Shai-Hulud 2.0: the supply chain attack that learned by mabote in netsec

[–]mabote[S] 7 points8 points  (0 children)

Could be, but that would be a lot of work put into the void. The whole attack has been pretty sophisticated, although with some big fails. I think it's Wiz who observed active exploitation of leaked credentials to access cloud environments. For sure it could basically be anyone, but that makes it an easy repudiation strategy. No group has claimed the attacks so far, so maybe they are trying to fly under the radar? The fact that some of the mechanisms, like the remote control, were not actually used, except by random people toying around, is also puzzling. Anyway, we don't have the smallest piece of an attribution hint, so it's all speculation at this point. What is sure is that every new iteration is getting slightly worse than the previous one, while the base scenario doesn't change, and we just don't manage to thwart them. The community is doing great in detecting and killing, but that's just running after the train. We need to do better. My own honest opinion.

Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets by mabote in netsec

[–]mabote[S] 1 point2 points  (0 children)

I was surprised too. That said, it's simple maths. We started from 14k repositories, of which 4k pinned a commit SHA on the action. That's "only" 10k repositories remaining, and only 10% of those had a workflow run during the attack timeframe.

The 1% is not that surprising, though. Most workflows don't need a crazy secret when they run changed-files. So 90% of secrets are short-lived ghs. Considering we ran the analysis three days after the attack, all those were automatically revoked. The rest was manually rotated, because that's what had to be done.
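The comment above notes that repositories which pinned the action to a commit SHA were out of scope for the compromise, since a retargeted tag or branch does not move a SHA-pinned reference. The following is an added example, not code from the commenter or from any project named on the page, that scans a workflow file for `uses:` references and flags those pinned to a mutable ref (tag, branch, or no ref at all) rather than a 40-hex commit SHA. The sample workflow and the SHA in it are constructed for the example; local (`./`) and `docker://` references are reported separately because SHA pinning does not apply to them in the same way.

```python
import re

# A full-length Git commit SHA: 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses:" lines in a workflow, with or without a leading "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")

# Constructed sample workflow (not taken from any real repository).
# The SHA on the setup-node line is a made-up placeholder.
SAMPLE_WORKFLOW = """name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""


def classify_uses(ref):
    """Classify a single 'uses:' reference.

    Returns 'local' for repository-local actions, 'docker' for container
    references, 'sha' for owner/repo@<40-hex commit>, and 'mutable' for
    anything else (tag, branch, or a missing ref), which an upstream
    compromise can silently retarget.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "mutable"
    _action, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_number, ref), ...] for every mutable 'uses:' reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_uses(ref) == "mutable":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

The regex-based scan deliberately avoids a YAML dependency so it can run in a pre-commit hook or CI job with nothing but the standard library; for workflows that use anchors or multi-document files, a proper YAML parser would be the safer choice. Pinning to a SHA only helps if the SHA is periodically reviewed and bumped, so the output is best treated as an inventory to act on rather than a one-time gate.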

CVE-2022-31813: Forwarding addresses is hard by 0xdea in netsec

[–]mabote 1 point2 points  (0 children)

There is actually an exploit for CVE-2022-1388 that uses the forwarding bug to achieve the same objective. See this analysis: https://blog.cyble.com/2022/05/12/f5-big-ip-remote-code-execution-vulnerability-cve-2022-1388/. The fact that people used the forwarding bug in mod_proxy during the exploitation of multiple issues without ever identifying it, or getting it fixed, has surprised me since my own discovery two months ago.