
GitHub offers post-mortem on recent security breach

GitHub has revealed details of a security breach that has allowed an unknown attacker to download data from dozens of private code repositories.

The attacker authenticated to the GitHub API using stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI.

In most cases where the affected Heroku or Travis CI OAuth apps were authorized in the users’ GitHub accounts, the attacker listed all the user’s organizations before selecting targets.

More specifically, the attacker listed the private repositories for user accounts of interest, and then proceeded to clone some of those private repositories.

“Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps,” GitHub warned in a blog post.

“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot [attacks] into other infrastructure.”

Timeline

GitHub discovered the breach on April 12, when the attacker accessed GitHub’s npm production infrastructure, and disclosed the breach three days later.

Along with Heroku and Travis CI, GitHub has revoked all OAuth tokens to block further access, while still advising affected organizations to keep monitoring for suspicious activity.

Travis CI says it doesn’t believe that the incident poses a risk to customers. “The hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application.

“This key does not provide access to any Travis CI customer repositories or any Travis CI customer data,” it said in a blog post.

“We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access.”

Heroku is advising customers who see evidence of exfiltration in their logs to check repositories for any credentials that may have been compromised, and mitigate access by disabling accounts and rotating credentials as needed. It also recommends revoking or rotating any exposed credentials.

“For the protection of our customers, we will not be reconnecting to GitHub until we are certain that we can do so safely, which may take some time,” it warned. “We recommend that customers use alternate methods rather than waiting for us to restore this integration.”

Source: https://portswigger.net/daily-swig/github-offers-post-mortem-on-recent-security-breach
