Slack Rebuffs Breach With Swift Action, Rotating Credentials
The holidays were anything but happy over at Slack, which saw threat actors access its externally hosted GitHub repositories.
The miscreants apparently used a “limited” number of stolen Slack employee tokens. And while they breached some of the platform’s private code repositories, neither the primary codebase nor customer data was affected.
“On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” according to a Slack alert. “Our investigation also revealed that the threat actor downloaded private code repositories on December 27, [2022]. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase.”
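The pattern Slack describes, a stolen token pulling private repositories before anyone notices, is what a defender wants an audit-log check for. The following is an added example, not Slack’s or GitHub’s code: it scans constructed audit-log lines for a single account downloading many distinct private repositories in a short window, or using a token from an address outside that account’s baseline, and names the accounts whose tokens to invalidate first. The field names (`@timestamp`, `action`, `actor`, `repo`, `visibility`, `actor_ip`) are modelled loosely on GitHub’s audit-log JSON and are an assumption, as are the thresholds, the account names and the IP baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (JSON lines). The schema is an assumption that
# follows the general shape of GitHub's audit-log export: "@timestamp" is epoch
# milliseconds, "action" the event type, "actor" the account whose token was
# used, "actor_ip" the source address.
T0 = 1_672_099_200_000  # 2022-12-27T00:00:00Z in epoch milliseconds


def _ev(offset_s, action, actor, repo, visibility, ip):
    """Build one constructed audit-log line offset_s seconds after T0."""
    return json.dumps({
        "@timestamp": T0 + offset_s * 1000, "action": action, "actor": actor,
        "repo": repo, "visibility": visibility, "actor_ip": ip,
    })


SAMPLE_LOG = "\n".join([
    _ev(0, "git.clone", "alice", "example/web", "private", "203.0.113.10"),
    _ev(60, "git.fetch", "ci-bot", "example/api", "private", "198.51.100.5"),
    _ev(120, "git.clone", "bob", "example/docs", "public", "203.0.113.44"),
    _ev(3600, "git.clone", "alice", "example/web", "private", "203.0.113.10"),
    # One token pulls five distinct private repos in four minutes from an
    # address that account has never used before.
    _ev(7200, "git.clone", "ci-bot", "example/api", "private", "192.0.2.77"),
    _ev(7260, "git.clone", "ci-bot", "example/web", "private", "192.0.2.77"),
    _ev(7320, "git.clone", "ci-bot", "example/mobile", "private", "192.0.2.77"),
    _ev(7380, "repo.download_zip", "ci-bot", "example/infra", "private", "192.0.2.77"),
    _ev(7440, "git.clone", "ci-bot", "example/billing", "private", "192.0.2.77"),
])

# Constructed baseline: addresses each account is normally seen from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "ci-bot": {"198.51.100.5"}}
# Event types that hand the caller a full copy of a repository (assumed names).
DOWNLOAD_ACTIONS = {"git.clone", "repo.download_zip"}


def parse_events(text):
    """Parse JSON lines into dicts, adding a tz-aware datetime under "ts"."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def bulk_private_downloads(events, threshold=5, window=timedelta(minutes=10)):
    """Map actor -> repos for actors that downloaded at least `threshold`
    distinct private repositories inside any `window`-long span."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DOWNLOAD_ACTIONS and e.get("visibility") == "private":
            per_actor[e["actor"]].append(e)
    flagged = {}
    for actor, evs in per_actor.items():  # evs are already time-ordered
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            repos = {x["repo"] for x in evs[start:end + 1]}
            if len(repos) >= threshold:
                flagged[actor] = repos
                break
    return flagged


def unknown_source_ips(events, known=KNOWN_IPS):
    """Map actor -> addresses for accounts with a baseline whose token was
    used from an address outside it. Accounts without a baseline are skipped."""
    hits = defaultdict(set)
    for e in events:
        baseline = known.get(e["actor"])
        if baseline is not None and e["actor_ip"] not in baseline:
            hits[e["actor"]].add(e["actor_ip"])
    return dict(hits)


def tokens_to_invalidate(text):
    """Accounts that trip either check: revoke their tokens first, then rotate
    whatever those repositories could have exposed."""
    events = parse_events(text)
    return set(bulk_private_downloads(events)) | set(unknown_source_ips(events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("bulk private downloads:", bulk_private_downloads(evs))
    print("unknown source IPs:", unknown_source_ips(evs))
    print("tokens to invalidate:", tokens_to_invalidate(SAMPLE_LOG))
```

Both checks are deliberately simple: `git.fetch` traffic from a known address is left alone so routine CI does not trip the rule, and an account with no baseline is not flagged on IP alone, since the first check still catches it if it starts mass-cloning. In a real deployment the baseline and thresholds come from history, not constants.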
That’s not surprising. “As DevOps has moved to the cloud, it has become much easier to steal code repositories,” said John Bambenek, principal threat hunter at Netenrich.
“The worst possibility is stealing authentication secrets and tokens that allow access to other resources, which also are usually in the cloud,” he said. “With the disappearing perimeter, all we’ve gotten is the loss of the company’s ability to protect their information.”
Bleeping Computer, which discovered the update, noted it is not included on the platform’s international news blog and is in some regions marked with ‘noindex’, a robots meta tag directive that tells search engines not to index the page, thereby making it harder to discover.
“It looks like this breach won’t directly affect Slack’s massive user base, but it does have some potential implications for the developers. Slack is going to have to audit their own code to make sure there aren’t any vulnerabilities in the stolen code an attacker could leverage and figure out how the threat actors got access to their developers’ tokens in the first place,” said Mike Parkin, senior technical engineer at Vulcan Cyber.
“As for the transparency issue, that’s a separate issue. While there are legal and ethical reasons to be transparent about incidents that affect the customer base, when it’s strictly internal, as this appears to be, it can be different,” said Parkin. “There can be very legitimate reasons to not make a big deal about an incident and keep the information somewhat contained.”
Security researchers and analysts, he pointed out, “may be asking ‘What did the attackers get, and what can they do with it?’ but for the world as a whole, it’s just a footnote unless it leads to a breach. And even then, the breach and how to mitigate it will be the important part to know about, while how it happened remains an interesting footnote.”
By acting swiftly, Slack blunted the impact of the incident. “It appears Slack corralled this one quickly by ‘immediately invalidating the stolen tokens,’” said Timothy Morris, chief security advisor at Tanium.
“They also took extra precaution by rotating ‘all relevant credentials,’” he noted. “Slack stated that there was no access to infrastructure or customer data; only that the private code repositories were downloaded from their externally hosted GitHub repository.”
Noting that “typically, code repositories contain documentation, notes, changes and code itself,” Morris pointed out that “only Slack, and now the perpetrators, know what the beneficial data is and whether or not it could be used for future attacks or monetized.”
One positive note, he added, is “the time elapsed between detection and disclosure was fast at four days (December 27, 2022 to December 31, 2022). A credit to Slack for expedient disclosure.”
Image Source: slack–rubaitul-azad–unsplash