Nitesh 'ideaengine007' Surana

Nitesh Surana is a Senior Threat Researcher with Trend Micro where he specializes in cloud vulnerability & security research. He has been in the top 100 MSRC Most Valuable Security Researchers in 2023 for his submissions to Microsoft via the Zero Day Initiative. He has presented across conferences such as Black Hat [USA, Asia], HackInTheBox, HackInParis, Nullcon, c0c0n, Security BSides [Delhi, Bangalore, Ahmedabad], NDC Oslo and OWASP/Null Bangalore meetups. Apart from playing with packets and syscalls, Nitesh is found attending concerts and writing/playing music.

Socials: LinkedIn, Twitter, Mastodon, YouTube

Upcoming Talks

FROM CODE TO CRIME: EXPLORING THREATS IN GITHUB CODESPACES @ VirusBulletin 2024, Dublin, Ireland

Cloud-based development environments enable developers to work from any device with internet access. Introduced during the GitHub Universe event in November 2022, Codespaces offers a customizable cloud-based IDE, simplifying project development. However, the openness of this service has been exploited by attackers, leading to in-the-wild campaigns leveraging GitHub Codespaces for developing, hosting, and exfiltrating stolen information.

The presentation will showcase GitHub Codespaces' features and explore typical methods of abuse by threat actors, focusing on observed malicious campaigns. Highlighted is DeltaStealer, a credential-stealing malware family with diverse variants, some featuring unique capabilities like persistent Discord authentication compromise and cloud-based data exfiltration. Developed using GitHub Codespaces, these infostealers reveal interesting artifacts, including debug symbols, exposing insights into the developers' identities. The presentation will showcase social media evidence and conclude with practical recommendations on configuring cloud-based IDEs securely, identifying suspicious instances, and proactively addressing similar cyber threats.

ZDI Submissions (for upcoming advisories, grep @_niteshsurana)

| ZDI Advisory | Severity | Vulnerability |
| --- | --- | --- |
| ZDI-24-581 | 10.0 | Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
| ZDI-24-400 | 9.8 | Microsoft uAMQP for Python azure-iot-sdks-ci Uncontrolled Search Path Element Remote Code Execution Vulnerability |
| ZDI-24-396 | 9.8 | Microsoft Azure ODSP nikisos Uncontrolled Search Path Element Remote Code Execution Vulnerability |
| ZDI-24-369 | 5.3 | Google cAdvisor REST API Improper Access Control Information Disclosure Vulnerability |
| ZDI-24-208 | 9.8 | Microsoft Azure MCR VSTS CLI vstscli Uncontrolled Search Path Element Remote Code Execution Vulnerability |
| ZDI-23-1558 | 8.8 | Microsoft Azure US Accelarators Synapse SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
| ZDI-23-1528 | 10.0 | Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
| ZDI-23-1527 | 10.0 | Microsoft PC Manager SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability |
| ZDI-23-1056 | 4.4 | Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability |
| ZDI-23-1044 | 9.9 | Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability |
| ZDI-23-880 | 5.5 | Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability |
| ZDI-23-380 | 6.5 | Microsoft Azure Machine Learning Service DSIMountAgent Missing Authentication Information Disclosure Vulnerability |
| ZDI-23-161 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability |
| ZDI-23-097 | 6.8 | Microsoft Azure Machine Learning Service JWT Cleartext Storage of Credentials Information Disclosure Vulnerability |
| ZDI-23-096 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability |
| ZDI-23-095 | 6.5 | Microsoft Azure Machine Learning Service Cleartext Storage of Credentials Information Disclosure Vulnerability |

Blogs

Public Mentions

Talks

Misc


This page is heavily inspired by James Kettle

"It has to start somewhere. It has to start sometime. What better place than here? What better time than now?"