CTI Roundup: 12 Million Secrets and Keys Leak on GitHub

In this week’s roundup, CTI looks at a recent BianLian ransomware attack that exploited known vulnerabilities in JetBrains TeamCity software. Next, CTI explores how ransomware attacks are continuing to occur at a rapid pace despite a slight decrease in attacks in the fourth quarter of 2023.

Finally, CTI provides key findings from the latest GitGuardians State of Secrets Sprawl report.

1. BianLian threat actors exploit JetBrains TeamCity flaws

The BianLian ransomware operation is now exploiting known vulnerabilities in JetBrains TeamCity software for extortion-only attacks. The latest attacks began by exploiting these vulnerabilities and ended in the deployment of a PowerShell implementation of BianLian’s backdoor.

BrianLian Initial access

BianLian gained access into the victim’s environment through a vulnerable TeamCity Server, leveraging CVE-2024-27198 and CVE-2024-42793.

The group created users in TeamCity and executed malicious commands under the product’s service account. After obtaining initial access the threat actor used Windows native commands to identify additional infrastructure. This allowed them to discover two build servers that were good candidates for additional exploitation.

winpty-agent.exe and winpty.dll were used to remotely run commands on these servers, resulting in the deployment of additional tools. One such additional tool deployed was a PowerShell script, web.ps1. Other tools needed to communicate with the C2 server and tools to dump credentials were also deployed.

Pivoting to PowerShell

The threat actor attempted to execute the Go backdoor that they typically use multiple times, failing each round. After several failures, the threat actor decided to pivot to a PowerShell implementation of the backdoor, which operated very similarly to their traditional Go backdoor.

After deobfuscating the PowerShell script, GuidePoint was able to analyze it. One component within the script is the cakes function, which was used to resolve an IP address depending on what it was provided as a parameter. Once the IP address is confirmed, it is used to establish a TCP socket for communication.

There was also a cookies function that was used for most network connection management and some execution performed by the backdoor itself. By this point, researchers were able to determine that the backdoor’s purpose is to enable a remote attacker to conduct operations arbitrarily and in a similar fashion as the Go variant.

The culprit: BianLian

GuidePoint attributed this attack to BianLian from the last line of the PowerShell script, which revealed the calling of the cookies function with specific parameters specified.

After converting this, an IP address was revealed. This IP address had been previously associated with a server running a BianLian Go backdoor as recently as March 6, 2024.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This is not the first time we’ve reported on BianLian. BianLian is known to use custom Go backdoors that are tailored to each victim, which proves how capable they are of adapting. This latest attack proves their adaptability even further as they were able to pivot to a PowerShell / LotL technique quickly after realizing the planned Go backdoor was not successful.

As this example demonstrates, threat actors are increasingly proving their ability to keep up with evolving environments, especially as it relates to new vulnerabilities.

2. Ransomware attacks continue to accelerate

According to Symantec, ransomware attacks are continuing to occur at a rapid pace despite the slight decrease in attacks in the fourth quarter of 2023.

The latest research indicates ransomware threat actors are becoming better at adapting and refining their TTPs to respond to disruptions from law enforcement. Evidence suggests that vulnerability exploitation is now the main infection vector for ransomware attacks.

Key findings from Symantec’s report

Based on Symantec’s analysis of ransomware leak sites, there were roughly 4,700 victims of ransomware in 2023 and 2,800 victims in 2022. While there was a slight decrease in attacks during the last quarter of 2023, attacks overall were still up compared to prior years.

One reason behind this increase is the fact that ransomware threat actors are strategically adapting their TTPs to respond to various disruptions and takedowns and continue their objectives.

Symantec notes a disparity between the number of victims claimed on ransomware leak sites and the actual ransomware activity they investigated. Based on their collected data, the Noberus ransomware threat actor was responsible for a greater percentage of attacks.

Top ransomware vectors

Threat actors are turning to vulnerability exploitation as a means of initial access for ransomware attacks.

