DeepSource Resets Logins After Employee Falls For Sawfish Phishing

DeepSource Resets Logins After Employee Falls For Sawfish Phishing

GitHub notified DeepSource earlier this month of detecting malicious activity related to the startup’s GitHub app after one of their employees fell victim to the Sawfish phishing campaign.

DeepSource provides developers with automated static code analysis tools for GitHub, GitLab, and Bitbucket repositories that help spot and fix issues during code review. According to its website, the startup’s client list includes Intel, NASA, Slack, and Uber.

Sawfish’s operators targeted GitHub users starting with April 2020 as part of a series of spearphishing attacks specifically planned out to steal their credentials using phishing landing pages mimicking GitHub’s login page. 

DeepSource employee credentials stolen by Sawfish

According to a notification received by DeepSource on the morning of July 11, DeepSource users were making numerous requests from unusual IP addresses which triggered GitHub Security team’s attention which started tracking the activity as potentially malicious.

While GitHub couldn’t point out the source of the compromise at that time, within two hours, DeepSource rotated all its users’ tokens, client secrets, and private keys, as well as “all credentials and keys of employees who had access to production systems.”

Five days later, on July 16, the GitHub Security team informed DeepSource that one of their employees was compromised and had his GitHub app’s credentials stolen in the Sawfish phishing campaign.

“Unfortunately, GitHub’s privacy policy prevents them from sharing the affected user list with us, so we are disclosing this issue publicly while waiting for GitHub to complete their investigation,” DeepSource explained. “Our understanding is GitHub will notify the directly affected users as per their policies.”

“You should visit https://support.github.com/contact?subject=GH-0000502-3963-3+Log+Request&tags=GH-0000502-3963-3 and request logs from GitHub regarding repository downloads and other account activity to find any suspicious activity.”

DeepSource notified all its users via e-mail on the evening of July 20 about this security incident and plans to launch a security bug bounty program to have security researchers investigate its systems for security vulnerabilities.

Also read: Completed DPIA Example: 7 Simple Helpful Steps To Create

The Sawfish phishing campaign

In April, GitHub’s Security Incident Response Team (SIRT) alerted all customers of an ongoing phishing campaign now known as Sawfish that was actively collecting victims’ GitHub credentials and 2FA codes (if they were using a time-based one-time password (TOTP) mobile app).

As GitHub detailed, accounts protected using hardware security keys were not vulnerable to the Sawfish attack.

GitHub said that the attackers were using stolen credentials to take over their victims’ accounts and that they were also quickly downloading the contents of private repositories, including “those owned by organization accounts and other collaborators.”

“If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password,” GitHub added.

One year ago, phishers were also using GitHub’s platform to host phishing kits by abusing the service’s free repositories to deliver them via github.io pages.

Also read: 12 brief explanation about the benefits of data protection for business success