Attackers Use Stolen OAuth App Token To Breach Dozens Of Organizations

Share post:

GitHub has confirmed a security breach that saw an attacker use stolen OAuth app tokens to steal private repositories from dozens of organizations.

The attack process involves authenticating the attacker authenticating to the GitHub API with the stolen oAuth tokens issues to Heroku and Travis CI, the attacker listing all of the user’s organizations, and the attacker selectively selects targets based on the organizations listed.

The attacker listed the private repositories for user accounts of interest, and the attacker then proceeded to clone some of those private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku,” GitHub said.

GitHub also shared guidelines that can assist customers in investigating logs for data exfiltration or malicious activity.

This includes checking all private repositories for secrets and credentials stored in them, checking oAuth applications authorized for a personal account, and adhering to GitHub policies to improve the security of their GitHub organizations.

Others include checking their account activity, personal access tokens, oAuth apps, and SSH keys for activity or changes that may have come from the attacker.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Cyber Security Today, May 24, 2024 – A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more

A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more. Welcome to Cyber Security...

Canada centralizing cybersecurity efforts of federal IT departments

Federal departments and agencies are making only marginal progress in improving their cyber maturity, Ottawa said Wednesday as...

Cyber Security Today, May 22, 2024 – LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more

LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more. Welcome to Cyber Security...

Google criticizes Microsoft’s security practices in new report

Google has publicly criticized Microsoft for a series of security missteps, suggesting that organizations might consider more secure...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways