Now that organizations are securing their infrastructure by following zero-trust best practices, attackers are moving left in the pipeline and targeting GitHub. Earlier this month, Okta said that its private GitHub repositories had been breached. When a leader in authentication and Identity and Access Management (IAM) is breached, it is time to take source-control security much more seriously: Okta presumably has a far more mature GitHub security program than most organizations, and it was still hit. At this point, everyone is susceptible.
According to a ‘confidential’ email notification sent by Okta and seen by BleepingComputer, the incident involved threat actors copying Okta’s source code. The company says the attackers did not gain unauthorized access to the Okta service or to customer data. However, the recent LastPass incidents showed how source code and technical information stolen from a development environment in a first breach can be used to mount a second one in which customer data is accessed. DarkReading summarizes the potential consequences well:
“Attackers can harvest hard-coded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.
Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached multiple companies using this technique and sold their data across various Dark Web marketplaces.”
In recent years, attackers have realized that compromising GitHub repositories is an efficient way to mine source code for vulnerabilities and secrets, or even to push their own backdoors without the team noticing. While access to the web portal may be protected by SSO and conditional access policies, most high-privilege actions (cloning, pushing, force-pushing) are performed over SSH, and that path is typically guarded only by an SSH key that never expires, is protected at best by a passphrase, and sits on a developer’s workstation waiting to be copied. Revocation is manual: a stolen key keeps working until someone notices and deletes it from the account.
EZGIT is the first SSH Certificate Authority (CA) for GitHub repositories. EZGIT uses your existing corporate identity provider (Azure AD or Okta) to authenticate the user and then issues a short-lived SSH certificate, giving the user just-in-time (JIT) access to your repositories. Because the certificate expires on its own, no long-lived credential sits on an engineer’s desktop waiting to be stolen: a certificate copied from a workstation is useless once its validity window has passed.
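As an added example (not EZGIT’s own code, and not a description of its internals), the script below shows the mechanism the two preceding paragraphs contrast. A local CA signs a developer’s public key into a certificate with an eight-hour validity window, a principal and the `login@github.com` extension that GitHub’s SSH CA feature uses to bind a certificate to a username, and `ssh-keygen -L` is then used to compare it with an open-ended certificate and with the bare key. The CA name, the user name `alice` and the validity period are assumptions for the demo; it needs only OpenSSH’s `ssh-keygen` and runs offline.

```sh
#!/bin/sh
# Added example, not EZGIT code: mint a short-lived SSH user certificate with a
# local CA and compare it with an open-ended certificate and a bare SSH key.
# Needs OpenSSH's ssh-keygen; everything else is created in a temp directory.
set -eu

command -v ssh-keygen >/dev/null 2>&1 || {
  echo "skipping: ssh-keygen (OpenSSH client) is not installed" >&2
  exit 0
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# CA key pair (assumed name). Only ca.pub is registered with the GitHub
# organization as a trusted CA; the private half stays inside the CA service.
ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$WORK/ca"

# Developer key pair (assumed user "alice"). Once certificates carry the
# identity, this key can be regenerated at will: GitHub trusts the CA's
# signature, not the key itself.
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"

# mint_cert NAME USER [VALIDITY]
# Signs a copy of alice's public key as NAME-cert.pub and prints its path.
# VALIDITY uses ssh-keygen -V syntax (e.g. +8h). Omitting it yields a
# certificate that never expires, the same anti-pattern as a plain key.
# The login@github.com extension is what GitHub's SSH CA feature uses to map
# a certificate to a GitHub username; the principal is for servers that
# authorize by principal.
mint_cert() {
  name="$1"; user="$2"; validity="${3:-}"
  key_id="$user-$(date +%Y%m%d%H%M%S)"          # appears in server logs
  cp "$WORK/alice.pub" "$WORK/$name.pub"
  if [ -n "$validity" ]; then
    ssh-keygen -q -s "$WORK/ca" -I "$key_id" -n "$user" \
      -O "extension:login@github.com=$user" -V "$validity" "$WORK/$name.pub"
  else
    ssh-keygen -q -s "$WORK/ca" -I "$key_id" -n "$user" \
      -O "extension:login@github.com=$user" "$WORK/$name.pub"
  fi
  echo "$WORK/$name-cert.pub"
}

# is_certificate FILE: succeeds only if FILE is an OpenSSH certificate.
# A bare public key fails here: it carries no validity window at all.
is_certificate() {
  ssh-keygen -L -f "$1" >/dev/null 2>&1
}

# cert_validity CERT: prints "forever" or "from <start> to <end>".
cert_validity() {
  ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Valid: //p'
}

# cert_principals CERT: prints the certificate's principals, one per line.
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /^[[:space:]]*Principals:/       { on = 1; next }
    /^[[:space:]]*Critical Options:/ { on = 0 }
    on { sub(/^[[:space:]]+/, ""); print }'
}

# cert_has_github_login CERT: succeeds if the GitHub login extension is set.
cert_has_github_login() {
  ssh-keygen -L -f "$1" | grep -q 'login@github.com'
}

# Demonstration: a bounded certificate beside the anti-pattern.
SHORT_CERT="$(mint_cert alice-8h alice +8h)"
FOREVER_CERT="$(mint_cert alice-forever alice)"
echo "8h certificate:   $(cert_validity "$SHORT_CERT")"
echo "open-ended cert:  $(cert_validity "$FOREVER_CERT")"
echo "principals:       $(cert_principals "$SHORT_CERT" | tr '\n' ' ')"
if is_certificate "$WORK/alice.pub"; then
  echo "bare key:         has a validity window"
else
  echo "bare key:         no validity window, trusted until deleted"
fi
```

In a real deployment the CA private key is held by the CA service (ideally in an HSM) and only the CA public key is registered with the GitHub organization; the developer never sees the CA key and only receives the signed `-cert.pub`. The validity window, not a revocation list, is what bounds exposure when a workstation is compromised, which is why the open-ended certificate above is no better than the bare key it wraps.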