GitHub: How Stolen OAuth Tokens Helped Breach Dozens of Orgs
GitHub has shared a timeline of this month’s security breach, in which a threat actor gained access to and stole private repositories belonging to dozens of organizations.
The attacker used stolen OAuth app tokens issued to Heroku and Travis-CI to breach GitHub.com customer accounts with authorized Heroku or Travis CI OAuth app integrations.
GitHub’s Chief Security Officer Mike Hanley says the company has yet to find evidence that its systems have been breached since the incident was first discovered on April 12th, 2022.
GitHub is still working on alerting all impacted users and organizations and, as of today, is sending the final notifications to affected GitHub.com users.
An analysis of the attacker’s behavior while they had access to compromised GitHub accounts shows that the following activities were carried out on GitHub.com using the stolen OAuth app tokens:
- The attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI.
- For most people who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all the user’s organizations.
- The attacker then selectively chose targets based on the listed organizations.
- The attacker listed the private repositories for user accounts of interest.
- The attacker then proceeded to clone some of those private repositories.
“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories,” GitHub said.
“GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku.”
Finding evidence of malicious activity
GitHub disclosed the breach on the evening of April 15th, three days after discovering the attack, when the malicious actor accessed GitHub’s npm production infrastructure.
In the initial stage of the attack, the threat actor used a compromised AWS API key acquired after downloading multiple private npm repositories using stolen OAuth user tokens.
While GitHub, Travis CI, and Heroku have revoked all OAuth tokens to block further access after discovering the attack, affected organizations are advised to keep monitoring their audit logs and user account security logs for potentially malicious activity linked to this incident.
GitHub shared the following guidance with potentially impacted customers to help them investigate logs for evidence of data exfiltration or malicious activity:
- Review all your private repositories for secrets or credentials stored in them. There are several tools that can help with this task, such as GitHub secret scanning and trufflehog.
- Review the OAuth applications that you’ve authorized for your personal account or that are authorized to access your organization and remove anything that’s no longer needed.
- Follow GitHub’s guidelines for hardening the security posture of your GitHub organization.
- Review your account activity, personal access tokens, OAuth apps, and SSH keys for any activity or changes that may have come from the attacker.
- Additional questions should be directed to GitHub Support.
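As an added example (not GitHub’s tooling or anything from the incident response), the Python below applies the enumerate-then-clone pattern described above to constructed audit-log-style entries and flags an OAuth-app-token session that lists organizations or private repositories and then clones private repositories shortly afterwards; the field and action names (`programmatic_access_type`, `oauth_app`, `org.list`, `repo.list_private`, `git.clone`, `repo_visibility`) are assumptions loosely modelled on the GitHub audit log rather than a verified schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample, one JSON object per line. Field and action names are
# assumptions loosely modelled on the GitHub audit log, not a verified schema.
SAMPLE_LOG = """\
{"created_at":"2022-04-12T09:00:00Z","actor":"dev-alice","action":"org.list","programmatic_access_type":"OAuth access token","oauth_app":"heroku-dashboard"}
{"created_at":"2022-04-12T09:00:05Z","actor":"dev-alice","action":"repo.list_private","programmatic_access_type":"OAuth access token","oauth_app":"heroku-dashboard"}
{"created_at":"2022-04-12T09:01:10Z","actor":"dev-alice","action":"git.clone","repo":"acme/billing-service","repo_visibility":"private","programmatic_access_type":"OAuth access token","oauth_app":"heroku-dashboard"}
{"created_at":"2022-04-12T09:01:42Z","actor":"dev-alice","action":"git.clone","repo":"acme/infra-secrets","repo_visibility":"private","programmatic_access_type":"OAuth access token","oauth_app":"heroku-dashboard"}
{"created_at":"2022-04-12T10:30:00Z","actor":"dev-bob","action":"git.clone","repo":"acme/website","repo_visibility":"public","programmatic_access_type":"OAuth access token","oauth_app":"travis-ci"}
{"created_at":"2022-04-12T11:00:00Z","actor":"dev-carol","action":"git.clone","repo":"acme/billing-service","repo_visibility":"private","programmatic_access_type":"SSH key"}
"""

ENUMERATION_ACTIONS = {"org.list", "repo.list_private"}   # recon steps
EXFIL_ACTIONS = {"git.clone", "repo.download_zip"}          # data leaving

def parse_events(text):
    """Parse newline-delimited JSON and attach a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_token_abuse(events, window=timedelta(hours=1)):
    """Map (actor, oauth_app) to private repos cloned within `window` of that session's first enumeration."""
    by_session = defaultdict(list)
    for ev in events:
        if ev.get("programmatic_access_type") == "OAuth access token":
            by_session[(ev["actor"], ev.get("oauth_app", "?"))].append(ev)
    findings = {}
    for key, evs in by_session.items():
        enum_times = [e["ts"] for e in evs if e["action"] in ENUMERATION_ACTIONS]
        if not enum_times:
            continue  # clones with no preceding recon are left for normal review
        first_enum = min(enum_times)
        cloned = [e["repo"] for e in evs
                  if e["action"] in EXFIL_ACTIONS
                  and e.get("repo_visibility") == "private"
                  and first_enum <= e["ts"] <= first_enum + window]
        if cloned:
            findings[key] = cloned
    return findings

if __name__ == "__main__":
    for (actor, app), repos in find_token_abuse(parse_events(SAMPLE_LOG)).items():
        print(f"{actor} via OAuth app {app!r} enumerated, then cloned: {', '.join(repos)}")
```

Only the session that both enumerated and cloned private repositories is reported; the public clone and the SSH-key clone are left to normal review.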
You can find more info on how GitHub responded to protect its customers and what organizations need to know in the initial security alert.