
GitHub reveals: Attackers compromised dozens of organizations using stolen OAuth tokens

GitHub revealed today that an attacker is using stolen OAuth user tokens (originally issued to Heroku and Travis-CI) to download data from private repositories. Since the campaign was first discovered on April 12, 2022, the threat actor has accessed and stolen data from dozens of victim organizations using OAuth applications (including npm) maintained by Heroku and Travis-CI.

"These integrators maintain applications that are used by GitHub users, including GitHub itself," GitHub Chief Security Officer (CSO) Mike Hanley revealed today. "We do not believe the attackers obtained these tokens by compromising GitHub or its systems, as GitHub does not store these tokens in a raw, usable format. Our analysis of other behavior by the threat actor suggests the actor may be mining the contents of downloaded private repositories accessible with stolen OAuth tokens for secrets that could be used to penetrate other infrastructure."

According to Hanley, the list of affected OAuth applications includes:

Heroku Dashboard (ID: 145909)

Heroku Dashboard (ID: 628778)

Heroku Dashboard - Preview (ID: 313468)

Heroku Dashboard - Classic (ID: 363831)

Travis CI (ID: 9216)

GitHub Security discovered unauthorized access to GitHub's npm production infrastructure on April 12, after the attacker used a compromised AWS API key. The attacker likely obtained the API key after using stolen OAuth tokens to download multiple private npm repositories.

"After discovering a broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm's internal use of these compromised applications," Hanley added. The impact on the npm organization included unauthorized access to private repositories on GitHub.com and "potential access" to npm packages on AWS S3 storage.

While the attackers were able to steal data from the compromised repositories, GitHub maintains that no packages were modified and no user account data or credentials were accessed during the incident.

"npm uses completely different infrastructure than GitHub.com; GitHub was not impacted in this original attack," Hanley said. "While the investigation is ongoing, we have not found any evidence that other GitHub-owned private repositories were cloned by the attackers using stolen third-party OAuth tokens."

Source: https://www.cnbeta.com/articles/tech/1258953.htm


Latest reply

I used to envy those who have such strong skills that I don’t have them. (Published on 2022-4-22 23:05)
 
 
