GitHub has shared a timeline of last month's security breach that saw an attacker using stolen OAuth app tokens to steal private repositories from dozens of organizations.
OAuth tokens were issued to two third-party integrators, Heroku and Travis-CI but were stolen by an unknown hacker. According to GitHub's Chief Security Officer Mike Hanley, the company is yet to unearth evidence that its systems have been breached since the incident was first identified on April 12th, 2022.
OAuth tokens are one of the go-to elements that IT vendors use to automate cloud services like code repositories and DevOps pipelines. While these tokens are useful for enabling key IT services, they are also susceptible to theft.
“If a token is compromised, in this case, a GitHub token, a malicious actor can steal corporate IP or modify the source to initiate a supply chain attack that could spread malware or steal PII from unsuspecting customers," Ray Kelly, a researcher at NIT Application Security, explained.
GitHub said it is in the process of sending the final notification to its customer. The firm’s examination of the hacker’s methodology includes the authentication of the GitHub API using the stolen OAuth tokens issued to accounts Heroku and Travis CI. It added that most of those affected authorized Heroku or Travis CI OAuth apps in their GitHub accounts. Attacks were selective and attackers listed the private repositories of interest. Next, attackers proceeded to clone private repositories.
“This pattern of behavior suggests the attacker was only listing organizations to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku,” GitHub stated.
GitHub also issued recommendations that can assist users in investigating logs for data exfiltration or malicious activity. This includes scanning all private repositories for secrets and credentials stored in them, checking OAuth applications authorized for a personal account, and adhering to GitHub policies to improve the security of their GitHub organizations. Others include checking their account activity, personal access tokens, OAuth apps, and SSH keys for activity or changes that may have come from the malicious actor.