Day 20 of Advent of cyber 2023!

Backstory!

The Best Festival Company's acquisition of AntarctiCrafts was driven by their advanced automation pipelines, streamlining building, wrapping, and crafting processes. Yet, a threat emerges as the source control system is tampered with, hinting at potential Poisoned Pipeline Execution (PPE). Suspicions point to McGreedy and rogue Frostlings, raising concerns about the security of the GitLab CI/CD environment. The automated system, vital for processing services and software development, faces risks due to compromised configuration files. This task focuses on understanding and countering PPE, necessitating the identification and mitigation of potential attacks to safeguard the integrity of CI/CD pipelines.

Learning Objectives

In today's task, you will:

• Learn about poisoned pipeline execution.

• Understand how to secure CI/CD pipelines.

• Get an introduction to secure software development lifecycles (SSDLC) & DevSecOps.

• Learn about CI/CD best practices.

GitLab and SDLC Concepts

GitLab Overview: GitLab facilitates collaboration and automation across the Software Development Lifecycle (SDLC). Built around Git, a distributed version control system, it manages code changes effectively.

Key Components:

1. Version Control System (VCS): Tracks and manages code changes, fostering collaboration and preserving project history.

2. CI/CD Pipelines: Automates building, testing, and deployment, ensuring consistent integration and delivery to specified environments.

3. Security Scanning: Incorporates SAST, DAST, container scanning, and dependency scanning to identify and mitigate security threats.

CI/CD Fundamentals

Continuous Integration (CI): Enables frequent code integration, triggering automations for builds and tests. CI validates code changes continuously, enhancing security through regular scans.

Continuous Deployment (CD): Automates code deployment to various environments, ensuring secure and consistent delivery. CD pipelines integrate security checks before deploying to production.

DevSecOps Integration

DevSecOps Overview: An extension of DevOps, DevSecOps integrates security into CI/CD and SDLC, aiming for improved collaboration and threat reduction.

CI/CD Attacks: Poisoned Pipeline Execution (PPE)

PPE Overview: This attack compromises a stage in the SDLC, exploiting trust boundaries in CI/CD's automated supply chain. Attackers inject malicious code into the pipeline, emphasizing the need for secure gates and guardrails.

Scenario: Frostlings Invasion

Mission for DevSecOps Engineer: Frostlings infiltrate AntarctiCrafts' GitLab CI/CD pipeline, attempting to poison the Advent Calendar build process. DevSecOps engineers must uncover and mitigate this attack to ensure the calendar remains free from malicious alterations during the holiday season.

Investigating DevSecOps Breach

Overview: As a DevSecOps engineer, the task is to uncover and mitigate issues within AntarctiCrafts' Advent Calendar project. Detective Frost-eau has reported anomalies, suspecting Frostlings' involvement. Initial examination reveals an irregular testing phase and a compromised production site.

Merge Request Oversight: Reviewing the "Merge requests" tab exposes Frostlino's unreviewed changes, merged without code inspection. The "Update .gitlab-ci.yml" alterations hint at potential issues.

Job Execution Analysis: Inspecting job logs in the "Jobs" section indicates extensive testing activities affecting the production site. Contrary to the defined rules in ".gitlab-ci.yml," the testing environment is impacting the main site.

Branch Rules Discrepancy: Examining the branch rules in the configuration file, it becomes apparent that jobs are triggered even on non-main branches, contradicting the intended CI/CD setup.

Production Site Defacement: Visiting the Advent Calendar website reveals defacement, possibly orchestrated by Frostlings. Investigating the pipeline logs in the "Pipelines" section unveils a significant breach.

Malicious Code Injection: Detailed analysis of the "test" job logs exposes malicious commands inserted during testing. Commands include revealing user information, listing directory contents, and dynamically generating an HTML file with a defaced Advent Calendar image.

Mitigation Steps:

1. Immediate Incident Response:

   • Freeze all activities.

   • Revoke unnecessary privileges.

2. Code Review and Rollback:

   • Review recent code changes thoroughly.

   • Roll back the changes introduced by Frostlino.

3. Pipeline Security Enhancements:

   • Reinforce pipeline rules to align with SDLC principles.

   • Implement stricter access controls for merging.

4. Environment Validation:

   • Validate the integrity of the production environment.

   • Ensure no persistent vulnerabilities.

5. User Access Audit:

   • Conduct an audit of user privileges.

   • Revoke any suspicious or unnecessary access.

6. Communication and Awareness:

   • Notify relevant stakeholders of the incident.

   • Reinforce security protocols and best practices.

This comprehensive approach aims to address the immediate breach, secure the pipeline, and fortify the overall DevSecOps posture to prevent future incidents.

Mitigating and Remedying the Attack

Attack Summary: The "Test" step in the GitLab CI/CD pipeline orchestrated by Frostlino has defaced the Best Festival Company's Advent Calendar. Collaborating with Tracy McGreedy, the attack aims to tarnish the company's reputation.

Identifying the Source:

1. Access the commit history to locate the original code committed by Delf Lead, responsible for maintaining the project's integrity.

   • Navigate to the commit menu and find the commit with Delf Lead's original code.

2. View the original code and copy its contents.

   • Click on the commit, then select the "View file" button to access and copy the original code.

Remediation Steps:

1. Return to the repository and edit the ".gitlab-ci.yaml" configuration file.

   • Click the "Edit" button.

2. Replace the compromised code with the original code copied from Delf Lead's commit.

   • Commit the changes and wait for the job to complete, restoring the calendar to its normal state.

Preventative Measures:

1. Enforce Branch Protection:

   • Configure protected branches to restrict unauthorized changes. Set "Allowed to push" to no one, requiring code review via merge requests.

1. Artifact Management:

   • Set artifact expiration to limit retention, preventing the persistence of malicious changes. This reduces the risk of compromised artifacts affecting web servers.

2. Pipeline Visualization:

   • Utilize pipeline visualization to monitor and comprehend pipeline activities. Regularly access the "pipeline view" to identify anomalies.

3. Static Analysis and Linters:

   • Implement static code analysis and linting tools, such as GitLab's built-in SAST, within the CI/CD pipeline to identify security vulnerabilities.

4. Access Control Review:

   • Ensure proper access controls by limiting repository and pipeline access. Admins should promptly remove unauthorized users like Frostlino.

5. Regular Security Audits:

   • Conduct routine reviews of ".gitlab-ci.yml" files to detect suspicious or unintended changes, preventing tampering with critical projects.

6. Optimize Pipeline Stages:

   • Only include essential stages in the pipeline, eliminating unnecessary commands or stages to minimize the attack surface.

These comprehensive measures fortify the DevSecOps posture, preventing future attacks, and ensuring the integrity of the CI/CD pipeline and project codebase.

Question: What is the handle of the developer responsible for the merge changes?

Answer: @badsecops

Question: What port is the defaced calendar site server running on?

Answer: 9081

Question: What server is the malicious server running on?

Answer: Apache

Question: What message did the Frostlings leave on the defaced site?

Answer: FROSTLINGS RULE

Question: What is the commit ID of the original code for the Advent Calendar site?

Answer: 986b7407