The Deep Purple Sec – Mar 2025

📝 CodeQLEAKED – Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL
A researcher discovered a publicly exposed secret in a GitHub Actions workflow artifact, which could have led to a supply chain attack on GitHub CodeQL, GitHub’s code analysis engine. The secret, a GitHub App token, had full write privileges and could have been used to create branches, push files, and create tags in repositories. The researcher was able to create a new branch, push a file, and create a tag using the token before it expired, demonstrating the potential impact of the vulnerability.

GitHub acknowledged the issue and temporarily disabled the workflow that uploaded the token, and later assigned it a CVE number. The researcher recommended limiting the risk of secrets exposure by only uploading specific files or directories as workflow artifacts, avoiding uploading artifacts containing environment variables, and limiting GITHUB\_TOKEN permissions to read-only.

📌 Source: https://www.praetorian.com/blog/codeqleaked-public-secrets-exposure-leads-to-supply-chain-attack-on-github-codeql/

📝 SAML roulette: the hacker always wins
This article describes a vulnerability in the Ruby-SAML library, used by GitLab Enterprise for SAML authentication. This flaw allows an attacker to gain unauthenticated admin access by exploiting « round-trip » attacks and namespace confusion.

Researchers discovered that differences in how the REXML and Nokogiri parsers handle XML documents can be exploited to bypass signature verification, enabling an attacker to impersonate another user. Although GitHub has patched this vulnerability, the complete technical details are shared to enhance overall security by raising awareness of these types of threats.

📌 Source: https://samcurry.net/hacking-subaru

📝 Glpwnme
glpwnme is a tool used to check for vulnerabilities on running instance of glpi. It has been released by Orange CyberDefense on github.

📌 Source: https://github.com/Orange-Cyberdefense/glpwnme

📝 Defending off the land – Thinkst Scapes Q42024
The « Defending off the land – Agentless defenses available today » talk explores the concept of using only built-in operating system tools to enhance cyber defenses, an approach known as « defending-off-the-land » (DoL). Researchers developed 11 capabilities, including setting traps to detect attempts to use OS features like Windows RDP or WinRM, and monitoring file access in specific directories. They also utilized the built-in Hyper-V virtualization framework to deploy an OpenCanary honeypot, silently redirecting attackers to a virtual machine. Additionally, a new capability allows for the creation of fake SSO app registrations in IdP dashboards to detect attackers with stolen credentials.

BlackNoise’s viewpoint: Our Deep Purple Report 2025 confirms this observation. EDR/XDR type tools cannot effectively detect the classic attacker pattern of living-off-the-land. They must be complemented by other approaches.

📌 Source: https://thinkst.com/ts//

📘 Go Beyond The MITRE ATT&CK Evaluation To The True Cost Of Alert Volumes
MITRE’s latest ATT&CK Evaluation results were released in December 2024, with Forrester publishing several reports providing insights and cost calculations for the evaluation. Key findings include the elusiveness of true correlation and the high alert volumes generated by some vendors, which can significantly impact incident responders and increase costs. The cost of excess alerting was emphasized, with the cost to bring alerts into a SIEM platform varying greatly between vendors.

📌 Source: https://www.forrester.com/blogs/go-beyond-the-mitre-attck-evaluation-to-the-true-cost-of-alert-volumes/

🛠️ Security lists for SOC/DFIR detections
A collection of useful lists around detection needs (Suspicious Windows Services, Suspicious Windows Tasks, Suspicious User-agent…), IOC, DFIR tools, and information intended for SOC and Purple Team

📌 Source: https://github.com/mthcht/awesome-lists

🛠️ Security lists for SOC/DFIR detections
The ANSSI report « Cloud Sector – State of Cyber Threats » (February 2025) highlights threats to cloud infrastructures, noting that while cloud computing offers flexibility, it poses significant cybersecurity challenges due to complexity and reliance on providers.
The report identifies three main threat categories:

• Profit-driven attacks: Exploiting vulnerabilities for ransomware or data theft.
• Espionage-driven attacks: Targeting cloud infrastructures for industrial and state espionage.
• Destabilization attacks: DDoS attacks disrupt critical services.

The ANSSI notes cybercriminals use cloud services for malicious activities and provides 36 recommendations for security measures. It promotes the SecNumCloud label as a certification for cloud services in France.

📌 Source: https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-001/