has a base branch, usually the repository's main branch, and the pull request creator chooses where that base pointer goes. Katz found that the base could also be set to a raw commit hash instead of a branch name. On its own this only produced errors from merge conflicts, but combined with GitHub Actions it became something far more dangerous.

GitHub Actions runs workflows triggered by pull_request_target in the context of the base branch rather than the pull request head, which is meant to keep pull request creators from reaching the repository's secrets. Because the base could point at an attacker-controlled commit, Katz said this "breaks the GitHub Actions permission model" and bypasses the restriction on Actions secrets.

“Since the base branch is part of the base repository itself and not part of a fork, workflows triggered by pull_request_target are trusted and run with access to secrets. We just created a pull request where the base branch is a commit hash, not a branch. And anyone can create a new commit hash in the base repository since GitHub shares commits between forks,” Katz explained. 

An attacker could fork a public repository that uses GitHub Actions, push a commit containing a malicious workflow to the fork, and then open a pull request whose base is that commit hash rather than a branch. The malicious workflow would then run as trusted and gain access to the parent repository's secrets.

“It would be difficult to conceal the malware for long – the malicious package would almost certainly be unpublished in a matter of hours or days depending on how fast the maintainers/npm security team were able to respond. Once it was exploited like this, the underlying GitHub vulnerability would probably have been noticed and fixed as well,” Katz stated.
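The exposure Katz describes depends on a repository having workflows that run on pull_request_target and reference secrets. The script below is an added example, not code from the page, from GitHub or from Katz: it triages a repository's workflow files with regular expressions (a YAML subset, not a full parser) and lists which workflows would have handed their secrets to a workflow running against an attacker-controlled base commit. It does not detect the server-side base-ref bug itself, which GitHub fixed. The three sample workflows and the secret name NPM_TOKEN are constructed for the example.

```python
"""Triage GitHub Actions workflow files for pull_request_target exposure.

Added example: regex-based YAML triage, not a YAML parser. It lists workflows
that run on pull_request_target (trusted, with the base repository's secrets)
and reference secrets; it does not detect the server-side bug the post covers.
"""
import re
from dataclasses import dataclass

# A top-level YAML key at column 0, e.g. "name:", "on:", "jobs:".
TOP_KEY = re.compile(r"^(?P<key>[A-Za-z_][\w-]*)\s*:", re.M)
# Secrets referenced through the expression syntax: ${{ secrets.NAME }}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Event names recognised inside the `on:` block; pull_request_target is listed
# before pull_request so the alternation prefers the longer name.
EVENT_NAME = re.compile(
    r"\b(pull_request_target|pull_request|push|workflow_dispatch|schedule|release)\b"
)
# Explicit checkout of the pull request head inside a trusted workflow.
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


@dataclass
class Finding:
    path: str
    triggers: list
    secrets: list
    checks_out_pr_head: bool
    exposed: bool


def on_block(text: str) -> str:
    """Return the raw text of the top-level `on:` mapping (empty if absent)."""
    keys = list(TOP_KEY.finditer(text))
    for i, m in enumerate(keys):
        if m.group("key") == "on":
            end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
            return text[m.end():end]
    return ""


def audit_workflow(path: str, text: str) -> Finding:
    """Classify one workflow file by trigger, secret use and PR-head checkout."""
    triggers = sorted(set(EVENT_NAME.findall(on_block(text))))
    secrets = sorted(set(SECRET_REF.findall(text)))
    checks_out_pr_head = HEAD_CHECKOUT.search(text) is not None
    # pull_request_target workflows run trusted with the base repository's
    # secrets even when the event came from a fork: that combination is what
    # an attacker-controlled base commit turned into a secret leak.
    exposed = "pull_request_target" in triggers and bool(secrets)
    return Finding(path, triggers, secrets, checks_out_pr_head, exposed)


def exposed_paths(workflows: dict) -> list:
    """Paths of workflows that run on pull_request_target and use secrets."""
    findings = (audit_workflow(p, t) for p, t in workflows.items())
    return [f.path for f in findings if f.exposed]


# Constructed sample workflows (hypothetical; not from any real repository).
SAMPLE_WORKFLOWS = {
    # Untrusted trigger: runs in the fork's context without secrets.
    ".github/workflows/ci.yml": """\
name: CI
on:
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
""",
    # Trusted trigger plus a publishing token: the exposed combination.
    ".github/workflows/preview.yml": """\
name: Preview publish
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm publish --tag pr-${{ github.event.number }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
    # Uses the same secret but only on pushed tags, not on pull requests.
    ".github/workflows/release.yml": """\
name: Release
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
}

if __name__ == "__main__":
    for path, text in SAMPLE_WORKFLOWS.items():
        print(audit_workflow(path, text))
    print("exposed:", exposed_paths(SAMPLE_WORKFLOWS))
```

Run against a checkout of a repository by reading every file under .github/workflows into the dictionary. Only preview.yml is reported as exposed: release.yml uses the same token but never runs on a pull request event, and ci.yml runs on pull_request, which is untrusted and gets no secrets. The checks_out_pr_head flag is reported separately because checking out the fork's head inside a pull_request_target workflow is a distinct, configuration-level way to hand secrets to a contributor, independent of the base-ref bug.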

Private Information of 50,000 French Healthcare Workers Stolen


French authorities discovered a trove of stolen credentials on the dark web, apparently belonging to healthcare workers. The authorities have alerted the health sector and advised organizations to remain vigilant. In recent weeks, threat actors have attacked several French hospitals, including hospitals in Dax and Villefranche-sur-Saone.

The French Ministry of Social Affairs and Health issued an alert this week stating that the French computer emergency response team had notified it of the sale, on a cybercriminal platform, of a list of 50,000 user accounts containing login/password pairs apparently belonging to French healthcare workers.

The alert notes that "it is difficult to accurately describe the origin of this leak, but the impact that the use of agents' login/password pairs can have on the security of institutions' information systems is easier to assess. That includes attempts to connect to remote means of access, such as Outlook Web Access and VPN. Once the connection is successful, attackers can use all the resources allocated to the compromised account to break into the information system."

The French health ministry also acknowledged that several healthcare facilities in the country have been attacked with Emotet, TrickBot, and Ryuk, adding that "particular attention should be paid to this because these three malware families are used in complex chains of attacks that have a strong impact on the activity of victims. Scan campaigns from the infrastructure of TA505 (Clop ransomware activity cluster) and UNC1878 (Ryuk ransomware activity cluster) targeting health facilities were also reported."

Mutuelle Nationale des Hospitaliers (MNH), the latest victim of a ransomware attack, stated: "We spotted an intrusion into our data system on February 5 and our cybersecurity team quickly determined the potency of the cyber-attack. The computer systems were taken offline to negate the spread of the virus and to shield the personal information of our members, staff, and our partners."

Healthcare organizations are being targeted in the same way in other countries as well. For instance, last week it was reported from South Korea that threat actors had attempted to steal COVID-19 vaccine and treatment data from pharmaceutical maker Pfizer.

Bitcoin Slips 17% to $45,000 as Caution Sweeps Over Crypto


Bitcoin, the world's largest cryptocurrency, slumped as much as 17 percent to $45,000 on Tuesday, reviving investor concerns over its sky-high valuation and its volatility in an unpredictable market. The cryptocurrency traded 13% lower, at $47,608.24, as of 11:45 p.m. in New York.

The value of the cryptocurrency has soared in 2021, with the price more than doubling this year to reach a record $58,350.41. Tesla, led by CEO Elon Musk, invested $1.5 billion in bitcoin this month and helped push its price above $50,000, but that investment may now put pressure on Tesla's stock price, which has become sensitive to movements in bitcoin.

Craig Erlam, senior market analyst at OANDA, stated that "the kind of rallies we've been seeing aren't sustainable and just invite pullbacks like this." Ether, the world's second-largest cryptocurrency by market capitalization, also slumped more than 17% and last traded at $1,461, down almost 30% from last week's record high.

According to CoinDesk, bitcoin hit $1 trillion in market value last week for the first time in its history, though it has now slumped below $900 billion. Its value was lifted by news that Wall Street banks and large firms such as Mastercard and Tesla were embracing it. According to an online tool from researchers at Cambridge University, bitcoin's network consumes more electricity than Pakistan, which has raised environmental concerns as well.

Meanwhile, Sumit Gupta, co-founder and CEO of CoinDCX, said that "after reaching an all-time high of $58,000, Bitcoin saw a price correction today. This was expected as markets go through such correction cycles. However, the market showed signs of recovery after falling nearly 17%. Investments in Bitcoin, like any other asset, should be from a long-term perspective as the fundamentals are still going strong. Hence it is advised that investors buy the dips and hold with a long-term perspective."