Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Repository. Show all posts

New York Times Source Code Leaked Online


 

In January 2024, an exposed GitHub token led to a significant breach of The New York Times' repositories. The incident was initially identified and addressed swiftly by the company, but details have only recently emerged. The breach came to light after the stolen data was posted on the 4chan message board. An anonymous user shared a torrent link to a 273GB archive containing the pilfered data, marking one of the most substantial leaks in recent memory.

The leaked data includes around 5,000 repositories, comprising 3.6 million files. A notable portion of this data contains IT documentation, infrastructure tools, and a variety of source code. Among the stolen information is the source code for the popular game Wordle, which The New York Times acquired in 2022. The leak was first noticed by VX-Underground, a group known for monitoring and documenting malware samples and cybersecurity incidents.

The threat actor responsible for the leak reportedly accessed the repositories using an exposed GitHub token. This token granted them unauthorised access to the company’s code, enabling them to download and leak a vast amount of data. The breach's details were confirmed by The New York Times, which clarified that the exposed credentials were for a cloud-based third-party code platform, specifically GitHub.

The New York Times assured that the breach did not affect its internal corporate systems or its operations. In an official statement, the company highlighted that continuous monitoring for anomalous activity is part of their security measures. They emphasised that there was no indication of unauthorised access to Times-owned systems, underscoring their proactive approach in identifying and mitigating the breach promptly.

This leak is the second pressing incident disclosed on 4chan within the same week. Earlier, a leak involving 415MB of internal documents for Disney's Club Penguin game was reported. Sources indicate that this leak was part of a larger breach of Disney’s Confluence server, resulting in the theft of 2.5 GB of internal corporate data. It remains unclear if the same individual or group is responsible for both the New York Times and Disney breaches.

The breach of The New York Times' GitHub repositories stresses upon the importance of stringent digital security measures. As companies increasingly rely on cloud-based platforms for their operations, ensuring the security of access credentials and continuous monitoring for unauthorised activities are crucial steps in safeguarding sensitive information.


New Extortion Scheme Targets GitHub Repositories


 

A new wave of cyberattacks is targeting GitHub repositories, wiping their contents, and demanding ransom from victims. This alarming campaign, first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp, is being orchestrated by a threat actor using the handle "Gitloker" on Telegram.

The attackers are reportedly compromising GitHub accounts using stolen credentials. Once they gain access, they delete the contents of the repositories and create a backup of the data, which they claim can restore the deleted information. The compromised repositories are then renamed, and a single README.me file is added, instructing victims to contact the attackers via Telegram for further details.

Victims receive a ransom note that reads, "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup." This message is intended to coerce the victims into engaging with the attackers in hopes of recovering their lost data.

GitHub has yet to release an official statement regarding the Gitloker extortion campaign. However, the platform has previously advised users to take several precautionary measures to secure their accounts. These include changing passwords, enabling two-factor authentication, adding a passkey for secure, passwordless login, and reviewing account security logs to track any changes in the repositories.

Security Recommendations

To protect against such malicious activities, GitHub users are encouraged to:

Enable Two-Factor Authentication: This adds an extra layer of security to prevent unauthorised access.

Review and Revoke Unauthorised Access: Regularly check for and remove any unauthorised SSH keys, deploy keys, and integrations.

Verify Email Addresses: Ensure all email addresses associated with the account are verified.

Monitor Security Logs: Keep an eye on account security logs to detect any suspicious activities.

Manage Webhooks and Deploy Keys: Regularly review and manage webhooks and deploy keys on repositories.

Review Recent Commits and Collaborators: Continuously check recent commits and collaborators for each repository to identify any unauthorised changes.

Previous Attacks on GitHub

This is not the first time GitHub users have faced such threats. In March 2020, hackers compromised Microsoft's GitHub account, stealing over 500GB of files from private repositories. While the stolen data primarily consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.

Phishing Campaigns

In September 2020, GitHub users were targeted by a phishing campaign that used fake CircleCI notifications to steal GitHub credentials and two-factor authentication codes. Once compromised, attackers quickly exfiltrated data from private repositories and added new user accounts to maintain access.




Dropbox Security Breach: Unauthorized Access to 130 Source Code Repositories

 

File hosting service, Dropbox reveals on Tuesday that it was the victim of a phishing campaign. The security breach allowed the unidentified threat actor to acquire unauthorized access to one of its GitHub accounts, compromising 130 of its source code repositories. 
 
"These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team," Dropbox published in an advisory. 
 
Dropbox discovered the breach on October 14, after GitHub reported the company of suspicious activities that began a day before the alert was sent. 
 
