Attacker breached dozens of orgs using stolen OAuth tokens

GitHub revealed today that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories.
Since this campaign was first spotted on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm.
“The applications maintained by these integrators were used by GitHub users, including GitHub itself,” revealed today Mike Hanley, Chief Security Officer (CSO) at GitHub.
“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats.
“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”
According to Hanley, the list of impacted OAuth applications includes:
Heroku Dashboard (ID: 145909)
Heroku Dashboard (ID: 628778)
Heroku Dashboard – Preview (ID: 313468)
Heroku Dashboard – Classic (ID: 363831)
Travis CI (ID: 9216)
GitHub Security identified the unauthorized access to GitHub’s npm production infrastructure on April 12 after the attacker used a compromised AWS API key.
The attacker likely obtained the API key after downloading several private npm repositories using stolen OAuth tokens.
“Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications,” Hanley added.
The impact on the npm organization includes unauthorized access to private GitHub.com repositories and “potential access” to npm packages on AWS S3 storage.

GitHub has uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI. Read more about the impact to GitHub, npm, and our users. https://t.co/eB7IJfJfh1
— GitHub Security (@GitHubSecurity) April 15, 2022
GitHub’s private repositories not affected
While the attacker was able to steal data from the compromised repositories, GitHub believes that none of the packages were modified and no user account data or credentials were accessed in the incident.
“npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack,” Hanley said.
“Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”
GitHub is working on notifying all impacted users and organizations as they are identified, with additional information.
You should review your organization’s audit logs and the user account security logs for anomalous, potentially malicious activity.
You can find more information on how GitHub responded to protect its users and what customers and organizations need to know in the security alert published on Friday.
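As an added illustration of that audit-log review (example code written for this page, not GitHub's own tooling or advisory), the script below scans newline-delimited audit-log records for repository activity performed through the five OAuth application IDs listed above, and groups the hits by repository so a responder can see which private repos were touched and when. The log lines are constructed samples; the `oauth_app_id` field name and the overall record shape are assumptions for illustration and would need to be mapped to the actual fields of your organization's audit-log export.

```python
import json
from collections import defaultdict

# OAuth application IDs named in GitHub's advisory (taken from the article).
COMPROMISED_OAUTH_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# Constructed sample audit-log records (newline-delimited JSON). The field
# names, in particular `oauth_app_id`, are assumed for this example and do
# not necessarily match a real GitHub audit-log export.
SAMPLE_AUDIT_LOG = """\
{"action": "git.clone", "actor": "ci-bot", "repo": "acme/payments-api", "created_at": "2022-04-13T02:11:05Z", "oauth_app_id": 9216}
{"action": "git.clone", "actor": "alice", "repo": "acme/payments-api", "created_at": "2022-04-13T09:40:12Z", "oauth_app_id": null}
{"action": "git.clone", "actor": "heroku[bot]", "repo": "acme/billing", "created_at": "2022-04-14T03:02:44Z", "oauth_app_id": 145909}
{"action": "repo.access", "actor": "alice", "repo": "acme/billing", "created_at": "2022-04-14T10:15:00Z", "oauth_app_id": null}
{"action": "git.clone", "actor": "heroku[bot]", "repo": "acme/infra-secrets", "created_at": "2022-04-14T03:05:10Z", "oauth_app_id": 628778}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A damaged line should not abort the whole review.
            continue
    return events


def flag_oauth_app_events(events, app_ids=COMPROMISED_OAUTH_APP_IDS,
                          since="2022-04-12T00:00:00Z"):
    """Return events at or after `since` that were performed via one of `app_ids`.

    Timestamps are ISO-8601 UTC strings of fixed width, so plain string
    comparison gives the correct chronological ordering.
    """
    return [
        e for e in events
        if e.get("oauth_app_id") in app_ids and e.get("created_at", "") >= since
    ]


def summarize_by_repo(flagged):
    """Group flagged events as repo -> chronologically sorted (time, action, actor, app id)."""
    by_repo = defaultdict(list)
    for e in flagged:
        by_repo[e["repo"]].append(
            (e["created_at"], e["action"], e["actor"], e["oauth_app_id"])
        )
    return {repo: sorted(rows) for repo, rows in by_repo.items()}


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = flag_oauth_app_events(events)
    for repo, rows in summarize_by_repo(flagged).items():
        print(repo)
        for ts, action, actor, app_id in rows:
            print(f"  {ts} {action} by {actor} via OAuth app {app_id}")
```

Every repository that appears in the output is one whose contents the attacker may have downloaded and should be treated as a candidate for secret rotation, since the advisory notes the actor appears to be mining cloned repositories for credentials that allow pivoting into other infrastructure.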