Last week, GitHub Security researchers reported that an unknown attacker is using stolen OAuth user tokens issued to Heroku and Travis CI to download data from dozens of organizations' private repositories. The campaign came to light on April 12, when GitHub detected unauthorized access to npm's production infrastructure.
While it’s unclear exactly how many enterprises have been affected by this campaign so far, what is clear, according to Prakash Linga, cofounder and CEO of software supply chain protection provider BluBracket, is that attackers “did find and leverage an active AWS key in npm’s private repo.”
As a result, “exposure here is not limited to GitHub and may extend to every app integrated with Heroku/Travis. Looks like the attack may be limited to companies leveraging Heroku/Travis cloud products,” Linga explained.
This suggests that organizations that have authorized OAuth applications such as Heroku and Travis CI to access their repositories should reassess the risk those integrations carry, since a token stolen from the integrator grants the same access the organization originally approved.
The risks of OAuth token theft
OAuth tokens are a standard mechanism IT vendors use to automate access to cloud services such as code repositories and devops pipelines. While these tokens are useful for enabling key IT services, they are also an attractive target for theft: whoever holds the token inherits the access it was issued with.
As Ray Kelly, fellow at NTT Application Security, explains: "If a token is compromised, in this case a GitHub token, a malicious actor can steal corporate IP or modify source to initiate a supply chain attack that could spread malware or steal PII from unsuspecting customers."
While these tokens are usually masked in consoles and logs and kept out of reach of most services, skilled attackers can still find ways to harvest them, for example through browser-based attacks, open redirects in the OAuth flow, or malware on a developer's machine.
It is for this reason that GitHub recommends that organizations periodically review which OAuth applications have been authorized to access critical data resources, remove any that are not necessary, and audit access where possible.
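One way to act on the last of those recommendations, as an added example that is not GitHub's code or part of the original article: a Python triage script that scans an organization audit-log export for the pattern GitHub described, an OAuth-app token reading many private repositories in a short window. The eight events below are constructed for this example; their field names follow GitHub's audit-log export (action, actor, repo, @timestamp, programmatic_access_type, hashed_token, repository_public), but every value, including the "acme" organization and its repository names, is invented.

```python
import json
from collections import defaultdict

# Constructed sample audit-log export (newline-delimited JSON). Field names
# follow GitHub's audit-log schema; every value is invented for this example.
SAMPLE_EXPORT = """\
{"@timestamp":1649764800000,"action":"git.clone","actor":"deploy-bot","repo":"acme/payments-api","repository_public":false,"programmatic_access_type":"OAuth access token","hashed_token":"t1"}
{"@timestamp":1649764860000,"action":"git.clone","actor":"deploy-bot","repo":"acme/billing-worker","repository_public":false,"programmatic_access_type":"OAuth access token","hashed_token":"t1"}
{"@timestamp":1649764920000,"action":"repo.download_zip","actor":"deploy-bot","repo":"acme/infra-terraform","repository_public":false,"programmatic_access_type":"OAuth access token","hashed_token":"t1"}
{"@timestamp":1649765040000,"action":"git.clone","actor":"deploy-bot","repo":"acme/secrets-rotator","repository_public":false,"programmatic_access_type":"OAuth access token","hashed_token":"t1"}
{"@timestamp":1649765100000,"action":"git.clone","actor":"deploy-bot","repo":"acme/website","repository_public":true,"programmatic_access_type":"OAuth access token","hashed_token":"t1"}
{"@timestamp":1649765160000,"action":"git.clone","actor":"alice","repo":"acme/payments-api","repository_public":false,"programmatic_access_type":"Personal access token","hashed_token":"t2"}
{"@timestamp":1649765220000,"action":"git.push","actor":"alice","repo":"acme/payments-api","repository_public":false,"programmatic_access_type":"Personal access token","hashed_token":"t2"}
{"@timestamp":1649765280000,"action":"repo.download_zip","actor":"bob","repo":"acme/docs","repository_public":false}
"""

# Actions that pull a whole repository's contents off the platform.
BULK_READ_ACTIONS = {"git.clone", "repo.download_zip"}


def parse_export(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not abort triage
    return events


def find_bulk_private_reads(events, min_repos=3, window_minutes=60,
                            oauth_only=True):
    """Return one finding per (actor, token) that read at least min_repos
    distinct private repositories within any window_minutes span.

    With oauth_only=True only events made with an OAuth access token are
    considered, matching the pattern GitHub described; pass False to cover
    personal access tokens and interactive (web) sessions as well.
    """
    per_key = defaultdict(list)  # (actor, token, access) -> [(ts_ms, repo)]
    for ev in events:
        if ev.get("action") not in BULK_READ_ACTIONS:
            continue
        # Missing visibility is treated as private so nothing is silently dropped.
        if ev.get("repository_public", False):
            continue  # public repos carry no confidentiality impact
        access = ev.get("programmatic_access_type", "web")
        if oauth_only and access != "OAuth access token":
            continue
        key = (ev.get("actor", "?"), ev.get("hashed_token", "none"), access)
        per_key[key].append((int(ev.get("@timestamp", 0)), ev.get("repo", "?")))

    window_ms = window_minutes * 60 * 1000
    findings = []
    for (actor, token, access), reads in per_key.items():
        reads.sort()
        # Sliding window over timestamps: keep the span with the most distinct repos.
        best, best_span = set(), (None, None)
        left = 0
        for right in range(len(reads)):
            while reads[right][0] - reads[left][0] > window_ms:
                left += 1
            repos = {r for _, r in reads[left:right + 1]}
            if len(repos) > len(best):
                best, best_span = repos, (reads[left][0], reads[right][0])
        if len(best) >= min_repos:
            findings.append({
                "actor": actor,
                "hashed_token": token,
                "access_type": access,
                "distinct_private_repos": len(best),
                "repos": sorted(best),
                "first_ts": best_span[0],
                "last_ts": best_span[1],
            })
    return sorted(findings, key=lambda f: -f["distinct_private_repos"])


if __name__ == "__main__":
    for f in find_bulk_private_reads(parse_export(SAMPLE_EXPORT)):
        print(f"{f['actor']} via {f['access_type']} (token {f['hashed_token']}) "
              f"read {f['distinct_private_repos']} private repos: {', '.join(f['repos'])}")
```

A hit is a lead, not proof of compromise: a legitimate CI integration also clones many repositories at once, so correlate the flagged actor and token with the OAuth applications the organization actually authorized, and revoke anything that does not match.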
A new supply chain attack?
The GitHub OAuth campaign shares similarities with existing supply chain attacks such as the SolarWinds and Kaseya breaches: compromising a single upstream provider gave the attackers access to multiple downstream organizations as part of a coordinated campaign.
This breach comes shortly after NCC Group reported that supply chain attacks increased 51% in the second half of 2021.
The same research found that most organizations were ill-prepared to confront the realities of these attacks, with just 34% of security decision-makers saying they would classify their organization as ‘very resilient’.
At the heart of the challenge of securing against supply chain attacks such as the OAuth breach is that modern cloud and hybrid networks are incredibly complex, expanding the attack surface to a level that is difficult to protect.
“The cloud has brought us a huge range of security improvements, but the convenience has a hidden downside. The ease of use also means it’s easier [to] make a security oversight, like failing to audit, monitor, or expire OAuth keys,” said Casey Ellis, founder and CTO at Bugcrowd.
“When OAuth keys like the ones used in this attack can’t be stolen from a database or poorly-permissioned repository, they are often gleaned from the client-side using malware or browser-based attacks, then collected and aggregated by Initial Access Brokers, and on-sold to those who need to use them for a specific attack,” he said.