Recent investigations have revealed that dormant GitHub accounts are being strategically utilized in coordinated efforts to gather information on corporate structures, repositories, and developers. This activity highlights a sophisticated approach to cyber reconnaissance, leveraging GitHub’s API to gather publicly available data, with occasional unauthorized access to private repositories.
Details of the GitHub Account Exploitation
The campaigns, which have been active since at least October, are carried out by multiple threat actors operating in an overlapping manner. These actors utilize automated tools and compromised access tokens, relying on a network of long-inactive accounts to execute their plans. Many of these accounts were initially created two to five years ago but remained dormant until they started making API requests to various GitHub organizations.
This aging tactic helps perpetrators appear more legitimate compared to newly created accounts. The investigation noted recognizable naming conventions among these accounts, such as using prefixes like amazon-data-*, specific family patterns like *-orb, and recurring usernames such as BirdWithDreams and user432023.
Operational Tactics and Tools
Datadog’s findings reveal that numerous accounts were involved in reconnaissance activities, often active for only a few weeks before ceasing operations. The attackers primarily targeted GitHub’s /graphql endpoint for bulk requests related to organizational, user, and repository data.
Additionally, they utilized REST API routes to access information about public repositories, memberships, followers, gists, starred projects, and user activity. Although much of this data is public, the successful HTTP responses might seem like legitimate API usage.
Suspicious user-agent strings noted in these campaigns include GitHub-Company-Scraper and GitHub-Analytics/1.5. These tools often masqueraded as legitimate by using names associated with analytics and repository monitoring. However, some campaigns stood out with simpler identifiers, such as the request user agent.
Implications and Security Measures
Between December and January, compromised credentials of several GitHub users were used to access organizational data swiftly. Attackers employed various user agents to conduct operations such as listing repositories and retrieving commit data.
Although many attempts to access private repositories failed, there was a documented case where a tool, repo-dumper, successfully cloned a private repository and executed API actions. This incident underscores the importance of monitoring public GitHub metadata as a precursor to potential credential abuse or source code theft.
Security experts recommend enabling GitHub audit log streaming and establishing a baseline for normal API activities. Vigilance should be exercised particularly with successful API requests involving private repositories, especially when OAuth or personal access tokens are concerned.
Key indicators of malicious activity include unusual user agents, unexpected account behaviors, suspicious token usages, and high request volumes from sources linked to infrastructure providers like 3xktech.cloud and cherryservers.com.
