A phishing campaign on GitHub with fake security alerts has attempted to trick about 12,000 developers into installing a malicious OAuth app. This app then allows hackers to gain full access and control over the code of the affected accounts.
Hackers targeted about 12,000 GitHub users with a phishing campaign built on fake security alerts, as discovered by security researcher Luc4m. The fake alert, styled like a standard GitHub security notification, warns developers of unusual activity from Reykjavik, Iceland, and the specific IP address 53.253.117.8.
Attack path
Victims are urged to take certain steps to secure their accounts, such as updating their passwords, reviewing their account activity and setting up two-factor authentication.
However, the attached links instead lead to the installation of a rogue “gitsecurityapp” OAuth app that requests extensive permissions. Once granted, they give the attackers full control over the affected account and access to its code repositories.
The permissions requested by the fake app include:
- repo – full access to public and private repositories
- user – read and write permissions
- read:org – access to organizational data, projects and teams
- read:discussion – read and write permissions to participate in discussions
- gist – access to GitHub Gists
- delete_repo – delete repositories
- workflows, workflow, write:workflow, read:workflow, update:workflow – control over GitHub Actions workflows
When a victim logs in and authorizes the rogue OAuth app, an access token is issued and sent to the app’s callback address, one of several web pages hosted on onrender.com.
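The point of the scope list above is that a user who clicks through the "security alert" is actually asked to approve an OAuth authorization. The following is an added example (not code from the article or from GitHub) that a mail-security or IR team can run on a link lifted from such a message: it verifies the link really is the github.com OAuth authorization endpoint, extracts the requested scopes, and rates them, so the reviewer sees at a glance that an alleged security alert is asking for `delete_repo` and `workflow` rights. The client_id and callback host in the sample are constructed placeholders; the scope list mirrors the one reported for the rogue app.

```python
"""Triage a GitHub OAuth authorization link taken from a suspected phishing mail.

Added example, not code from the article or from GitHub. The sample link's
client_id and callback host are placeholders; only the scope list follows the
article's description of the rogue "gitsecurityapp".
"""
from urllib.parse import urlparse, parse_qs

# Severity and meaning of scopes an OAuth app can ask for. The first seven are
# GitHub OAuth scopes; the remaining names are the extra workflow scopes the
# article lists for this campaign and are rated like "workflow".
SCOPE_RISK = {
    "repo": ("high", "full read/write on public and private repositories"),
    "delete_repo": ("high", "can delete repositories"),
    "workflow": ("high", "can add or modify GitHub Actions workflows"),
    "user": ("high", "read/write on profile data, including e-mail"),
    "gist": ("medium", "can create gists (handy for staging stolen data)"),
    "read:org": ("medium", "reads organization membership, teams and projects"),
    "read:discussion": ("low", "reads team discussions"),
    "workflows": ("high", "workflow control (as listed in the article)"),
    "write:workflow": ("high", "workflow control (as listed in the article)"),
    "update:workflow": ("high", "workflow control (as listed in the article)"),
    "read:workflow": ("medium", "workflow control (as listed in the article)"),
}
_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def is_github_authorize_link(url: str) -> bool:
    """True only for https://github.com/login/oauth/authorize (exact host, no look-alikes)."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == "github.com" and p.path == "/login/oauth/authorize"


def parse_authorize_url(url: str) -> dict:
    """Return client_id, requested scopes and the callback host of an authorization link."""
    if not is_github_authorize_link(url):
        raise ValueError(f"not a GitHub OAuth authorization link: {url}")
    q = parse_qs(urlparse(url).query)
    scopes = set()
    for raw in q.get("scope", []):          # GitHub accepts space- or comma-separated scopes
        scopes.update(s for s in raw.replace(",", " ").split())
    redirect = q.get("redirect_uri", [""])[0]
    return {
        "client_id": q.get("client_id", [""])[0],
        "scopes": sorted(scopes),
        "callback_host": (urlparse(redirect).hostname or "").lower(),
    }


def triage(url: str) -> dict:
    """Rate every requested scope; any 'high' scope yields the verdict BLOCK."""
    info = parse_authorize_url(url)
    findings, worst = [], "none"
    for s in info["scopes"]:
        sev, why = SCOPE_RISK.get(s, ("low", "unclassified scope; review manually"))
        findings.append((s, sev, why))
        if _ORDER[sev] > _ORDER[worst]:
            worst = sev
    verdict = "BLOCK" if worst == "high" else ("REVIEW" if worst != "none" else "INFO")
    return {**info, "findings": findings, "worst_severity": worst, "verdict": verdict}


# Constructed sample mirroring the campaign's scope list; client_id and callback
# host are placeholders, not real indicators.
SAMPLE_URL = (
    "https://github.com/login/oauth/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER"
    "&scope=repo%20user%20read:org%20read:discussion%20gist%20delete_repo%20workflow"
    "&redirect_uri=https://placeholder-callback.onrender.com/callback"
)

if __name__ == "__main__":
    report = triage(SAMPLE_URL)
    print(report["verdict"], "- callback host:", report["callback_host"])
    for scope, sev, why in report["findings"]:
        print(f"  {scope:16} {sev:6} {why}")
```

Whatever the scopes say, the message type alone is the tell: a genuine account-security notice sends you to your own settings pages, never to an app-authorization prompt, so a "security alert" that resolves to `/login/oauth/authorize` should be treated as phishing even if the requested scopes look modest. Reporting the callback host separately lets the analyst pivot on it (here the campaign's onrender.com pages) without baking any host into the verdict, since legitimate apps also use third-party callback domains.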
The phishing campaign began on Sunday, March 16, and is still active. BleepingComputer writes that the number of victims affected is fluctuating, possibly due to GitHub’s countermeasures to combat the attack. GitHub itself has not yet responded.
Taking action
If developers fell for the phishing email and installed the malicious app, they can take some action to minimize the damage.
If they have granted authorization, they should immediately revoke access for any unknown or suspicious GitHub Apps or OAuth apps, especially any app named “gitsecurityapp,” as mentioned above.
In addition, look for new or unexpected GitHub Actions workflows and check whether private gists have been created. Last, but not least, potentially affected users should rotate their login credentials and authorization tokens.
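Revoking the app itself is done in the account settings (Settings → Applications → Authorized OAuth Apps), but the other two checks above, unexpected workflows and newly created gists, can be scripted against the REST API. The following is an added example (not code from the article or from GitHub) with two detection functions that run over the JSON returned by `GET /repos/{owner}/{repo}/actions/workflows` and `GET /gists` and flag anything created or modified since the campaign started; a small fetch helper performs the calls with a token. The sample responses are constructed so the checks can be exercised offline, and the campaign year is an assumption: the article names only "Sunday, March 16", which fell on a Sunday in 2025.

```python
"""Post-incident audit helpers for the checks the article recommends.

Added example, not code from the article or from GitHub. Sample data is
constructed; the campaign start year (2025) is assumed from the weekday.
"""
import json
import urllib.request
from datetime import datetime, timezone

CAMPAIGN_START = datetime(2025, 3, 16, tzinfo=timezone.utc)  # assumed year, see above


def _ts(s: str) -> datetime:
    """Parse GitHub's ISO-8601 timestamps (e.g. 2025-03-17T02:11:09Z) as aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def recent_workflows(listing: dict, since: datetime = CAMPAIGN_START) -> list:
    """Workflows created or modified at/after `since`.

    `listing` is the body of GET /repos/{owner}/{repo}/actions/workflows. Disabled
    workflows are kept: a planted workflow that GitHub later disabled still shows
    the account was touched.
    """
    hits = []
    for wf in listing.get("workflows", []):
        if _ts(wf["created_at"]) >= since or _ts(wf["updated_at"]) >= since:
            hits.append({
                "path": wf["path"], "name": wf["name"], "state": wf["state"],
                "created_at": wf["created_at"], "updated_at": wf["updated_at"],
            })
    return hits


def recent_gists(gists: list, since: datetime = CAMPAIGN_START, secret_only: bool = False) -> list:
    """Gists created at/after `since`; `secret_only` keeps only non-public ones."""
    out = []
    for g in gists:
        if _ts(g["created_at"]) < since:
            continue
        if secret_only and g.get("public", True):
            continue
        out.append({
            "id": g["id"], "public": g["public"],
            "files": sorted(g.get("files", {})), "created_at": g["created_at"],
        })
    return out


def fetch_json(path: str, token: str):
    """GET https://api.github.com<path> with a personal access token (network call)."""
    req = urllib.request.Request(
        "https://api.github.com" + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses: shape follows the API, values are made up.
SAMPLE_WORKFLOWS = {
    "total_count": 2,
    "workflows": [
        {"id": 1, "name": "CI", "path": ".github/workflows/ci.yml", "state": "active",
         "created_at": "2024-11-02T09:00:00Z", "updated_at": "2024-11-02T09:00:00Z"},
        {"id": 2, "name": "sync", "path": ".github/workflows/sync.yml", "state": "active",
         "created_at": "2025-03-17T02:11:09Z", "updated_at": "2025-03-17T02:11:09Z"},
    ],
}
SAMPLE_GISTS = [
    {"id": "gist-old", "public": True, "created_at": "2023-05-01T12:00:00Z",
     "files": {"notes.md": {}}},
    {"id": "gist-new", "public": False, "created_at": "2025-03-16T19:40:00Z",
     "files": {"dump.txt": {}}},
]

if __name__ == "__main__":
    # Offline run over the constructed samples. For a live audit, replace them with
    # fetch_json("/repos/OWNER/REPO/actions/workflows", TOKEN) and fetch_json("/gists", TOKEN).
    for w in recent_workflows(SAMPLE_WORKFLOWS):
        print("workflow since campaign start:", w["path"], w["state"], w["updated_at"])
    for g in recent_gists(SAMPLE_GISTS, secret_only=True):
        print("secret gist since campaign start:", g["id"], g["files"])
```

Run the workflow check over every repository the token can reach, not just the ones you actively maintain; the `repo` scope the rogue app held covers all of them. Anything flagged should be compared against your own commit history before deletion, and the token used for the audit should itself be a freshly issued one, since rotating credentials is the last step the article lists.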