How Hackers Used Stolen GitHub Tokens to Access Private Source Code

Coming off the recent string of Lapsus$ breaches which saw the private source code of many companies including Samsung and Nvidia published publicly, we are now again reminded how internal source code is becoming a growing target for attackers.

Currently, a supply chain attack is unfolding involving stolen OAuth tokens that are allowing attackers to access private repositories on GitHub. The tokens are from third-party GitHub applications belonging to Heroku and Travis CI. GitHub has reported that "dozens of organizations," have had their private source code downloaded by the unknown actor.

OAuth authentication chain for GitHub Apps
Compromised OAuth authentication chain for GitHub Apps

GitHub has denied that the OAuth tokens were part of a breach relating to GitHub meaning that it is likely that the tokens were stolen from Travis CI and Heroku, however, how they were stolen is currently unclear.

This is yet another attack in a continuing and alarming trend where adversaries are specifically targeting private source code. This is largely due to the fact private repositories are known to contain huge amounts of sensitive information like secrets.
Mackenzie Jackson - Developer Advocate at GitGuardian

GitHub has confirmed this in their statement saying “we have high confidence that compromised OAuth user tokens from Heroku and Travis CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps."

GitHub also acknowledged that secrets inside the private repositories are likely the final target “the threat actor could be mining the data taken for secrets to pivot into other infrastructure.”
Mike Hanley, Chief Security Officer at GitHub

Why is private source code such a target?

What has become clear with the abundance of successful attacks targeting source code is that source code contains a lot of secrets (credentials) that attackers can use to move laterally into different systems.

These secrets are usually protected in highly secured systems, however, because they are so prominent in code repositories attackers are effectively taking the easy road. Why try to gain access to an encrypted and highly protected system when much of the same data is stored in plain text in a relatively unsecured environment, code repositories.
Mackenzie Jackson - Developer Advocate at GitGuardian

What was the response?

Heroku has currently revoked all OAuth keys to prevent attackers from using them on new private code repositories.

"To mitigate the impact from potentially compromised OAuth tokens, we will revoke over the next several hours all existing tokens from the Heroku GitHub integration," https://status.heroku.com/incidents/2413

However, this is causing issues for Heroku customers trying to deploy their applications.

Status notification from Heroku

What can I do?

Ensure OAuth App Access Restrictions are enabled

Organization owners can enable OAuth App access restrictions to prevent untrusted apps from accessing the organization's resources while allowing organization members to use OAuth Apps for their accounts. To do this navigate to the Third-Party Application Access Policy page on GitHub and Make sure that the policy is enabled, as in the screenshot below.

Warnings:


  • Enabling OAuth App access restrictions will revoke organization access for all previously authorized OAuth Apps and SSH keys. For more information, see "About OAuth App access restrictions."

  • Once you've set up OAuth App access restrictions, make sure to re-authorize any OAuth App that require access to the organization's private data on an ongoing basis. All organization members will need to create new SSH keys, and the organization will need to create new deploy keys as needed.

  • When OAuth App access restrictions are enabled, applications can use an OAuth token to access information about GitHub Marketplace transactions.

Review Personal OAuth Authorization Activity

You can see the history of an OAuth App to see if there is any suspicious activity. You can see this even if you are not the GitHub Org owner.

https://github.com/settings/security-log?q=action%3Aoauth_authorization.create+OR+action%3Aoauth_authorization.destroy

Make sure private repositories are free from secrets

Even if you take these actions, there is no guarantee that malicious actors won’t be able to view, download and exploit your private code from this breach or future breaches. It is therefore important we don’t have any sensitive information in our repositories so we must scan our repositories and monitor if we do have any secrets that attackers can use.

To scan for secrets, consider using GitGuardian Internal Monitoring.