Datadog Safety Labs is warning of “a number of overlapping campaigns” which can be systematically enumerating company GitHub organizations, repositories, and consumer accounts by means of the GitHub API.
“Operators depend on automated scraping tooling with customized or legitimate-sounding consumer brokers, leveraging GitHub ‘ghost’ accounts which can be typically years outdated, or compromised OAuth tokens and private entry tokens (PATs) from respectable customers,” Julie Agnes Sparks, senior safety engineer at Datadog, mentioned.
Whereas the exercise usually includes focusing on public knowledge, choose cases have gone past public info enumeration to efficiently clone personal repositories.
The marketing campaign employs a mixture of automated scanner instruments, over 50 dormant accounts, and dozens of respectable accounts which have had their private entry tokens (PATs) uncovered unintentionally or compromised by means of another methodology to facilitate the enumeration.
What’s notable in regards to the “ghost” accounts is that they had been created two to 5 years in the past and deliberately left inactive for prolonged durations of time earlier than weaponizing them to concern API visitors throughout a number of organizations. This system is strategic because it goals to keep away from elevating any pink flags and go off the exercise as respectable, versus creating new accounts and instantly utilizing them for scraping.
As a result of a big chunk of GitHub’s API floor is reachable with out authentication, the enumeration queries return the required knowledge, whereas mixing into regular API utilization. A few of them embrace –
- Itemizing a company’s public repositories
- Strolling a consumer’s followers and following lists
- Enumerating gists, starred repos, and org memberships, and
- Working GraphQL queries towards public objects
This info can be utilized by a risk actor to conduct reconnaissance and programmatically map out a company’s GitHub-related exercise, resembling its public repositories, its members, who these members comply with, and which initiatives they modify.
Information entry has been confirmed in a couple of eventualities, with the attackers taking steps to clone a personal repository belonging to a single group.
“Individually, most of those requests are unremarkable. They hit public endpoints, authenticate cleanly or by no means, and return profitable responses,” Datadog mentioned. “The priority lies within the combination: a bunch of accounts transferring in sync throughout corporations’ GitHub organizations with versioned customized tooling iterating over weeks, and within the worst case, actors that stopped enumerating and began cloning.”









