GitHub has warned of a phishing campaign targeting GitHub users of multiple organizations by impersonating CircleCI to harvest user credentials and two-factor codes.
According to GitHub, the threat actors are targeting GitHub users, including members of organizations, with a phishing email claiming that the recipient's CircleCI session has expired and that they should log in again using their GitHub credentials.
When users click the login link, they are taken to a phishing site that mimics the GitHub login page and steals the credentials they enter. The phishing kit was well designed: it also handles users who have TOTP-based 2FA enabled. The site relays any TOTP code entered by the victim to the threat actor and on to GitHub in real time, allowing the threat actor to break into accounts protected by TOTP-based 2FA.
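Why the real-time relay described above works against TOTP, shown in a short Python model added here (not from GitHub's advisory or this article): a code verifies inside the server's time window no matter who forwards it, whereas an assertion bound to the origin the browser actually visited, as a WebAuthn-style phishing-resistant factor provides, fails when replayed from a lookalike site. The TOTP seed is the RFC 6238 test vector; the credential key, challenge and origins are constructed values, and the origin-bound check is a simplified illustration, not the real WebAuthn protocol.

```python
import hmac
import hashlib
import struct
import secrets

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Typical server check: accept the current window and +/- `skew` neighbouring windows.
    Nothing in the code records where or by whom it was typed, so a relayed code verifies."""
    return any(hmac.compare_digest(totp(secret, now + d * step, step), submitted)
               for d in range(-skew, skew + 1))

# Simplified model (not real WebAuthn) of an origin-bound assertion: the authenticator
# signs the challenge together with the origin the browser actually connected to.
def sign_assertion(cred_key: bytes, challenge: bytes, origin: str) -> bytes:
    return hmac.new(cred_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def verify_assertion(cred_key: bytes, challenge: bytes, expected_origin: str, sig: bytes) -> bool:
    """The relying party recomputes with its own origin; a signature made on a lookalike origin fails."""
    return hmac.compare_digest(sign_assertion(cred_key, challenge, expected_origin), sig)

def demo() -> dict:
    seed = b"12345678901234567890"       # RFC 6238 Appendix B test seed
    t_typed = 1111111109                 # instant the victim types the code on the lookalike page
    code = totp(seed, t_typed)
    cred_key = b"constructed-example-credential-key"   # constructed stand-in for a private key
    challenge = secrets.token_bytes(32)                # constructed server challenge
    return {
        # code forwarded to the real service 5 s later (even across the window boundary): accepted
        "relayed_totp_accepted": verify_totp(seed, code, t_typed + 5),
        "genuine_assertion_accepted": verify_assertion(
            cred_key, challenge, "https://github.com",
            sign_assertion(cred_key, challenge, "https://github.com")),
        # assertion produced while talking to a lookalike origin, forwarded to the real one: rejected
        "relayed_assertion_accepted": verify_assertion(
            cred_key, challenge, "https://github.com",
            sign_assertion(cred_key, challenge, "https://lookalike.example")),
    }

if __name__ == "__main__":
    print(demo())
```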
Tactics of the Threat Actor
- After stealing a GitHub user's account credentials, the threat actor may quickly create GitHub personal access tokens (PATs), authorize OAuth applications, or add SSH keys to the account in order to preserve access in the event that the user changes their password.
- In many cases, the threat actor immediately downloads private repository contents accessible to the compromised user, including those owned by organization accounts and other collaborators.
- The threat actor uses VPN or proxy providers to download private repository data via compromised user accounts.
- If a compromised account has organization management permissions, the threat actor may create new GitHub user accounts and add them to an organization in an effort to establish persistence.
What GitHub Did
After analyzing the phishing campaign, GitHub notified all of the known-affected users and organizations. For security purposes, GitHub reset passwords and removed threat actor-added credentials for all impacted users. Furthermore, GitHub has also suspended all identified threat actor accounts.
GitHub said it will continue to monitor for malicious activity and notify newly identified victim users and organizations as needed, adding: "If you did not receive an email notification from us, then we do not have evidence that your account and/or organization was accessed by the threat actor at this time."
What Users Need to Do
If you are a GitHub user and believe you fell for this phishing campaign, take the following steps:
- Reset your password
- Reset your two-factor recovery codes (2FA)
- Review your personal access tokens for unexpected or unused tokens
- Take additional steps to review and secure your account.