Essential Insights
- Attackers are systematically enumerating GitHub organizations and repos using automated tools and dormant ‘ghost’ accounts to gather sensitive public and private data.
- They leverage compromised or long-inactive OAuth tokens and PATs, enabling stealthy access and potential cloning of private repositories.
- The reconnaissance activities could lead to targeted attacks, data breaches, or malicious modification of repositories, with threats escalating from information gathering to cloning and exploitation.
Threat Overview, Techniques, and Targets
Datadog Security Labs has identified a new campaign where attackers are systematically exploring companies’ GitHub accounts. They use automated tools and over 50 dormant accounts. These accounts are often years old and intentionally left inactive. Attackers also exploit compromised OAuth tokens and personal access tokens (PATs) from legitimate users.
The attackers rely on the GitHub API, which allows access to public data without authentication. They perform activities such as listing repositories, following user relationships, and examining organization memberships. They also conduct GraphQL queries on public objects. Some actors go beyond public data and clone private repositories. This is possible in some cases because data access is sometimes available without authentication.
Their goal is to map out an organization’s GitHub activity. They try to stay hidden by blending their actions with normal API traffic. This strategy makes it difficult to detect malicious activities early.
Impact, Security Implications, and Guidance
This campaign can lead to serious security issues. Attackers gather information about a company’s projects, members, and repository details. In some cases, they clone private repositories, risking data leaks. This can impact an organization’s confidentiality and intellectual property.
The activity may look like normal API use, making detection difficult. Large-scale mapping of a company’s GitHub environment could aid future attacks. Organizations should consider their security measures carefully.
Since specific remediation guidance is not provided in the information, organizations should consult their cybersecurity providers or relevant authorities for further advice. It is important to review access tokens, monitor for unusual activity, and strengthen security policies on GitHub accounts.
Continue Your Tech Journey
Explore the future of technology with our detailed insights on Artificial Intelligence.
Explore past and present digital transformations on the Internet Archive.
ThreatIntel-V1
