GitHub code-signing certificates stolen

Another day, another access-token-based database breach. This time, the victim is Microsoft's GitHub business. In GitHub's own words: "On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems."

Simply put: someone used a pre-generated access code acquired from who-knows-where to leech the contents of various source code repositories that belonged to GitHub itself. We're guessing that GitHub keeps its own code on GitHub, but it wasn't the underlying GitHub network or storage infrastructure that was breached, just some of GitHub's own projects that were stored there.

Think of this breach like a crook getting hold of your Outlook email archive password and downloading your last month's worth of messages. By the time you noticed, your own email would already be gone, but neither Outlook itself nor other users' accounts would have been directly affected.

Note our careful use of the word "directly" in the previous sentence, because the compromise of one account on a system may lead to knock-on effects against other users, or even against the system as a whole. Your corporate email account almost certainly contains correspondence to and from your colleagues, your IT department and other companies. In those emails you may have revealed confidential information about account names, system details, business plans, logon credentials, and more. Using attack intelligence from one part of a system to wriggle into other parts of the same or other systems is known in the jargon as lateral movement, where cybercriminals first establish what you might call a "beachhead of compromise", and then try to extend their access from there.

In the case of stolen source code databases, whether they're stored on GitHub or elsewhere, there's always the risk that a private repository might include access credentials to other systems, or let cybercriminals get at code signing certificates that are used when actually building the software for public release.

This sort of data leakage can even be a problem for public repositories, including open-source source code projects that aren't secret, and are supposed to be downloadable by anybody. Open source data leakage can happen when developers inadvertently bundle up private files from their development network into the public code package that they ultimately upload for everyone to access. This sort of mistake can lead to the very public leak of private configuration files, private server access keys, personal access tokens and passwords, and even entire directory trees that were simply in the wrong place at the wrong time.

The crooks got hold of code signing certificates for the GitHub Desktop and Atom products. This means, in theory, that they could publish rogue software with an official GitHub seal of approval on it. Note that you wouldn't already need to be an existing user of either of those specific products to be fooled - the criminals could give GitHub's imprimatur to almost any software they wanted.

The stolen signing certificates were encrypted, and the crooks apparently didn't get the passwords. This means, in practice, that even though the crooks have the certificates, they won't be able to use them unless and until they crack those passwords.

Only three of the certificates had not yet expired on the day they were stolen. You can't use an expired certificate to sign new code, even if you have the password to decrypt the certificate. One stolen certificate expired in the interim, on 2023-01-04. A second stolen certificate expires tomorrow, 2023-02-01. That's also a signing certificate for Windows software.

This one is for signing Apple apps, so GitHub says it is "working with Apple to monitor for any [] new apps signed." Note that the crooks would still need to crack the certificate password first.

All affected certificates will be revoked on 2023-02-02. Revoked certificates are added to a special checklist that operating systems can use to block content vouched for by certificates that should no longer be trusted.

According to GitHub, no unauthorised changes were made to any of the repositories that were leeched. It looks as though this was a "read only" compromise, where the attackers were able to look, but not to touch.

The good news is that if you aren't a GitHub Desktop or Atom user, there's nothing that you immediately need to do. If you have GitHub Desktop, you need to upgrade before tomorrow, to ensure that you have replaced any instances of the app that were signed with a certificate that is about to be flagged bad. If you are still using Atom, you will somewhat curiously need to downgrade to a slightly older version that wasn't signed with a now-stolen certificate. Given that Atom has already reached the end of its official life, and won't be getting any more security updates, you should probably replace it anyway.

If you're a developer or a software manager yourself. Who's got access to which parts of our development network? Especially for legacy or end-of-life projects, are there any legacy users who still have left-over access they don't need any more? How carefully is access to our code repository locked down? Do any users have passwords or access tokens that could easily be stolen or misused if their own computers were compromised? Has anyone uploaded files that shouldn't be there?

Windows can mislead even experienced users by suppressing the extensions at the end of filenames, so you aren't always sure which file is which. Linux and Unix systems, including macOS, automatically hide from view any files and directories that start with a dot character.
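
One way to answer "has anyone uploaded files that shouldn't be there?" before a source tree is published, as an added example that is not part of the original article: a small Python audit that flags dot-hidden paths, key or certificate containers, names that rely on Windows hiding the final extension, and files holding a PEM private-key header. The extension lists, the function names and the sample tree are assumptions made for this example.

```python
import os
from pathlib import Path

# Assumptions for this example (not from the article): the extension lists below.
KEY_EXTS = {".p12", ".pfx", ".pem", ".key", ".jks"}    # key/certificate containers
DOC_EXTS = {".pdf", ".txt", ".doc", ".jpg", ".png"}    # harmless-looking "inner" extension
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".js"}    # what Windows would actually run
EXPECTED_DOTFILES = {".gitignore", ".gitattributes"}   # dotfiles meant to be published
PEM_MARKER = b"PRIVATE KEY-----"                       # tail of any PEM private-key header

def audit_tree(root):
    """Return sorted (relative_path, reason) pairs to review before publishing root."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git's own metadata
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            # Hidden on Linux/macOS: any path component starting with a dot.
            if any(p.startswith(".") for p in rel.parts) and name not in EXPECTED_DOTFILES:
                findings.append((rel.as_posix(), "hidden"))
            exts = [s.lower() for s in path.suffixes]
            if exts and exts[-1] in KEY_EXTS:
                findings.append((rel.as_posix(), "key-container"))
            # With extensions suppressed, readme.txt.exe displays as readme.txt.
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
                findings.append((rel.as_posix(), "double-extension"))
            with open(path, "rb") as fh:
                if PEM_MARKER in fh.read(4096):
                    findings.append((rel.as_posix(), "pem-private-key"))
    return sorted(findings)

def build_sample_tree(root):
    """Create a small constructed tree; every file's content is a placeholder."""
    samples = {
        "src/main.py": b"print('hello')\n",
        ".gitignore": b"build/\n",
        ".env": b"TOKEN=constructed-placeholder\n",
        "config/.ssh/id_rsa": b"-----BEGIN PRIVATE KEY-----\nconstructed, not a key\n",
        "certs/signing.p12": b"constructed placeholder bytes",
        "docs/readme.txt.exe": b"constructed placeholder bytes",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
```

Run `audit_tree()` on a clean checkout rather than a working directory, so that the result reflects what would actually be uploaded.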

This Cyber News was published on nakedsecurity.sophos.com. Publication date: Wed, 01 Feb 2023 18:58:02 +0000