Upon further investigation of the security breach, it was disclosed that the source code accessed by the threat actors, contained the development team’s credentials, primarily API keys used by the team. 
 
"The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors (for context, Dropbox has more than 700 million registered users)." the company added in the published advisory. 
 
The cyberattack was introduced more than a month after both GitHub and CircleCI reported accounts of phishing attacks. The phishing campaign was allegedly designed in order to access GitHub credentials via fraudulent notifications purporting to be from the CI/CD platform. 
 
These fraudulent emails notified the online users that their CircleCI session has expired, ploying the victims into logging in through their GitHub credentials. 
 
"These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site," explains Dropbox. 
 
Alongside, GitHub in an advisory, stated, "While GitHub itself was not affected, the campaign has impacted many victim organizations." In regards to the recent phishing attacks, Dropbox confirmed that the attackers did not have access to customers’ accounts, password, or payment information, and its core apps infrastructure were not impacted in the breach. "Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled." the company noted.  
 
Furthermore, Dropbox told that it has been working on securing its environment following the security breach, using WebAuthn and hardware tokens or biometric factors.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybercrime firm confirmed last week their customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange. 

On being notified about the vulnerability, Microsoft confirmed that the bugs were being Exploited in attacks and that it is working on an accelerated timeline in order to release security updates.  

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Microsoft and GTSC disclosed that the threat actors instigated the campaign to abuse Exchange flaws by creating GitHub repositories for exploits. 

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug. While the second allows scammers to conduct remote code execution (RCE) attacks via PowerShell. 

In one such instance, a threat actor impersonated a renowned security researcher Kevin Beaumont (aka GossTheDog) who is known for documenting the recently discovered Exchange flaws and available mitigation.  

The fraudulent repositories did not include anything necessary, but the README.md confirms what is currently known about the detected vulnerability, followed by a pitch on how they are selling one copy of the PoC exploit for the zero days. 

The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364. 

Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors are behind the exploit. 

In light of this, more such researchers and threat actors are waiting for the initial publication of the vulnerabilities to the public before using them in their own operations, such as protecting a network of hacking into one. 

Evidently, one can deduce that there are more such threat actors looking forward to taking advantage of this situation. Since Microsoft Exchange Server zero-day vulnerability exploits could be traded for hundreds of thousands of dollars, one must be cautious of handing over any ready money or crypto to anyone suspicious, claiming to have an exploit. 

GitHub Supply Chain Attack Cloned Thousands of Repositories to Target Developers

 

GitHub, a code repository with more than 83 million developers, has been targeted in a supply chain attack.

The attack was unearthed earlier this week by software developer Stephen Lacy and involved a hacker cloning and adding malicious code to more than 35,000 GitHub repositories while keeping intact the code’s original source code. Nearly 40 percent (13,000) of the repositories compromised originated from a single organization, called “redhat-operator-ecosystem” on the site, a spoof of the RedHat openshift ecosystem. 

The cloned projects attempted to lure users to click on them by spoofing genuine user accounts, using names identical to the original project and legitimate-sounding firm names. 

The malicious code allowed the repositories to exfiltrate the environment variables containing sensitive data like Amazon AWS credentials, API keys, crypto keys, and a one-line backdoor. The malware also allowed remote hackers to execute arbitrary code on those systems that install/run the clones. 

The weaponized code could lead to developers accidentally downloading cloned code repositories that contain malicious code. If used in their applications, this would then lead them to expose their users to code that includes malware. 

Fortunately, Lacy thwarted the attack by removing the affected projects and organizations including Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned. 

According to security experts, cloning open-source code is common among developers. But, in this case, the hackers injected malicious code/links into genuine GitHub projects to target innocent users.

The methodology applied by hackers is identical to the approach unearthed by ReversingLabs last month, where typo-squatting packages were being picked up by GitHub-owned NPM, and then exfiltrated data from forms designed with the malicious packages. 

Additionally, the researchers identified more than two dozen infected packages, all cloning popular NPM packages, stretching back to December 2021. 

Thwarting supply chain attacks 

 GitHub has issued an advisory for guarding the code supply chain on its website. 

• For accounts employed for personal use as well as those used by organizations and enterprises, set up two-factor authentication. 
• Connect to GitHub using secure socket shell (SSH) keys. 
• For enterprises, centralize user authentication. 
• Design a vulnerability management program for dependencies which will allow them to have full visibility over any vulnerabilities the code they are using has. 
• Avoid using passwords or API keys within the source code. 
• Block vulnerable coding patterns by reviewing and examining all pull requests before merging.