GitHub is disclosed that unknown attackers have stolen encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories. Details of this can be found over at Bleeping Computer:
So far, GitHub has found no evidence that the password-protected certificates (one Apple Developer ID certificate and two Digicert code signing certificates used for Windows apps) were used for malicious purposes.
“On December 6, 2022, repositories from our atom, desktop, and other deprecated Github-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account,” GitHub said.
“Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.”
The company added that there is no risk to GitHub.com services due to this security breach and that no unauthorized changes were made to the affected projects.
However, the compromised certificates will be revoked to invalidate the GitHub Desktop for Mac and Atom versions signed using them.
Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi explains the impact of this:
GitHub is hugely valuable for developers: over 100 million developers use the platform, and the Fortune 500 and every major software developer from Microsoft to Google rely on it. It’s no surprise that it’s become a focus point for attackers too. Unknown threat actors have stolen code-signing machine identities after gaining access to some of its development and release planning repositories. This enables attackers to masquerade their software as coming from GitHub.
In the wrong hands, these machine identities could be used to pose as trusted, enabling an attacker to sign and send malicious content that will be authenticated by other machines as coming from GitHub. This is a powerful weapon that can enable supply chain attacks on other software developers and unknown possible subsequent (or past) attacks.
This is one more example of how engineering teams moving fast can create new opportunity for attack. Machine identity management is no longer optional. Code signing machine identities can’t be left unguarded with constant observability and control. The ability to rapidly find and reissue machine identities is impossible to do manually. To protect against events such as these, which are becoming increasingly common, security engineering teams must deploy a control plane for automating machine identity management. By doing so they continuously protect machine identities from theft and avoid manual rotation, replacement, and revocation that slows down engineering teams and leads to shortcuts that create breaches.
GitHub has this advice for affected users:
“On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor,” GitHub added.
“We highly recommend updating Desktop and/or downgrading Atom before February 2 to avoid disruptions in your workflows.”
I would be taking that advice and acting upon it as soon as possible.
Github Is Under Attack
Posted in Commentary with tags Apiiro, GitHub on March 1, 2024 by itnerdBad news for developers. Github is being besieged by millions of malicious repositories in an ongoing attack:
Similar to dependency confusion attacks, malicious actors get their target to download their malicious version instead of the real one. But dependency confusion attacks take advantage of how package managers work, while repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well.
In this case, in order to maximize the chances of infection, the malicious actor is flooding GitHub with malicious repos, following these steps:
And:
Once unsuspecting developers use any of the malicious repos, the hidden payload unpacks seven layers of obfuscation, which also involves pulling malicious Python code and later a binary executable. The malicious code (largely a modified version of BlackCap-Grabber) would then collect login credentials from different apps, browser passwords and cookies, and other confidential data. It then sends it back to the malicious actors’ C&C (command-and-control) server and performs a long series of additional malicious activities.
Ken Westin, Field CISO, Panther Labs had this to say:
We at Panther have seen an increase in software supply chain attacks, where developers, code and cloud infrastructure are increasingly becoming a target. We have seen this with APT groups such as Lazarus out of North Korea, as well as financially motivated cybercrime groups. The goal of the attacks are often to infect code upstream to then target customers downstream, or in this case to steal credentials and authentication cookies with the hopes of gaining privileged access applications, code and secrets. Many organizations do not consider monitoring data sources such as Github in their SIEM and often do not have visibility into potential security compromises of code or developers’ workstations and infrastructure.
The report from Apiiro has a lot of detail in terms of the attack and indicators of compromise, along with steps in terms of protection. Developers should read this and act accordingly .
Leave a comment »