
The Cyber Security News


Attacker Breaches ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens

April 28, 2022

GitHub shared a timeline of the April 2022 breaches, including details such as when a threat actor gained access and stole private repositories belonging to dozens of organizations.

GitHub disclosed details of last week’s incident, in which attackers used stolen OAuth tokens to download data from private repositories.

“We do not think the attacker obtained these tokens by way of a compromise of GitHub or its techniques simply because the tokens in dilemma are not stored by GitHub in their first, usable formats,” stated Mike Hanley, chief security officer, GitHub.


OAuth (Open Authorization) is an open-standard authorization framework for token-based authorization on the internet. It allows an end user’s account information to be used by third-party services, such as Facebook and Google.

OAuth does not share credentials; instead it uses an authorization token to prove identity and acts as an intermediary that approves one application interacting with another.

Incidents in which adversaries commandeer stolen or discovered OAuth tokens are not uncommon.

Microsoft had an OAuth flaw in December 2021, in which applications (Portfolios, O365 Secure Score, and Microsoft Trust Service) were vulnerable to authentication issues that allowed attackers to take over Azure accounts. To abuse the flaw, the attacker first registers a malicious app in the OAuth provider framework with a redirection URL that points to a phishing site. The attacker then sends the target a phishing email containing a URL for OAuth authorization.

Analysis of the Attacker’s Behavior

GitHub’s analysis of the incident found that the attackers authenticated to the GitHub API using stolen OAuth tokens issued to Heroku and Travis CI. It added that most of those affected had authorized Heroku or Travis CI OAuth apps in their GitHub accounts. The attacks were selective, and the attackers listed the private repositories of interest. Next, the attackers proceeded to clone private repositories.

“This pattern of conduct implies the attacker was only listing businesses in buy to recognize accounts to selectively goal for listing and downloading non-public repositories,” Hanley stated. “GitHub believes these attacks ended up highly targeted,” he added.

GitHub said it is in the process of sending the final notifications to customers who had either Travis CI or Heroku OAuth applications integrated into their GitHub accounts.

Initial Detection of the Malicious Activity

GitHub began investigating the stolen tokens on April 12, when GitHub Security first identified unauthorized access to the NPM (Node Package Manager) production infrastructure using a compromised AWS API key. The attackers obtained these API keys when they downloaded a set of private NPM repositories using a stolen OAuth token.

NPM is a tool used to download or publish Node packages through the npm package registry.

Travis CI, Heroku, and GitHub revoked the OAuth token access after discovering the attack, and affected organizations are advised to check their audit logs and user account security logs for malicious activity.
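The audit-log review recommended above can be partly automated. The following added example (not code from GitHub or from the original article) flags the behavior described earlier: one OAuth-app identity enumerating and then cloning several private repositories within a short window. The event schema, field names, action labels and sample records are constructed assumptions, not GitHub's audit log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema. Map these
# fields to whatever your own audit log export actually provides.
FIELDS = ("ts", "actor", "app", "action", "repo", "private")
RAW = [
    ("2022-04-10T02:00:05", "dev-a", "ci-app", "list_orgs", None, False),
    ("2022-04-10T02:00:40", "dev-a", "ci-app", "list_repos", None, False),
    ("2022-04-10T02:03:00", "dev-a", "ci-app", "clone", "org/payments", True),
    ("2022-04-10T02:05:00", "dev-a", "ci-app", "clone", "org/infra", True),
    ("2022-04-10T02:09:00", "dev-a", "ci-app", "clone", "org/secrets", True),
    ("2022-04-11T09:00:00", "dev-b", "ci-app", "clone", "org/web", True),
    ("2022-04-11T14:00:00", "dev-b", "ci-app", "clone", "org/web", True),
    ("2022-04-11T08:00:00", "dev-c", "deploy-app", "clone", "org/api", True),
    ("2022-04-11T11:00:00", "dev-c", "deploy-app", "clone", "org/docs", True),
    ("2022-04-11T15:00:00", "dev-c", "deploy-app", "clone", "org/tools", True),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

def flag_bulk_clones(events, window=timedelta(minutes=30), min_repos=3):
    """Return one finding per (actor, OAuth app) pair that cloned at least
    min_repos distinct private repositories inside a sliding time window."""
    parse = datetime.fromisoformat
    by_identity = defaultdict(list)
    for e in sorted(events, key=lambda e: parse(e["ts"])):
        by_identity[(e["actor"], e["app"])].append(e)
    findings = []
    for (actor, app), evs in by_identity.items():
        clones = [e for e in evs if e["action"] == "clone" and e["private"]]
        start = 0
        for end in range(len(clones)):
            # Shrink the window until it spans no more than `window`.
            while parse(clones[end]["ts"]) - parse(clones[start]["ts"]) > window:
                start += 1
            repos = {c["repo"] for c in clones[start:end + 1]}
            if len(repos) >= min_repos:
                first = parse(clones[start]["ts"])
                # Did the same identity list orgs/repos before the burst?
                enumerated = any(e["action"] in ("list_orgs", "list_repos")
                                 and parse(e["ts"]) <= first for e in evs)
                findings.append({"actor": actor, "app": app,
                                 "repos": sorted(repos),
                                 "enumerated_first": enumerated})
                break  # one finding per identity is enough for triage
    return findings

if __name__ == "__main__":
    for finding in flag_bulk_clones(EVENTS):
        print(finding)
```

The window and threshold are tuning knobs: legitimate CI integrations also clone private repositories, so baseline them against normal activity for each integration before alerting.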

 

Reported By: Sagar Tiwari, an independent security researcher and technical writer.


Some parts of this report are sourced from:
threatpost.com
