Breach Debrief Series: Bait and Switch at GitHub

Yonatan Nachman, Product Manager

GitHub is in the news again, with malicious repositories stealing login credentials and cryptocurrency from developers’ devices. According to researchers at antivirus firm G-Data, these repositories, which are near clones of legitimate repositories, all lead to one of at least 13 GitHub repositories that install the RisePro malware. 

Users have to go through several steps before they download the malware. They begin by downloading a README.md file, which contains a password for cracked software. From there, they can access the installer. The MSI installer unpacks a new executable file. Once the loader is executed, the malicious payload is injected into the victim’s device. RisePro gathers sensitive data and exfiltrates it to a Telegram channel. 

Hardening the GitHub Environment to Prevent Attacks

While there are a number of settings one should check to make sure their GitHub is secure, protection from this type of attack begins with encouraging users to verify the authenticity of repositories before interacting with them. In this case, many of the repositories often mimic the naming of genuine repositories to confuse users. 

GitHub has several configurations that organizations should secure to minimize the risk of accidental exposure. For example, enabling secret scanning and push protection for public and private repositories safeguards code against unauthorized access and code modifications. 

Personal access tokens (PAT) should also be closely monitored. Configure the application to send alerts when unused PATs need to be revoked to prevent misuse, or let the security team know when an excessive amount of PATs are created.

Branch protection also plays a key role in GitHub security. To ensure that no malicious code is inserted into the main branch, all commits should be signed with a GPG or S/MIME signature. Furthermore, all code should pass a review that meets the company’s standards before it is merged. 

Finally, security teams should review audit logs to find unauthorized changes. GitHub logs include information about additions to the codebase, which can be used for early detection of suspicious activities and identifying unauthorized access. 

Maintaining a Secure SaaS Stack 

As the cyber threat landscape evolves, it becomes increasingly crucial for organizations to strengthen their defenses against sophisticated attacks, such as the one analyzed in this blog post. The recent malicious campaign targeting GitHub environments highlights the urgent need for robust security measures.

Deploying a SaaS Security Posture Management (SSPM) solution is essential for enhancing the security of GitHub environments. This involves prioritizing measures to counter coming from repositories. Furthermore, the importance of an Identity Threat Detection and Response (ITDR) solution cannot be emphasized enough, particularly for swiftly identifying and addressing incidents such as account compromises, unusual activities, and potential data leaks.

The insights shared in this blog post offer valuable guidance for organizations aiming to reinforce their security posture. They underscore the interdependence between SSPM solutions and ITDR capabilities in establishing a comprehensive SaaS security framework. By embracing these approaches, organizations can proactively shield their digital assets, ensuring resilience against evolving cyber threats while upholding the confidentiality, integrity, and availability of sensitive data.

About the writer

Yonatan Nachman, Product Manager

Yonatan is a Product Manager at the SaaS Security Research team at Adaptive Shield. He joined Adaptive Shield from the army where he was a Full-stack developer and a Product Manager. Oh, and he loves the thrill of a good roller coaster ride.