Some of the most exploited vulnerabilities last year that resulted in ransomware attacks include:

• CVE-2022-47966: ZOHO ManageEngine
• Various Microsoft Exchange Server vulnerabilities
• CVE-2023-2966: Citrix NetScaler ADC and NetScaler Gateway
• CVE-2023-20269: Cisco ASA and Cisco FTD VPN

Tooling

Threat actors are growing their portfolios to include custom and dual-use tools to evade detection. Ransomware actors are also pivoting to leverage the bring your own vulnerable driver (BYOVD) technique more frequently.

Some of the tools seen in recent ransomware attacks include:

• HopToDesk: A publicly available remote desktop tool. AnyDesk and Atera are also commonly used.
• TrueSightKiller: A publicly available tool that makes use of the BYOVD technique and disables security software.
• GhostDriver: A tool that makes use of the BYOVD technique and disables AV.
• StealBit: A custom data exfiltration tool; associated with LockBit.

Techniques

Symantec mentioned two noteworthy techniques that are now being used in ransomware attacks.

1. The first is esentutl, which involves dumping credentials via a Windows command line tool. This technique is now being used to dump credentials from browsers.
2. The other technique is the use of malicious tools to obtain and decrypt user credentials that are stored via Microsoft’s Data Protection API.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Ransomware isn’t going away anytime soon. While disruptions from law enforcement may cause a temporary drop in ransomware attacks, it is not enough to diminish the threat that ransomware actors pose.

This is not to say that the efforts by law enforcement are a waste of time. Oftentimes, they damage the threat actor’s reputation and/or infrastructure. Further, the mounds of public reporting on various ransomware attacks, while helpful to defenders, only drive threat actors to look for new techniques, hence their ability to quickly pivot and adapt.

3. More than 12 million secrets and keys leak on GitHub

According to GitGuardian’s State of Secrets Sprawl report, more than 12.8 million authentication and sensitive secrets across 3 million public repositories were exposed by GitHub users in 2023.

The exposed secrets include account passwords, API keys, TLS/SSL certs, encryption keys, cloud service credentials, OAuth tokens, and other data. What’s more, most of the secrets and keys were still valid five days after becoming aware of the exposure.

Noteworthy findings

Hard-coded credentials have been a root cause of security incidents for quite some time. GitGuardian has been tracking and reporting hard-coded secrets since 2020, finding that there was a 28% increase in secrets detected on GitHub from 2022 to 2023.

Researchers also found that 90% of exposed valid secrets remain active for five days after the author receives a notification. GitGuardian sent out 1.8 million email alerts last year that identified an exposed secret, of which only 33,242 were revoked within five days. This statistic emphasizes the fact that remediation is just as, if not more, important than detecting such activity.

GitGuardian broke their data down further to identify the countries and sectors with the most leaks. India was the country with the most leaks followed by the U.S. and Brazil. The IT sector accounted for 65.9% of the leaks.

Their data was again broken down into specific vs. generic secrets, finding that specific secrets accounted for the majority. Looking closer at these specific secrets, they identified over a million valid Google API secrets, 250,000 Google Cloud, and 140,000 AWS IAM.

What happens after secret leaks?

Once a secret is leaked, it is critical that it quickly gets revoked to avoid further impact. As noted, greater than 90% of the secrets identified by GitGuardian were still valid several days later. Further, only 2.6% of the secrets were revoked within an hour of the notification email being sent.

Analyst comments from Tanium’s Cyber Threat Intelligence team

It’s shocking to learn that more than 90% of secrets were still valid five days after being notified that they were accidentally leaked.

This research not only provides some staggering statistics but also puts into perspective that great detection efforts are simply not enough. Detection efforts don’t mean much if the team responsible for remediation isn’t properly guided and knowledgeable on how to fix mistakes.

Now more than ever, being able to answer what happens after secret leaks — or what happens after any specific security incident is identified — is critical.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.