GitHub has recently disclosed its security was compromised performing and post-mortem. This attack allowed an unknown attacker to breach and take data from dozens of private code repositories.
What did they attacker do?
The attacker used stolen OAuth user tokens supplied to two third-party OAuth integrators Heroku and Travis-CI to authenticate to the GitHub API. Listing all of the user’s companies before picking targets in most cases where the impacted Heroku or Travis CI OAuth apps were authorised in the users GitHub accounts. Explicitly selected the private repositories for user accounts of interest before cloning some of those private repositories.
GitHub said in a blog post that “we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and utilised to download private repositories belonging to dozens of victim businesses that were using these apps.”
Based on past threat actor behaviour GitHub believe the actors are mining the contents of the downloaded private repository. Which the stolen OAuth token had access, for secrets that may be used to pivot [attacks] into other systems.
When the attacker gained access to GitHub’s npm production infrastructure on April 12, GitHub identified the incident and formally disclosed it three days later.
GitHub has revoked all OAuth tokens to prevent further access, supporting Heroku and Travis CI in doing so. Affected businesses should continue to monitor for suspicious activities.
Customers are not at risk, according to Travis CI.
The hacker gained access to a private application OAuth key used to connect the Heroku and Travis CI applications after breaking into a Heroku service.
In a blog post, it stated that “this key does not enable access to any Travis CI customer repositories or data.”
GitHub extensively reviewed this issue and discovered no indication of penetration into a private client repository (i.e. source code) because the OAuth key acquired in the Heroku attack does not allow for such access.
What customers should do
Customers that find indications of exfiltration in their logs should examine repositories for any credentials that may have been compromised. Then disable accounts and rotate credentials as needed to mitigate access. It also suggests cancelling or rotating any credentials that have been exposed.
For the sake of our clients’ safety, we will not reconnect to GitHub until we are confident that we can do so safely, which may take some time, Heroku stated. Rather than waiting for us to restore this integration, we propose that clients use alternative options.
Last weeks article on VirusTotal is available here.