Hello and welcome to the Tuesday, January 10th, 2023 edition of the Sandstone Storms, Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Big diary today is sort of related to Circle CI, but not related to the Circle CI breach recently.

And the diary is about, well, attackers who are searching for Circle CI configuration

files.

These YAML files are essentially scripts that tell CircleCi how to build a certain project and yes they may include

usernames and passwords so that's why the attackers are going after them in the

particular case that I observed in our honeypots there were two IP addresses both

hosted on OVH and likely related as they also scan for a number of similar

URLs like various configuration files for different software.

We keep seeing these configuration files being looked for sort of one of the more common attacks.

We do see in our honeypots, so make sure you properly configure these configuration files.

If possible, don't keep them in the document route or at least them.

Maybe you want to do both.

Configure your web server not to actually serve these configuration files.

Interestingly also that they went sort of for some backup files like with the dot-back extension,

which may be done in order to evade some of these filters if you were sloppy and left backup files behind.

And just to reiterate, this is not at all related to the Circle

CI breach, so you still want to rotate your credentials if you haven't done that yet.

And Amazon announced that it will now encrypt all objects stored in S3 by default. This has

been an option in the past, but now that's the default setting.

This essentially is no encryption at rest.

...