Datadog Security Labs is warning of “multiple overlapping campaigns” that are systematically encroaching on corporate GitHub organizations, repositories, and user accounts through the GitHub API.
“Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, often leveraging years-old GitHub ‘ghost’ accounts, or compromising OAuth tokens and personal access tokens (PATs) from legitimate users,” said Julie Agnes Sparks, senior security engineer at Datadog.
While in most cases the activity involves targeting public data, select examples have gone beyond public information counts to successfully clone private repositories.
The campaign employed a mix of automated scanner tools, over 50 inactive accounts, and dozens of legitimate accounts whose Personal Access Tokens (PATs) have been inadvertently exposed or compromised through some other method to facilitate enumeration.
What is notable about “ghost” accounts is that they were created two to five years ago and were intentionally left inactive for long periods of time before they were weaponized to release API traffic in many organizations. This technique is strategic as it aims to avoid raising any red flags and make the activity appear legitimate, rather than creating new accounts and immediately using them for scraping.
Because a large portion of GitHub’s API surface is accessible without authentication, count queries return the necessary data, while blending in general API usage. Some of them include –
- Listing an organization’s public repositories
- Tracking a user’s followers and following lists
- Calculating abstracts, starred repos, and organization subscriptions, and
- Running GraphQL queries against public objects
This information can be used by a threat actor to perform reconnaissance and programmatically map an organization’s GitHub-related activity, such as its public repositories, its members, who those members follow, and what projects they modify.
Data access has been confirmed in some scenarios in which attackers are taking steps to clone private repositories belonging to the same organization.
“Individually, most of these requests are unremarkable. They reach a public endpoint, authenticate cleanly or not at all, and return successful responses,” Datadog said. “The concern is overall: a bunch of accounts that have been syncing across companies’ GitHub organizations with versioned custom tooling over several weeks, and in the worst case, actors who stopped computing and started cloning.”