IBM X-Force’s SCMKit finds blind spots in source-code management systems

IBM researcher Brett Hawkins says the toolkit shows how attackers can abuse common features of SCM systems.

Cybersecurity pros have typically focused on build integrity to defend against software supply-chain attacks, but developers should be equally wary of unauthorized access to source code management (SCM) systems, the systems that track source code changes: a compromise there can be just as devastating, according to IBM X-Force Red’s Brett Hawkins.

Hawkins’s job at IBM centers on adversary simulation, demonstrating to clients the potential impact of security holes and vulnerabilities. Last week at Black Hat, he presented a new tool called SCMKit, which is intended to show how attackers could use compromised credentials to take over SCM systems such as GitHub Enterprise, GitLab Enterprise, and Bitbucket Server. The toolkit, available on GitHub, illustrates how such a breach could lead to supply-chain attacks or to lateral movement into other DevOps tools, such as build or package repository systems.

SCMKit has “three primary purposes,” or modules, Hawkins told IT Brew in an interview. Those include reconnaissance, which allows exploration of repositories and code, and privilege escalation, which could let an attacker elevate an account under their control to the admin level. There’s also a module for persistence, which uses personal access tokens or SSH keys to maintain access to the compromised SCM system. All of this is done through the same interfaces regular users have, not through any exploit.

“It’s all about abusing the features that are available within the system,” Hawkins said. “So, yeah, no vulnerabilities…The reason I chose GitLab, GitHub Enterprise, and Bitbucket Server is because those are the three most popular systems that our team sees. During engagements, we go after these systems.”

“Let’s say there’s a specific repository you’re interested in gaining access to, to conduct a software supply-chain attack,” Hawkins added, “You could use one of the reconnaissance modules to search for repositories by that keyword name.” Another example would be using SCMKit’s privilege escalation module to check what a stolen API key (perhaps left lying around in a user folder) can actually do, and in particular whether it carries administrative privileges for the SCM system.

SCMKit also demonstrates how the right configuration settings can keep an attacker away from source code, or stop them in their tracks before they can distribute malware, according to Hawkins.

For example, an attacker using stolen user credentials against a third-party SCM system cannot stop that system from logging their activity. Hawkins’s research outlines how defenders can filter those logs for the telltale signs of each of the three module types: bursts of repository searches, accounts being promoted to admin, and new access tokens or SSH keys appearing. SCMKit also highlights other basic precautions organizations can take, such as enforcing expiration dates on access tokens and SSH keys, or requiring multi-factor authentication for any access that allows committing code.
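As an added example, not code from the article or from SCMKit: a small Python detector that applies the log-filtering idea above to SCM audit-log lines. The log schema (a JSON line per event with `ts`, `actor`, `action` and `detail`) and the action names are assumptions chosen for this example, and the sample lines are constructed; real GitHub Enterprise, GitLab and Bitbucket Server audit logs use their own event names, so the three action sets at the top are where you would map them. Each of the three SCMKit modules leaves a different footprint, and the script raises one finding per footprint.

```python
"""Flag SCM audit-log events that look like SCMKit-style activity.

Added example with an assumed, simplified JSON-lines audit schema and
constructed sample events; map real audit-log event names onto the
action sets below before using it on a live system.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit log. "bob" behaves like an attacker driving the
# three SCMKit modules with a stolen account; "alice" is a normal user.
SAMPLE_AUDIT_LOG = """\
{"ts": "2022-08-15T09:01:00Z", "actor": "alice", "action": "repo.search", "detail": {"query": "payments"}}
{"ts": "2022-08-15T09:05:00Z", "actor": "bob", "action": "repo.search", "detail": {"query": "payments"}}
{"ts": "2022-08-15T09:05:08Z", "actor": "bob", "action": "repo.search", "detail": {"query": "deploy"}}
{"ts": "2022-08-15T09:05:15Z", "actor": "bob", "action": "repo.search", "detail": {"query": "secrets"}}
{"ts": "2022-08-15T09:05:21Z", "actor": "bob", "action": "repo.search", "detail": {"query": "terraform"}}
{"ts": "2022-08-15T09:05:30Z", "actor": "bob", "action": "repo.search", "detail": {"query": "prod"}}
{"ts": "2022-08-15T09:10:00Z", "actor": "bob", "action": "user.role_change", "detail": {"target": "carol", "new_role": "admin"}}
{"ts": "2022-08-15T09:11:00Z", "actor": "bob", "action": "token.create", "detail": {"name": "backup", "expires_at": null}}
{"ts": "2022-08-15T09:12:00Z", "actor": "alice", "action": "ssh_key.create", "detail": {"expires_at": "2022-11-15T00:00:00Z"}}
{"ts": "2022-08-15T09:13:00Z", "actor": "alice", "action": "token.create", "detail": {"name": "ci", "expires_at": "2022-09-15T00:00:00Z"}}
"""

# Assumed action names for the three behaviours the article describes.
SEARCH_ACTIONS = {"repo.search", "code.search"}          # reconnaissance
ROLE_CHANGE_ACTIONS = {"user.role_change"}               # privilege escalation
CREDENTIAL_ACTIONS = {"token.create", "ssh_key.create"}  # persistence


def parse_events(text):
    """Parse JSON lines into event dicts with a timezone-aware 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious(events, search_burst=5, window_seconds=60):
    """Return one finding per suspicious behaviour, in timestamp order."""
    findings = []
    recent_searches = defaultdict(deque)  # actor -> search timestamps inside the window
    burst_reported = set()                # one recon finding per actor, not one per search
    for ev in events:
        actor, action = ev["actor"], ev["action"]
        detail = ev.get("detail", {})
        if action in SEARCH_ACTIONS:
            # Reconnaissance: many repository searches by one actor in a short window.
            window = recent_searches[actor]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= search_burst and actor not in burst_reported:
                burst_reported.add(actor)
                findings.append({"module": "recon", "actor": actor, "ts": ev["ts"],
                                 "reason": f"{len(window)} repository searches within {window_seconds}s"})
        elif action in ROLE_CHANGE_ACTIONS and detail.get("new_role") == "admin":
            # Privilege escalation: any promotion to admin is rare enough to review.
            findings.append({"module": "privesc", "actor": actor, "ts": ev["ts"],
                             "reason": f"{detail.get('target')} promoted to admin"})
        elif action in CREDENTIAL_ACTIONS and not detail.get("expires_at"):
            # Persistence: a token or SSH key created with no expiry date.
            findings.append({"module": "persistence", "actor": actor, "ts": ev["ts"],
                             "reason": f"{action} without an expiry date"})
    return findings


def actors_to_review(findings):
    """Map each flagged actor to the set of modules they were flagged for."""
    by_actor = defaultdict(set)
    for f in findings:
        by_actor[f["actor"]].add(f["module"])
    return dict(by_actor)


if __name__ == "__main__":
    for f in find_suspicious(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['ts'].isoformat()} {f['module']:<11} {f['actor']:<6} {f['reason']}")
```

On the constructed log the script flags `bob` three times (a five-search burst, the promotion of `carol` to admin, and a token created with no expiry) and `alice` not at all, since her credentials carry expiry dates. The same three rules are a reasonable starting point for the SIEM correlation Hawkins recommends, with the burst threshold and window tuned to how noisy search is in your own environment.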

“If somebody commits code, make sure that there’s at least one approver that has to approve that code change,” Hawkins told IT Brew. “Also, make sure that all code commits are signed either with GPG keys or certificates. And then the last recommendation I would have in terms of [the] defensive aspect is…you should be forwarding [logs] to your security, incident, and event management system.”

Hawkins hopes SCMKit will motivate security researchers to pay as much attention to SCM systems as to heavily researched topics like Active Directory exploitation.

“Once attackers start paying attention, I think, it just takes a little while for adoption and kind of prioritization within organizations,” Hawkins said. “From an attacker perspective, I’m gonna try to take the path of least resistance for any attack path…These systems really are critical systems and they need top-level attention compared to Active Directory and other things like that.”—TM
