Datadog Security Labs has identified multiple campaigns systematically analyzing corporate GitHub organizations, repositories, and user accounts via the GitHub API. This activity is facilitated by dormant accounts and compromised access tokens, posing a significant security concern.
Strategic Use of Dormant Accounts
Operators of these campaigns utilize automated scraping tools, employing user agents that mimic legitimate behavior. According to Julie Agnes Sparks, a senior security engineer at Datadog, these actors exploit GitHub ‘ghost’ accounts and compromised OAuth tokens or personal access tokens (PATs) from legitimate accounts. In some instances, the activity has escalated from public information gathering to the cloning of private repositories.
The dormant accounts, often inactive for two to five years, are strategically reactivated to conduct API traffic without raising suspicions. This approach contrasts with newly created accounts, which might attract scrutiny if used immediately for data scraping.
Techniques and Tools Employed
The campaigns make extensive use of GitHub’s API, which does not require authentication for a significant portion of its surface. As a result, attackers can execute queries that list public repositories, trace user connections, and enumerate various public data points, all while blending into normal API operations. Such queries include listing an organization’s public repositories, walking a user’s follower and following lists, and running GraphQL queries against public objects.
This information is valuable for threat actors conducting reconnaissance, allowing them to map an organization’s GitHub activity, including public repositories, member connections, and project involvement.
Implications for Organizations
Instances of unauthorized data access have been confirmed, with attackers successfully cloning a private repository from one organization. Datadog highlights that while individual requests may appear benign, the coordinated activity of multiple accounts across different organizations is concerning. The systematic use of custom tools and synchronized account actions over weeks can evolve from mere enumeration to potential theft of sensitive data.
The findings underscore the need for organizations to be vigilant about potential vulnerabilities within GitHub and the broader digital ecosystem. Monitoring for unusual account activities and securing access tokens are critical steps in mitigating these threats.
As cyber threats continue to evolve, it becomes imperative for companies to strengthen their security measures and remain informed about potential risks associated with dormant and compromised accounts.
