Attackers Use Stolen OAuth App Token To Breach Dozens Of Organizations

Share post:

GitHub has confirmed a security breach that saw an attacker use stolen OAuth app tokens to steal private repositories from dozens of organizations.

The attack process involves authenticating the attacker authenticating to the GitHub API with the stolen oAuth tokens issues to Heroku and Travis CI, the attacker listing all of the user’s organizations, and the attacker selectively selects targets based on the organizations listed.

The attacker listed the private repositories for user accounts of interest, and the attacker then proceeded to clone some of those private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku,” GitHub said.

GitHub also shared guidelines that can assist customers in investigating logs for data exfiltration or malicious activity.

This includes checking all private repositories for secrets and credentials stored in them, checking oAuth applications authorized for a personal account, and adhering to GitHub policies to improve the security of their GitHub organizations.

Others include checking their account activity, personal access tokens, oAuth apps, and SSH keys for activity or changes that may have come from the attacker.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways