GitHub, the popular platform for developers and code hosting, is facing an ongoing extortion campaign where threat actors impersonate its security and recruitment teams to hijack repositories. This sophisticated phishing attack, which has been active since at least February, exploits GitHub's notification and mention functionalities to lure developers into authorizing malicious OAuth apps.
The Anatomy of the Attack
The attack begins with developers receiving phishing emails sent from "notifications@github.com", GitHub's own notification address, which makes them appear legitimate. These emails, which offer fake job opportunities or security alerts, direct recipients to websites such as githubcareers[.]online or githubtalentcommunity[.]online, as first identified by CronUp security researcher Germán Fernández. Once on these landing pages, users are prompted to sign into their GitHub accounts and authorize a new OAuth app. This app requests extensive permissions, including access to private repositories, personal user data, and the ability to delete adminable repositories.
The Aftermath
Many victims report their accounts being disabled and losing access to all repositories, often after other users flag their accounts for spam activity. According to BleepingComputer, once the attackers gain control, they wipe the repository contents, rename the repository, and leave a README.me file instructing victims to contact them on Telegram to recover their data. The attackers claim to have backed up the data before destroying it, adding an extra layer of extortion.
GitHub users targeted in this campaign have experienced significant disruptions, with the phishing emails cleverly exploiting trust in GitHub's notification system. Despite the sophistication of the attack, GitHub has reassured users that their systems have not been compromised. "We understand the inconvenience caused by these notifications. Our teams are currently working on addressing these unsolicited phishing notifications," said a GitHub community manager. Users are urged to report any abusive or suspicious activity using GitHub's abuse reporting tools.
Expert Insights
Max Gannon, Cyber Intelligence Team Manager at Cofense, commented on the unusual nature of the attack: “Threat actors spoofing legitimate companies in order to gain access to content is nothing new; however, it is unusual for threat actors to go to such lengths in order to obtain access. What is even more unusual is that after the threat actors obtain access, they appear to only use the accounts for extortion rather than performing more advanced actions like uploading malware to the repos to infect more people.”
Gannon further noted the potential for threat actors to search for additional hard-coded credentials or vulnerabilities within the compromised data. However, the primary focus on extortion suggests a lower skill level. This attack highlights the persistent risk of supply chain attacks, emphasizing the need for companies to monitor the sources of their code and ensure those sources are secure.
Mitigation Strategies
In response to the campaign, GitHub staff have provided several recommendations to help users protect their accounts:
Avoid Clicking Suspicious Links: Do not click on any links or reply to suspicious notifications.
Report Suspicious Activity: Use GitHub's abuse reporting tools to report any abusive or suspicious activity.
Review OAuth App Authorizations: Periodically review authorized OAuth apps and avoid authorizing unknown apps.
Stay Vigilant: Remain cautious about unexpected communications, even if they appear to come from trusted sources.
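As an added example (not code from the article, from GitHub or from the researchers cited), the following Python triage script checks a notification for the two signals this campaign relies on: links that lead off-platform to GitHub lookalike domains, and GitHub OAuth authorize URLs whose scope parameter requests the broad permissions described above. The allowlisted host suffixes, the high-risk scope set and the sample message are constructed assumptions; the client_id in the sample is a placeholder.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts a genuine GitHub notification may link to (assumption: tune for your environment)
LEGIT_SUFFIXES = ("github.com", "githubusercontent.com", "github.io")
# OAuth scopes far beyond what a job offer or security alert could plausibly need
HIGH_RISK_SCOPES = {"repo", "delete_repo", "admin:org", "workflow", "user", "write:packages"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(text):
    """Turn defanged indicators such as githubcareers[.]online back into parseable URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def is_github_host(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def assess_url(url):
    """Return a list of findings for one link; an empty list means nothing was flagged."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not is_github_host(host):
        kind = "lookalike domain" if "github" in host.lower() else "off-platform link"
        findings.append(f"{kind}: {host}")
    elif parsed.path == "/login/oauth/authorize":
        # GitHub separates scopes with spaces (%20 in the URL); parse_qs decodes them
        scopes = set(parse_qs(parsed.query).get("scope", [""])[0].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            findings.append("OAuth app requests high-risk scopes: " + ", ".join(risky))
    return findings


def assess_notification(text):
    """Map every flagged URL in a message body to its findings."""
    return {u: f for u in URL_RE.findall(refang(text)) if (f := assess_url(u))}


# Constructed sample modelled on the campaign's mention notifications
SAMPLE = """From: notifications@github.com
@dev-alice you were mentioned: we have a role for you, apply at https://githubcareers[.]online/apply
Then authorize here: https://github.com/login/oauth/authorize?client_id=CLIENT_ID_PLACEHOLDER&scope=repo%20user%20delete_repo
Docs: https://docs.github.com/en/apps
"""

if __name__ == "__main__":
    for url, findings in assess_notification(SAMPLE).items():
        print(url, "->", "; ".join(findings))
```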
This campaign is a stark reminder of the evolving tactics used by cybercriminals and the importance of robust security practices. As developers continue to navigate the complexities of digital threats, ongoing education and proactive measures are essential to safeguard against such sophisticated attacks.