Full Report
Datadog Security Labs identified multiple coordinated campaigns abusing the GitHub API to systematically enumerate organizations, repositories, users, and software development activity at scale. The activity primarily relied on legitimate GitHub functionality, including dorman...
Analysis Summary
# Incident Report: Coordinated GitHub API Enumeration and Access Token Abuse
## Executive Summary
Multiple coordinated campaigns were identified abusing the GitHub API to systematically harvest data from organizations, repositories, and users. The attackers leveraged exposed GitHub personal access tokens (PATs) and dormant GitHub Actions to automate large-scale reconnaissance and data exfiltration. The primary goal appeared to be the collection of software development intelligence and potentially sensitive code via legitimate API functionality.
## Incident Details
- **Discovery Date:** July 8, 2024 (Approximate public disclosure by Datadog/Wiz)
- **Incident Date:** Ongoing activity identified in mid-2024
- **Affected Organization:** Multiple GitHub Organizations (Global)
- **Sector:** Technology / Software Development
- **Geography:** Worldwide
## Timeline of Events
### Initial Access
- **Date/Time:** Variable; ongoing campaigns.
- **Vector:** Exposed Secrets and Credentials.
- **Details:** Attackers obtained legitimate credentials, primarily GitHub Personal Access Tokens (PATs) that had been accidentally leaked in public repositories or logs.
### Lateral Movement
- **Mechanism:** Token matching and API abuse.
- **Details:** Attackers used the initial exposed tokens to find other repositories or organizations the token holder had access to, effectively moving across different projects and environments within the GitHub ecosystem.
### Data Exfiltration/Impact
- **Details:** The campaigns systematically enumerated and cloned private repositories and metadata. By abusing the GitHub API, attackers were able to scrape software development activity, user profiles, and organization structures at scale.
### Detection & Response
- **How it was discovered:** Anomalous GitHub API traffic patterns detected by Datadog Security Labs.
- **Response actions taken:** Notification of affected parties; GitHub security teams were alerted to investigate the specific accounts and tokens being abused.
## Attack Methodology
- **Initial Access:** Valid accounts / Exposed GitHub PATs.
- **Persistence:** Utilization of dormant GitHub Actions and long-lived access tokens.
- **Privilege Escalation:** Not explicitly reported, though token abuse allowed access to the maximum scope of the compromised token.
- **Defense Evasion:** Use of legitimate API calls and GitHub infrastructure to blend in with normal developer activity.
- **Credential Access:** Scraping public repos for leaked secrets (Secret Scanning bypasses).
- **Discovery:** Automated GitHub API enumeration of organizations, users, and repositories.
- **Lateral Movement:** Using discovered tokens to access interconnected repositories.
- **Collection:** Automated cloning and metadata harvesting.
- **Exfiltration:** Exfiltrating code and metadata through API responses to attacker-controlled infrastructure.
- **Impact:** Significant data breach involving intellectual property and development telemetry.
## Impact Assessment
- **Financial:** Not disclosed; costs associated with incident response and potential IP loss.
- **Data Breach:** High volume of software artifacts, code, and organizational metadata.
- **Operational:** Low direct disruption, as the attack was clandestine and used legitimate functions.
- **Reputational:** Moderate; emphasizes the risk of credential sprawl for organizations using GitHub.
## Indicators of Compromise
- **Network indicators:** API calls originating from known proxy services or unusual IP ranges (Defanged example: `127[.]0[.]0[.]1` - *specific IPs not provided in summary source*).
- **Behavioral indicators:**
- High-frequency API calls to `/users/`, `/orgs/`, or `/repos/` endpoints.
- Repeated use of the same PAT across disparate, unrelated organizations.
- Execution of GitHub Actions in long-dormant repositories.
## Response Actions
- **Containment:** Revocation of identified compromised Personal Access Tokens.
- **Eradication:** Rotation of secrets across all potentially exposed repositories.
- **Recovery:** Auditing GitHub Audit Logs to determine the full extent of data accessed by the malicious actors.
## Lessons Learned
- **Key takeaways:** Legitimate features (APIs and GitHub Actions) can be powerful tools for attackers if credentials are not tightly managed.
- **What could have been done better:** Stricter enforcement of short-lived tokens (fine-grained PATs) and automated secret scanning could have mitigated the initial access vector.
## Recommendations
- **Transition to Fine-Grained Tokens:** Phase out classic PATs in favor of fine-grained PATs with limited scope and expiration dates.
- **Implement Secret Scanning:** Actively use GitHub Secret Scanning (with push protection) to prevent credentials from ever reaching a repository.
- **Audit GitHub Actions:** Regularly review and disable GitHub Actions in dormant repositories to prevent them from being repurposed for malicious automation.
- **Monitor Audit Logs:** Consistently monitor GitHub Audit Logs for anomalous patterns of API consumption.