Threat actors are impersonating GitHub’s security and recruitment teams in phishing attacks that hijack repositories through malicious OAuth apps, in an ongoing extortion campaign that wipes the compromised repos.
A related abuse of developers’ trust in GitHub’s own tooling was documented by a research team at Checkmarx, which found that attackers had fabricated commit messages so that developers would believe the commits came from the real Dependabot, and used that cover to carry out malicious activity.
Phishing sits at the heart of the attack, and it remains one of the most common initial-access techniques. That carries implications for the business community, according to Jason Kent, Hacker in Residence at Cequence Security.
Kent poses the following dilemma: “When a person or organization utilizes a third party to store their code repositories, they need to have a disruption plan in place. If there was nothing nefarious going on, the third party could have a disruption. Or, like when the DynDNS DDoS happened, they might just go offline. But what if something nefarious happens?”
Expanding on this scenario, Kent continues: “Many organizations require a Software Escrow in the event that a system they have purchased is suddenly no longer supported and keeping the systems alive is a priority. However, most organizations that use GitHub consider their software safe because GitHub keeps them safe.”
Moreover, Kent offers: “It is entirely possible that a disgruntled employee could destroy the code repo, or even a simple mistake might take large portions of it out of the system. This could cause a huge problem. That’s why these phishing attempts, and their successes, are a major issue for the victims.”
Returning to the issue at hand, Kent indicates: “GitHub is supposed to be a way for people to easily store, share and collaborate on software code. Some of the features are things like communication channels in the repo to make comments.”
As to the consequences, Kent finds: “Utilizing this, an attacker can comment that they are from GitHub and are trying to help. ‘Install this new security authentication service’ or ‘utilize these new systems for better productivity’ are messages that feel like they are making things better. However, victims that install those new services are finding their repo empty except for an extortion letter.”
In terms of the best responses, Kent suggests: “What should you do if you are a GitHub user? Make sure you know the application you are hooking into your repo is legit. How do you know that? Assume all contact is phishing and verify the source.”
Kent further recommends: “Also, before you do any of this, ask on GitHub’s forums if this OAuth service is legitimate and has been used successfully. Have a backup strategy that doesn’t include GitHub. Be able to recover if the entire service goes down, and you will be ready in the event someone deletes your repo.”
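One concrete way to act on “assume all contact is phishing and verify the source” is to inspect the OAuth authorization link before clicking Authorize. The consent page is GitHub’s own, so the URL looks legitimate; what gives the extortion app away is the `scope` parameter, which spells out exactly what the app will be allowed to do. The script below is an added example, not code from the article or from Cequence Security. It parses a `github.com/login/oauth/authorize` link, flags scopes that grant write or delete access to repositories, and surfaces the `redirect_uri` host so you can compare it with the vendor you believe you are dealing with. The scope names are GitHub’s documented OAuth scopes; the sample URLs, client IDs and hosts are constructed for illustration and identify no real application.

```python
"""Triage a GitHub OAuth authorization link before authorizing an app.

Added example (not from the article). Sample URLs and client_id values
below are constructed and do not refer to any real OAuth application.
"""
from urllib.parse import parse_qs, urlparse

# GitHub's documented OAuth scopes that let an app rewrite, delete or
# reconfigure repositories, or the organization that owns them. An app
# that claims to "secure your account" has no business asking for these.
DESTRUCTIVE_SCOPES = {
    "delete_repo": "delete any repository the user administers",
    "repo": "full read/write on all repos (force-push, delete branches, edit settings)",
    "public_repo": "read/write on public repos",
    "admin:repo_hook": "add or remove repository webhooks",
    "admin:org": "manage organization members, teams and settings",
    "workflow": "change GitHub Actions workflow files",
}

AUTHORIZE_HOST = "github.com"
AUTHORIZE_PATH = "/login/oauth/authorize"


def parse_scopes(raw: str) -> list:
    """GitHub accepts space- or comma-separated scopes in the `scope` parameter."""
    return [s for s in raw.replace(",", " ").split() if s]


def triage_authorize_url(url: str) -> dict:
    """Return what the link would grant and a block/review verdict."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    findings = []

    # Check 1: the consent page itself must be GitHub's. A look-alike host
    # is credential phishing rather than an OAuth app at all.
    if (parsed.scheme != "https" or parsed.netloc.lower() != AUTHORIZE_HOST
            or parsed.path != AUTHORIZE_PATH):
        findings.append("authorize endpoint is not https://github.com/login/oauth/authorize")

    # Check 2: what the app can do once Authorize is clicked. This is the
    # check that catches a real app hosted on the real GitHub consent page.
    scopes = parse_scopes(params.get("scope", [""])[0])
    dangerous = sorted(s for s in scopes if s in DESTRUCTIVE_SCOPES)
    for s in dangerous:
        findings.append("scope %s: %s" % (s, DESTRUCTIVE_SCOPES[s]))

    # Check 3: who receives the authorization code. Compare this host with
    # the organization the message claims to come from before proceeding.
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).netloc.lower()

    return {
        "client_id": params.get("client_id", [""])[0],
        "scopes": scopes,
        "dangerous_scopes": dangerous,
        "redirect_host": redirect_host,
        "findings": findings,
        "verdict": "block" if findings else "review",
    }


if __name__ == "__main__":
    # Constructed sample: a real GitHub consent page, but the app asks for
    # everything it needs to wipe and delete repositories.
    sample = ("https://github.com/login/oauth/authorize"
              "?client_id=0123456789abcdef0123"
              "&scope=repo%20delete_repo%20user:email"
              "&redirect_uri=https%3A%2F%2Fcb.example.invalid%2Fcallback")
    result = triage_authorize_url(sample)
    print("verdict:", result["verdict"])
    for line in result["findings"]:
        print(" -", line)
    print("authorization code goes to:", result["redirect_host"])
```

A verdict of `review` does not mean the app is safe; it means the link asks for nothing destructive and the remaining work is confirming who operates the app (the `client_id` and redirect host) through a channel you trust, as Kent suggests. A verdict of `block` on a message that claims to come from GitHub itself is decisive: GitHub does not deliver security features by asking users to authorize a third-party OAuth app.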