GitHub Revoking Code Signing Certificates That Were Stolen By An Unknown Threat Actor
GitHub has disclosed that unknown attackers stole encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories. Details of this can be found over at Bleeping Computer:
So far, GitHub has found no evidence that the password-protected certificates (one Apple Developer ID certificate and two Digicert code signing certificates used for Windows apps) were used for malicious purposes.
“On December 6, 2022, repositories from our atom, desktop, and other deprecated Github-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account,” GitHub said.
“Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.”
The company added that there is no risk to GitHub.com services due to this security breach and that no unauthorized changes were made to the affected projects.
However, the compromised certificates will be revoked to invalidate the GitHub Desktop for Mac and Atom versions signed using them.
Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi, explains the impact of this:
GitHub is hugely valuable for developers: over 100 million developers use the platform, and the Fortune 500 and every major software developer from Microsoft to Google rely on it. It’s no surprise that it’s become a focus point for attackers too. Unknown threat actors have stolen code-signing machine identities after gaining access to some of its development and release planning repositories. This enables attackers to masquerade their software as coming from GitHub.
In the wrong hands, these machine identities could be used to pose as trusted, enabling an attacker to sign and send malicious content that will be authenticated by other machines as coming from GitHub. This is a powerful weapon that can enable supply chain attacks on other software developers and unknown possible subsequent (or past) attacks.
This is one more example of how engineering teams moving fast can create new opportunity for attack. Machine identity management is no longer optional. Code signing machine identities can’t be left unguarded with constant observability and control. The ability to rapidly find and reissue machine identities is impossible to do manually. To protect against events such as these, which are becoming increasingly common, security engineering teams must deploy a control plane for automating machine identity management. By doing so they continuously protect machine identities from theft and avoid manual rotation, replacement, and revocation that slows down engineering teams and leads to shortcuts that create breaches.
GitHub has this advice for affected users:
“On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor,” GitHub added.
“We highly recommend updating Desktop and/or downgrading Atom before February 2 to avoid disruptions in your workflows.”
I would be taking that advice and acting upon it as soon as possible.
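To make the trust mechanics behind the story concrete, here is an added example (not GitHub's or Venafi's code) modelling what a client does when it checks a signed release: verify the signature and then reject anything whose signing certificate is on the revocation list. It uses an HMAC keyed by a per-identity secret as a stand-in for a real public-key signature so that it runs offline with the standard library only; the certificate names, release names and artifact bytes are constructed for illustration and are not GitHub's real certificate identifiers.

```python
"""Toy model of code-signing trust with certificate revocation.

Stand-in for real Authenticode / Apple Developer ID verification: an HMAC
keyed by a per-identity secret plays the role of the signature, and the
verifier's copy of that secret plays the role of the certificate's public key.
All names and artifact bytes below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class SigningIdentity:
    """A code-signing certificate together with the key it certifies (toy)."""
    name: str
    secret: bytes  # stands in for the private key

    def sign(self, artifact: bytes) -> dict:
        return {"signer": self.name,
                "mac": hmac.new(self.secret, artifact, hashlib.sha256).hexdigest()}


@dataclass
class TrustStore:
    """What a verifying client knows: trusted identities and which are revoked."""
    trusted: dict                              # name -> SigningIdentity
    revoked: set = field(default_factory=set)  # names of revoked certificates

    def revoke(self, name: str) -> None:
        self.revoked.add(name)

    def verify(self, artifact: bytes, signature: dict) -> tuple:
        signer = signature["signer"]
        if signer not in self.trusted:
            return (False, "unknown signer")
        if signer in self.revoked:
            # A revoked certificate invalidates everything it signed, even
            # though the signature itself is still cryptographically intact.
            return (False, f"signer {signer} revoked")
        expected = hmac.new(self.trusted[signer].secret, artifact,
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature["mac"]):
            return (False, "signature mismatch")
        return (True, "ok")


def demo() -> dict:
    """Walk through the incident: old cert signs Atom, new cert signs Desktop,
    then the old cert is revoked. Returns the verification results."""
    old_cert = SigningIdentity("stolen-cert", b"constructed-old-key")   # compromised
    new_cert = SigningIdentity("fresh-cert", b"constructed-new-key")    # issued afterwards
    store = TrustStore(trusted={c.name: c for c in (old_cert, new_cert)})

    atom_build = b"Atom installer (constructed bytes)"
    desktop_build = b"GitHub Desktop release (constructed bytes)"
    atom_sig = old_cert.sign(atom_build)
    desktop_sig = new_cert.sign(desktop_build)

    before = {"atom": store.verify(atom_build, atom_sig),
              "desktop": store.verify(desktop_build, desktop_sig)}

    store.revoke(old_cert.name)  # the step GitHub announced

    after = {"atom": store.verify(atom_build, atom_sig),
             "desktop": store.verify(desktop_build, desktop_sig),
             # a modified binary fails even with a trusted signer
             "tampered": store.verify(desktop_build + b"!", desktop_sig)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in demo().items():
        for name, (ok, reason) in results.items():
            print(f"{phase:6} {name:8} {'PASS' if ok else 'FAIL'} ({reason})")
```

The point the model makes is the one in GitHub's advisory: the old Atom build verifies fine right up until the certificate is revoked, after which it is rejected regardless of whether the signature was ever misused, while the release signed with the new certificate keeps working. That is why the advice is to update Desktop or downgrade Atom before the revocation date rather than to wait for signs of abuse.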
This entry was posted on January 31, 2023 at 11:47 am and is filed under Commentary with tags GitHub, Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.