GitHub: Attacker breached dozens of orgs using stolen OAuth tokens

silversurfer

Level 84
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,544
GitHub revealed today that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories.

Since this campaign was first spotted on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm.

"The applications maintained by these integrators were used by GitHub users, including GitHub itself," revealed today Mike Hanley, Chief Security Officer (CSO) at GitHub.

"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats.

"Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure."

According to Hanley the list of impacted OAuth applications includes:
  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)
 

silversurfer

Level 84
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,544
GitHub says it notified all organizations believed to have had data stolen from their private repositories by attackers abusing compromised OAuth user tokens issued to Heroku and Travis-CI.

"As of 9:30 PM UTC on April 18, 2022, we’ve notified victims of this campaign whom we have identified as having repository contents downloaded by an unauthorized party through abuse of third-party OAuth user tokens maintained by Heroku and Travis CI," the company revealed in an update to the original statement.

"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats which could be abused by an attacker," GitHub said.

While GitHub, Travis CI, and Heroku revoked all OAuth tokens to block further access, impacted organizations are advised to keep monitoring and reviewing their audit logs and user account security logs for potentially malicious activity.

"Should we identify additional customers who have been affected, we will notify those customers promptly. If you do not receive a notification email from us, that means GitHub has not identified your account as impacted by the current incident," GitHub added on Monday.