GitHub picks Friday 13th to kill off password-based Git authentication

In brief If your Git operations start failing on Friday, August 13 with GitHub, it may well be because you're still using password authentication – and you need to change that.

In December, the source-code-hosting giant warned it will end password-based authentication for Git pushes and the like. From 1600 UTC (1700 BST, 0900 PST) on Friday, that shutdown will come into effect. As such, you'll need to use authentication tokens to complete your Git operations with GitHub.

"As previously announced, starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on GitHub.com," the Microsoft-owned biz said in an advisory on Thursday.

"Instead, token-based authentication (for example, personal access, OAuth, SSH Key, or GitHub App installation token) will be required for all authenticated Git operations."

Instructions for setting up authentication tokens are here.

ProxyShell Exchange exploit use spotted

We hope you've kept up with your Exchange Server updates, because miscreants are said to be probing for unpatched systems to hijack – specifically, systems saddled with the ProxyShell family of vulnerabilities.

In July, Microsoft patched CVE-2021-34473, an ACL bypass hole in Exchange Server; and CVE-2021-34523, an elevation-of-privilege flaw in the Exchange PowerShell backend, and in May, CVE-2021-31207, an Exchange Server security feature bypass vulnerability.

These three bugs, found by Orange Tsai of Devcore and privately disclosed to Microsoft, can be exploited in a chain by an unauthenticated miscreant to achieve arbitrary command execution on a vulnerable Exchange Server via TCP port 443. Orange Tsai demonstrated this attack at Pwn2Own 2021, and talked [PDF] about it in depth at last week's annual Black Hat conference in Las Vegas.

Following that presentation, a couple of folks recreated Orange's ProxyShell exploit chain, and documented it here.

And now, as spotted by security experts and Bleeping Computer, scumbags are scanning the internet for vulnerable Exchange servers seemingly in hope of backdooring them using ProxyShell exploit code, most likely with the intent of running ransomware, pivoting to other machines on the network, and/or exfiltrating information.

Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities. This one dropped a c# aspx webshell in the /aspnet_client/ directory: pic.twitter.com/XbZfmQQNhY

— Rich Warren (@buffaloverflow) August 12, 2021

The related ProxyLogon exploit chain was also used to inject ransomware into unpatched Microsoft Exchange servers. In short, make sure your Exchange servers are up to date with security fixes to avoid exploitation.

Gigabyte hit by data-stealing extortionists

Some servers belonging to Gigabyte were compromised by intruders, it emerged at the end of last week. The Taiwan-based motherboard maker insisted its production lines, sales, and daily operations were not affected by the cyber-attack, though it was reported that the biz's website went down at one point at least.

According to The Record, the RansomExx gang, believed to have compromised Gigabyte's systems, is threatening to leak 112GB of data said to have been siphoned from the manufacturer unless its demands are met. The files are said to contain information on not just Gigabyte but also Intel, AMD, and American Megatrends.

Gigabyte joins Acer, Quanta, and other Taiwanese tech giants that have fallen into the clutches of extortionware crooks. ®