medium advisory

GitHub Organizations 2FA Disabled

Disabling the organization-wide two-factor authentication (2FA) requirement in a GitHub Organization is detected through audit log monitoring; the change may indicate an attacker weakening account security to facilitate unauthorized access.

This detection identifies instances where the two-factor authentication (2FA) requirement is disabled within a GitHub Organization. By monitoring GitHub Organizations audit logs for the relevant action, this analytic tracks changes to the 2FA requirement and captures the actor, the organization, and associated metadata such as the actor's IP address and user agent. Removing the requirement weakens a key access control, since members are no longer forced to protect their accounts with a second factor, which increases the risk of account compromise through password-based attacks. Without 2FA, a compromised account can expose sensitive code repositories and intellectual property and open the door to a software supply chain compromise. The activity observed in this analytic aligns with the MITRE ATT&CK techniques Impair Defenses: Disable or Modify Tools (T1562.001) and Supply Chain Compromise (T1195).

Attack Chain

  1. An attacker gains initial access to a privileged GitHub account, possibly through credential compromise or social engineering.
  2. The attacker authenticates to the GitHub organization with the compromised account.
  3. The attacker navigates to the organization’s security settings within GitHub.
  4. The attacker disables the requirement for two-factor authentication (2FA) for the organization.
  5. GitHub audit logs record the “org.disable_two_factor_requirement” event, capturing details of the actor and organization.
  6. With the requirement removed, accounts that lack 2FA can be added to or remain in the organization, and existing members can turn off their own 2FA without losing access, so the attacker can target password-only accounts without having to bypass a second factor.
  7. The attacker then uses the compromised accounts to access sensitive code repositories or other resources within the organization.
  8. The attacker exfiltrates sensitive data or injects malicious code into the software supply chain.

Impact

Disabling 2FA in GitHub organizations increases the risk of account takeover and unauthorized access to sensitive code and intellectual property. A successful attack could lead to the compromise of the software supply chain, impacting not only the organization itself but also its customers and users. This can result in reputational damage, financial losses, and legal liabilities. The Google Cloud Community reported on using Google Security to monitor for suspicious GitHub activity.

Recommendation

  • Enable and maintain the Splunk Add-on for GitHub to ingest GitHub Organizations audit logs as detailed in the references.
  • Deploy the Sigma rule GitHub Organizations Disable 2FA Requirement to detect instances of 2FA being disabled.
  • Investigate any alerts generated by the Sigma rule, focusing on the actor, actor_id, and actor_ip fields to identify potentially compromised accounts.
  • Monitor user agent strings (user_agent field) for suspicious or anomalous activity related to the disabling of 2FA.
  • Review and enforce strong password policies and educate users about the importance of 2FA to prevent initial account compromise.
  • After investigating a confirmed alert, re-enable the organization's 2FA requirement and review any members or outside collaborators added while it was disabled.

Detection coverage (3 rules)

GitHub Organizations Disable 2FA Requirement

high

Detects when two-factor authentication (2FA) requirements are disabled in GitHub Organizations by monitoring GitHub Organizations audit logs.

Sigma rule. Tactics: defense_evasion, privilege_escalation, supply_chain; techniques: T1195, T1562.001; sources: webserver, linux.

GitHub Organizations 2FA Disabled by Bot Account

medium

Detects when a bot account disables 2FA requirements in GitHub Organizations.

Sigma rule. Tactics: defense_evasion, privilege_escalation; techniques: T1562.001; sources: webserver, linux.

GitHub Organizations 2FA Disabled Suspicious User Agent

medium

Detects when 2FA requirements are disabled in GitHub Organizations by a client presenting a suspicious user agent.

Sigma rule. Tactics: defense_evasion, privilege_escalation; techniques: T1562.001; sources: webserver, linux.
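The following is an added example, not the platform's own rule logic or code from this advisory, showing how the three detections above and the investigation steps in the Recommendation section map onto raw GitHub audit log events. It assumes the JSON shape produced by GitHub audit log streaming and ingested by the Splunk Add-on for GitHub (fields `action`, `actor`, `actor_id`, `actor_ip`, `actor_is_bot`, `org`, `user_agent`, `@timestamp`); the sample events are constructed, and the bot-name and user-agent heuristics are illustrative assumptions to be tuned to the API clients an organization legitimately uses.

```python
"""Flag org.disable_two_factor_requirement events in GitHub audit log lines.

Added example; assumes the audit-log JSON shape delivered by GitHub audit log
streaming / the Splunk Add-on for GitHub. Sample data below is constructed.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Audit log action recorded when the org-wide 2FA requirement is turned off.
TARGET_ACTION = "org.disable_two_factor_requirement"

# Assumption: substrings that mark scripted, non-browser clients. Tune to the
# API clients your organization legitimately uses for settings changes.
SUSPICIOUS_UA_MARKERS = ("curl/", "python-requests", "go-http-client", "okhttp", "wget/")

# Constructed sample events (not real audit data): one interactive disable via
# a browser, one bot-driven disable via curl, one unrelated enable event, and
# one malformed line that the parser must skip.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1700000000000, "action": "org.disable_two_factor_requirement", "actor": "alice", "actor_id": 1001, "actor_ip": "203.0.113.10", "org": "example-org", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"}
{"@timestamp": 1700000300000, "action": "org.disable_two_factor_requirement", "actor": "ci-deploy[bot]", "actor_id": 2002, "actor_is_bot": true, "actor_ip": "198.51.100.7", "org": "example-org", "user_agent": "curl/8.4.0"}
{"@timestamp": 1700000600000, "action": "org.enable_two_factor_requirement", "actor": "alice", "actor_id": 1001, "actor_ip": "203.0.113.10", "org": "example-org", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"}
this line is not JSON and must be skipped
"""


@dataclass
class Finding:
    """One alert, carrying the fields an analyst pivots on during triage."""
    rule: str
    severity: str
    org: Optional[str]
    actor: Optional[str]
    actor_id: Optional[int]
    actor_ip: Optional[str]
    user_agent: Optional[str]
    timestamp: Optional[int]


def is_bot_actor(event: dict) -> bool:
    """Assumption: bot actors carry actor_is_bot or a '[bot]' name suffix."""
    if event.get("actor_is_bot") is True:
        return True
    return (event.get("actor") or "").endswith("[bot]")


def is_suspicious_user_agent(user_agent: Optional[str]) -> bool:
    """Scripted clients, or no user agent at all, on a settings change."""
    if not user_agent:
        return True
    ua = user_agent.lower()
    return any(marker in ua for marker in SUSPICIOUS_UA_MARKERS)


def evaluate(event: dict) -> List[Finding]:
    """Return every finding a single audit-log event triggers (empty if none)."""
    if event.get("action") != TARGET_ACTION:
        return []
    base = dict(
        org=event.get("org"),
        actor=event.get("actor"),
        actor_id=event.get("actor_id"),
        actor_ip=event.get("actor_ip"),
        user_agent=event.get("user_agent"),
        timestamp=event.get("@timestamp"),
    )
    # Base rule: any disablement of the requirement is high severity.
    findings = [Finding("GitHub Organizations Disable 2FA Requirement", "high", **base)]
    if is_bot_actor(event):
        findings.append(Finding("GitHub Organizations 2FA Disabled by Bot Account", "medium", **base))
    if is_suspicious_user_agent(event.get("user_agent")):
        findings.append(Finding("GitHub Organizations 2FA Disabled Suspicious User Agent", "medium", **base))
    return findings


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse newline-delimited JSON audit events and collect all findings."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole batch
        findings.extend(evaluate(event))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{f.severity}] {f.rule}: org={f.org} actor={f.actor} "
              f"actor_id={f.actor_id} actor_ip={f.actor_ip} ua={f.user_agent!r}")
```

On the constructed sample the interactive event yields only the high-severity base finding, while the bot-driven curl event yields all three, which is the stacking an analyst should expect when the actor, actor_id, actor_ip and user_agent fields are reviewed together.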
