Post-mortem on a recent GitHub data breach

GitHub has recently disclosed a security incident and published a post-mortem. The attack allowed an unknown attacker to download the contents of private code repositories belonging to dozens of organisations.

What did the attacker do?

The attacker used stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to authenticate to the GitHub API. In most cases the attacker first listed all of the organisations the user belonged to, then picked targets: user accounts in which the affected Heroku or Travis CI OAuth apps were authorised. They then listed the private repositories of the accounts of interest and cloned some of them.
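The enumerate-then-clone pattern described above is what a defender would look for in GitHub's audit log. The following is an added example, not code from GitHub, Heroku or Travis CI: it parses a handful of constructed JSON-lines audit events (the field names `action`, `actor`, `repo`, `visibility`, `programmatic_access_type`, `oauth_application` and `timestamp`, the app names and every value are assumptions made for this example, modelled loosely on the shape of an audit-log export) and flags any actor/OAuth-app pair that cloned several distinct private repositories through a watched app inside a short window.

```python
"""Flag bulk private-repo cloning by an OAuth app, over constructed audit-log events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five JSON-lines audit events. Field names and values are
# assumptions for this example, not real log data.
SAMPLE_LOG = """\
{"timestamp": "2022-04-13T02:10:05Z", "action": "git.clone", "actor": "alice", "repo": "acme/billing-api", "visibility": "private", "programmatic_access_type": "OAuth access token", "oauth_application": "Heroku Dashboard"}
{"timestamp": "2022-04-13T02:10:41Z", "action": "git.clone", "actor": "alice", "repo": "acme/infra-terraform", "visibility": "private", "programmatic_access_type": "OAuth access token", "oauth_application": "Heroku Dashboard"}
{"timestamp": "2022-04-13T02:11:17Z", "action": "git.clone", "actor": "alice", "repo": "acme/mobile-app", "visibility": "private", "programmatic_access_type": "OAuth access token", "oauth_application": "Heroku Dashboard"}
{"timestamp": "2022-04-13T09:30:00Z", "action": "git.clone", "actor": "bob", "repo": "acme/website", "visibility": "public", "programmatic_access_type": "OAuth access token", "oauth_application": "Travis CI"}
{"timestamp": "2022-04-13T09:45:12Z", "action": "git.clone", "actor": "carol", "repo": "acme/billing-api", "visibility": "private", "programmatic_access_type": "Personal access token", "oauth_application": null}
"""

# The integrations named in the incident (display names are assumed).
WATCHED_APPS = {"Heroku Dashboard", "Travis CI"}


def parse_events(text):
    """Parse JSON lines into dicts, adding a datetime under 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_private_clones(events, watched_apps=WATCHED_APPS,
                             window=timedelta(hours=1), threshold=3):
    """Return one alert per (actor, OAuth app) that cloned at least `threshold`
    distinct private repositories through a watched app within any span of
    length `window`. Public repos and non-OAuth access are ignored."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("action") != "git.clone" or ev.get("visibility") != "private":
            continue
        if ev.get("programmatic_access_type") != "OAuth access token":
            continue
        app = ev.get("oauth_application")
        if app not in watched_apps:
            continue
        by_key[(ev["actor"], app)].append(ev)

    alerts = []
    for (actor, app), evs in by_key.items():
        # Sliding window over the time-sorted events: advance `start` until the
        # span from evs[start] to evs[end] fits inside `window`.
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            repos = {e["repo"] for e in evs[start:end + 1]}
            if len(repos) >= threshold:
                alerts.append({"actor": actor, "app": app, "repos": sorted(repos),
                               "first": evs[start]["timestamp"],
                               "last": evs[end]["timestamp"]})
                break  # one alert per actor/app pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_private_clones(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample only alice's Heroku-authorised token trips the rule: bob's clone is of a public repository and carol used a personal access token, so neither matches the behaviour described in the post-mortem. In a real deployment the threshold and window would be tuned to each organisation's normal CI traffic.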

GitHub’s post-mortem

GitHub said in a blog post that “we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and utilised to download private repositories belonging to dozens of victim businesses that were using these apps.”

Based on past threat actor behaviour, GitHub believes the actors are mining the contents of the downloaded private repositories, to which the stolen OAuth tokens had access, for secrets that could be used to pivot into other systems.

GitHub identified the incident on April 12, when the attacker gained access to GitHub’s npm production infrastructure, and formally disclosed it three days later.

GitHub has revoked the OAuth tokens associated with the affected apps and is supporting Heroku and Travis CI in revoking theirs, so the stolen tokens no longer grant access. Affected businesses should continue to monitor for suspicious activity.

Travis CI says its customers are not at risk.

The attacker obtained a private application OAuth key, used to integrate the Heroku and Travis CI applications, after breaking into a Heroku service.

In a blog post, Travis CI stated that “this key does not enable access to any Travis CI customer repositories or data.”

Travis CI says it reviewed the matter thoroughly and found no evidence of intrusion into any private customer repository (i.e. source code), because the OAuth key obtained in the Heroku attack does not grant that type of access.

What customers should do

Customers who find indications of exfiltration in their logs should examine the affected repositories for any credentials they contain, then disable accounts and rotate credentials as needed to cut off the attacker’s access. GitHub also recommends revoking or rotating any credentials that were stored in those repositories, whether or not there is evidence they were used.
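Examining a repository for stored credentials is the step most teams have to do by hand after an incident like this. The scanner below is an added example written for this post, not a tool from GitHub, Heroku or Travis CI: it walks a checked-out tree, matches a few credential formats whose structure is public (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) plus a generic `secret=`/`password=`/`token=` assignment filtered by Shannon entropy, and reports the file, line and kind of each hit. The sample repository it builds under a temporary directory, including the planted values, is constructed for the example.

```python
"""Scan a checked-out repository for leaked credentials before rotating them."""
import math
import os
import re
import shutil
import tempfile

# Credential formats whose structure is public. The generic pattern is listed
# last on purpose: scan_text() dedupes it against the specific ones per line.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api_key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"),
}

SKIP_DIRS = {".git", "node_modules", "vendor"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score well above 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text, path="<memory>", min_entropy=3.5):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # The generic pattern also matches placeholders such as
                # password = "xxxxxxxxxxxxxxxxxxxx"; keep only values that look
                # random, and skip values a specific pattern already reported.
                if name == "generic_assignment" and (
                        value in seen or shannon_entropy(value) < min_entropy):
                    continue
                seen.add(value)
                findings.append({"path": path, "line": lineno, "kind": name,
                                 "value": value[:6] + "..."})  # never log the full secret
    return findings


def scan_repo(root):
    """Walk `root`, skipping vendored and VCS directories, and scan every file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
            except OSError:
                continue
    return findings


def build_sample_repo():
    """Create a constructed throw-away tree with one planted secret of each kind.
    The values are made up for this example (the AWS key is Amazon's documented
    placeholder); the .git/config entry must be ignored by the walk."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, ".git"))
    files = {
        "config/settings.py": ('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                               'DJANGO_SECRET_KEY = "Zq9vT2bK8mL4pX7wR1nY5cH3"\n'
                               'password = "changeme"\n'),
        "deploy.sh": "export GH_TOKEN=ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8\n",
        "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
        ".git/config": 'token = "ghp_' + "z" * 36 + '"\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    try:
        for f in scan_repo(repo):
            print(f"{f['path']}:{f['line']}  {f['kind']}  {f['value']}")
    finally:
        shutil.rmtree(repo)
```

Every hit is a credential to rotate, not just to delete: removing the line from the working tree leaves it in Git history, which is exactly what an attacker with a cloned repository would be mining. Run the scanner over the full history (for example, by checking out each commit or feeding `git log -p` output through `scan_text`) before declaring a repository clean.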

Heroku stated: “For the sake of our clients’ safety, we will not reconnect to GitHub until we are confident that we can do so safely, which may take some time. Rather than waiting for us to restore this integration, we propose that clients use alternative options.”

Last week’s article on VirusTotal is available here.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.