Hackers are using stolen OAuth access tokens to breach dozens of internal organization systems



Last week, researchers at GitHub Security reported that an unknown attacker is using stolen OAuth user tokens issued to Heroku and Travis-CI to download data from dozens of the organization’s private repositories, including the GitHub npm production framework on April 12.

While it’s unclear exactly how many companies have been impacted by this campaign so far, what is clear, according to Prakash Linga, co-founder and CEO of supply chain protection software provider BluBracket, is that the attackers “found and exploited an active AWS key in npm’s private repository.”

As a result, “the exposure here is not limited to GitHub and may extend to all applications integrated with Heroku/Travis. It appears that the attack may be limited to companies using Heroku/Travis cloud products,” explained Linga.

This suggests that organizations using tools like Heroku and Travis that generate OAuth user tokens should assess the security risks raised by these tools.

Risks of OAuth token theft

OAuth tokens are one of the go-to items IT vendors use to automate cloud services like code repositories and devops pipelines. While these tokens are useful for enabling key computing services, they are also vulnerable to theft.

As NTT Application Security fellow Ray Kelly explains, “If a token is compromised, in this case a GitHub token, a malicious actor can steal the company’s IP address or modify the source to launch a supply chain that could spread malware or steal PII from unsuspecting customers.”

Although these tokens are usually masked with asterisks or hidden from most services, skilled attackers can still find ways to harvest them, for example through browser-based attacks, open redirects, or malware.

It’s for this reason that GitHub recommends that organizations periodically check which OAuth applications have been granted access to critical data resources, weed out unnecessary ones, and audit access if possible.
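The audit GitHub recommends starts with knowing where long-lived credentials actually sit: the “active AWS key in npm’s private repository” mentioned above is exactly the kind of artifact a repository scan should surface before an attacker does. Below is an added example, not code from GitHub, BluBracket, or the article: a small Python scanner that walks a set of files for the public AWS access key ID format and the prefixed GitHub token formats (`gho_` for OAuth tokens, `ghp_` for personal access tokens), skips documented placeholder values, and reports masked matches so the scan output itself does not become a second leak. The file contents and key strings are constructed for the example and are not real credentials.

```python
"""Scan file contents for leaked credential patterns (added example).

Assumptions (not from the article): AWS access key IDs are 20 characters
starting with "AKIA"; GitHub tokens issued since 2021 carry a type prefix
("gho_" OAuth token, "ghp_" personal access token) followed by 36
alphanumeric characters. The sample files below are constructed.
"""
import re
from dataclasses import dataclass

# Public token formats; the capture group is the full secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_oauth_token": re.compile(r"\b(gho_[A-Za-z0-9]{36})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}

# Documented placeholder values that should not be reported
# (AKIAIOSFODNN7EXAMPLE is the example key used in AWS documentation).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # never the full secret


def mask(secret: str) -> str:
    """Keep only the type prefix and the last four characters for reports."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list:
    """Return findings for every credential-shaped string in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret in ALLOWLIST:
                    continue
                findings.append(Finding(path, line_no, kind, mask(secret)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping; sorted paths keep output stable."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (made-up values, right shape only).
SAMPLE_FILES = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAZZ12345678ABCDEF\nREGION=us-east-1\n",
    "ci/deploy.sh": '#!/bin/sh\nexport GITHUB_TOKEN="gho_abcdefghijklmnopqrstuvwxyz0123456789"\n',
    "README.md": "Use AKIAIOSFODNN7EXAMPLE as a placeholder in docs.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
```

Run as a pre-commit hook or in CI, this fails fast on the common case the article describes (a cloud key committed to a private repository), while the allow-list keeps documentation examples from generating noise. Pair it with a periodic review of which OAuth applications hold access to the organization, since a scanner finds secrets at rest but not tokens already granted to a third-party integration.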

A new supply chain attack?

The GitHub OAuth campaign shares similarities with a number of existing supply chain attacks, such as the SolarWinds and Kaseya breaches, with attackers targeting multiple downstream organizations in a coordinated campaign.

This breach comes shortly after NCC Group reported that supply chain attacks increased by 51% in the last half of 2021.

The same study found that most organizations were ill-prepared to deal with the realities of these attacks, with only 34% of security decision makers saying they would classify their organization as “very resilient”.

At the heart of the challenge of protecting against supply chain attacks such as the OAuth breach is the fact that modern cloud/hybrid networks are incredibly complex and increase the attack surface to a level that is difficult to protect.

“The cloud has given us a huge range of security improvements, but convenience has a hidden downside. Ease of use also means it’s easier [to] do security oversight, like not auditing, monitoring, or expiring OAuth keys,” said Casey Ellis, Founder and CTO of Bugcrowd.

“When OAuth keys like the ones used in this attack can’t be stolen from a misauthorized database or repository, they’re often gleaned from the client side using malware or browser-based attacks and then collected and aggregated by Initial Access Brokers, and resold to those who need to use them for a specific attack,” he said.


Aubrey L. Morgan