Executive Summary

Security researchers at the Wiz Customer Incident Response Team (CIRT) have identified a sophisticated attack path they call "code-to-cloud," which allows threat actors to pivot from a compromised code repository into a production cloud environment. This attack leverages leaked or compromised GitHub Personal Access Tokens (PATs). Even a PAT with basic read-only permissions can be used to discover the names of GitHub Action Secrets, which often contain high-value credentials for Cloud Service Providers (CSPs). If the attacker obtains a PAT with write access, they can modify CI/CD workflows to exfiltrate these secrets and gain direct access to the victim's cloud infrastructure. This creates a stealthy and highly impactful attack vector that bypasses traditional network perimeter defenses.

Threat Overview

The attack capitalizes on the tight integration between modern development platforms like GitHub and cloud environments (e.g., AWS, Azure, GCP). The core of the threat lies in the misuse of GitHub PATs, which are often over-provisioned and poorly monitored.

The attack flow proceeds as follows:

1. Compromise PAT: An attacker obtains a GitHub PAT, either through public leaks, social engineering, or malware.
2. Discover Secrets: Using the PAT, the attacker queries the GitHub API to list the names of all GitHub Action Secrets within the repository. Critically, Wiz researchers found that these API search calls are not logged in GitHub Enterprise, making this reconnaissance phase invisible.
3. Exfiltrate Secrets: If the PAT has workflow write permissions, the attacker modifies an existing GitHub Actions workflow file or creates a new one. This malicious workflow is configured to access the discovered secrets and exfiltrate their values to an attacker-controlled server.
4. Pivot to Cloud: With the exfiltrated CSP credentials (e.g., AWS access keys, Azure service principal credentials), the attacker now has direct access to the victim's cloud environment.
5. Cover Tracks: The attacker can use the same PAT to delete the malicious workflow file or revert changes to hide their activity.

This threat is exacerbated by poor security hygiene. Wiz data shows that 73% of organizations store CSP credentials in GitHub Action Secrets, and 45% have plain-text cloud keys in private code repositories.

Technical Analysis

This attack chain leverages several MITRE ATT&CK techniques:

• Credential Access: T1552.006 - Unsecured Credentials: GitHub Personal Access Tokens. This is the entry point of the attack.
• Discovery: T1598.003 - Spearphishing Link is not correct. It should be related to discovering cloud secrets. A better fit is T1552 - Unsecured Credentials as a general category, or a more specific discovery technique like T1087 - Account Discovery. The core action is discovering the existence of secrets.
• Execution: T1059.006 - Python or T1059.004 - Unix Shell within a malicious GitHub Actions workflow.
• Collection: T1530 - Data from Cloud Storage Object is not quite right. The action is collecting the secrets themselves. T1552.005 - Cloud Credentials is more appropriate as the goal.
• Defense Evasion: T1562.007 - Disable or Modify Cloud Firewall is not correct. A better fit is T1070.005 - Network Share Connection Removal or more generally T1564 - Hide Artifacts by deleting workflow logs/files.

Let's refine the TTPs:

• Credential Access: T1552.006 - Unsecured Credentials: GitHub Personal Access Tokens
• Execution: T1059 - Command and Scripting Interpreter via CI/CD pipeline modification.
• Collection: T1552.005 - Cloud Credentials
• Lateral Movement: The pivot from GitHub to the cloud environment itself constitutes lateral movement between distinct platforms.

Impact Assessment

A successful code-to-cloud attack can be catastrophic, as it bridges the gap between development and production environments. Potential impacts include:

• Full Cloud Environment Compromise: Attackers can gain administrative access to the cloud environment, allowing them to steal data, deploy ransomware on cloud assets, or disrupt services.
• Massive Data Exfiltration: Access to production databases and storage buckets can lead to the theft of enormous volumes of sensitive company and customer data.
• Supply Chain Attack: Attackers could use their access to inject malicious code into the application, which is then deployed to customers.
• Cryptojacking: Attackers can spin up powerful cloud resources to mine cryptocurrency at the victim's expense.

Cyber Observables for Detection

Detection & Response

• GitHub Audit Log Monitoring: Regularly review GitHub audit logs for suspicious PAT activity. Look for PATs created without expiry dates, PATs with excessive permissions (repo, workflow), and PATs being used from anomalous IP addresses or geographic locations. This is an application of D3FEND's D3-UGLPA: User Geolocation Logon Pattern Analysis.
• CI/CD Pipeline Monitoring: Implement monitoring for your workflows directory in GitHub. Alert on any commit that modifies a workflow file, especially those that add new steps involving shell commands or network requests. This is a form of D3-SFA: System File Analysis.
• Cloud Threat Detection: Use a Cloud Security Posture Management (CSPM) or Cloud-Native Application Protection Platform (CNAPP) tool to detect anomalous behavior in your cloud environment. Correlate alerts with recent GitHub Actions runs. For example, an alert for a new IAM user being created by credentials that are only used in CI/CD is a major red flag.

Mitigation

1. Adopt OIDC for Cloud Authentication: The most effective mitigation is to stop using long-lived static credentials (like AWS access keys) in GitHub Actions. Instead, use OpenID Connect (OIDC) to establish a trust relationship between GitHub and your CSP. This allows workflows to request short-lived, ephemeral credentials directly from the CSP for each job, eliminating the need to store secrets in GitHub. This is a form of D3-ANCI: Authentication Cache Invalidation.
2. Enforce PAT Best Practices: If PATs must be used, enforce strict policies:
   • Expiration: Mandate that all PATs have a short expiration date (e.g., 30 days).
   • Least Privilege: Ensure PATs are scoped with the minimum required permissions. A PAT that only needs to read code should not have workflow or write permissions.
   • Fine-Grained PATs: Use fine-grained PATs that can be restricted to specific repositories.
3. Secret Scanning: Implement automated secret scanning in your pre-commit hooks and CI/CD pipelines to prevent any hard-coded credentials from ever entering the codebase.
4. Workflow Hardening: Use GitHub features like environment protection rules to require manual approval for workflows that access sensitive environments or secrets.