
IBM reveals ways to use native source-code management functionality in attacks

Source-code management tools like GitHub can provide a way to install code en masse on every system that code reaches. ("GitHub Office" by DASPRiD is marked with CC BY 2.0.)

IBM’s pen testing group X-Force Red released a new source-code management (SCM) attack simulation toolkit Tuesday, with new research revealing ways to use native SCM functionality in attacks. 

Brett Hawkins of X-Force Red will present the research at Black Hat later in the week. 

Source-code management tools like GitHub are more than just a home to intellectual property. They are a way to install code en masse on every system that code reaches. Two of the most devastating attacks in history - NotPetya and SolarWinds - came out of malicious code inserted into updates, then distributed to clients. Sloppy SCM users sometimes leave API keys and passwords exposed in code, giving attackers who search SCM repositories for such secrets access to other systems; from there, SCM may be connected to other DevOps servers and become a pivot point.


“There's not really any research out there on attacking and defending these systems,” Hawkins told SC Media. 

At present, most attacks on SCM are by bad actors searching for interesting exposed files, repositories and content. But Hawkins developed more sophisticated attacks leading to privilege escalation, stealth and persistence to use in pen tests. 

That might mean using administrator access to create or duplicate tokens used to access the SCM. Alternatively, on GitHub, that might mean clicking a single button to impersonate users. 
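The two techniques above, token creation and user impersonation, leave traces in an SCM's audit log, which is where a defender would look for them. The following is an added example written for this page, not part of SCMKit or any vendor's tooling; the log layout, action names and all event lines are constructed assumptions loosely modelled on a JSON audit log and must be checked against your own platform's schema.

```python
# Added example: flag SCM audit-log events that match the persistence and
# impersonation techniques the article describes. Action names and the log
# layout are assumptions, not a documented schema; verify them against the
# audit-log reference of the SCM you actually run.
import json
from collections import Counter

# Event names to watch (assumed; adapt to your SCM's audit-log schema).
WATCHED_ACTIONS = {
    "oauth_access.create": "access token created",
    "staff.fake_login": "site admin signed in as another user",
}

# Constructed sample log (newline-delimited JSON); not real data.
SAMPLE_LOG = """\
{"action":"repo.push","actor":"alice","user":"alice","created_at":"2022-08-09T10:00:00Z"}
{"action":"oauth_access.create","actor":"alice","user":"alice","created_at":"2022-08-09T10:05:00Z"}
{"action":"oauth_access.create","actor":"admin-bob","user":"carol","created_at":"2022-08-09T10:07:00Z"}
{"action":"staff.fake_login","actor":"admin-bob","user":"carol","created_at":"2022-08-09T10:08:00Z"}
"""


def find_suspicious(log_text, watched=WATCHED_ACTIONS):
    """Return alerts for watched actions. A token minted by one account on
    behalf of a different account, or any impersonation, is rated high;
    self-service token creation is normal activity and rated low."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        action = ev.get("action")
        if action not in watched:
            continue
        actor, target = ev.get("actor"), ev.get("user")
        high = actor != target or action == "staff.fake_login"
        alerts.append({"time": ev.get("created_at"), "actor": actor,
                       "target": target, "action": action,
                       "severity": "high" if high else "low",
                       "note": watched[action]})
    return alerts


def actors_by_high_alerts(alerts):
    """Count high-severity alerts per actor, most active first."""
    return Counter(a["actor"] for a in alerts
                   if a["severity"] == "high").most_common()
```

On the sample log this flags the administrator who minted a token for another account and then impersonated that account, while the user creating a token for themself is recorded at low severity.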

Hawkins jammed his research and reconnaissance tools into SCMKit, the toolkit released Tuesday.  

“There's nothing out there that exists like SCMKit right now. It allows you to do a bunch of different attack scenarios including reconnaissance, privilege escalation, and persistence against GitHub Enterprise, GitLab Enterprise and Bitbucket,” said Hawkins. “I’m hoping to get some good feedback from the infosec community.”

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
