On April 12th, GitHub publicly announced they’d uncovered evidence of an attacker abusing stolen OAuth user tokens – which were issued to two third-party OAuth integrators, Heroku and Travis-CI – to download data from dozens of their customers. Third-party applications are not always as innocent as they might seem. The applications maintained by these two platform service providers were used by GitHub users, which makes this breach a new addition to the growing list of recent attacks that utilized unauthorized access to target suppliers' systems.
GitHub’s analysis of the threat actor's behaviors suggests that they mined the downloaded private repository (GitHub’s own npm) contents. These “behaviors” were mainly read operations, which made them extremely difficult to track as the threat actor did not mutate anything. The attacker scanned the code within these private repos to which the stolen OAuth token had access, seeking out secrets that could be used to pivot into other infrastructure – a classic supply chain example. GitHub is now performing damage control and urging its customers to scan their private repos for any credentials stored within, among other standard security recommendations.
As stated in their announcement:
“We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves.” - GitHub
GitHub hasn't disclosed how they became aware of the attack, when it actually unfolded, or how the attackers became successful in gaining access to the OAuth applications in the first place. Monitoring all aspects of your supply chain is no easy feat. But there are steps organizations can take to prevent unauthorized access to business-critical resources and mitigate the risk of supply chain attacks.
Here are a few countermeasures to consider:
Today, DoControl provides a complete inventory of identities and events for end-to-end visibility of every interaction and connection – for all flesh-and-blood SaaS users. From there, we enable the creation of very granular data access control policies to remediate the risk of data exfiltration and overexposure. It is a natural evolution to expand our reach into non-human identities, as well as to cover third-party applications of the integrated SaaS apps. This will allow the potential risk those apps might expose (i.e. invalid tokens, extensive or unused permissions, listed versus unlisted apps, etc.) to be identified and blocked. As a first phase we've launched Microsoft third-party apps view (see the image below which was a part of the recent DoControl hackathon), and for phase two we are going to expand additional applications to include Slack, Google, and GitHub. Beyond providing the visibility you need, we further provide support for on-demand remediation (i.e. removal of apps/token), relevant events digestion --> workflows automation (i.e. notification, remediation and delegation to other controls).
The trend of supply-chain-based attacks continues to rise – and for good reason. These attacks are a type of cardinality of one-to-many; whereby you compromise one victim organization (the supplier) and gain an entry point into some or all of its customers (the consumers of the service provider). The GitHub attack proves the importance of protecting the supply chain, and ensuring the companies your organization is partnering with are as committed to that protection as you are. Preventing this kind of attack is a challenge, but doing nothing is folly. Learn more about how DoControl can help close SaaS application security gaps and strengthen security programs to mitigate the risk of supply chain attacks.