Threat Feed
high advisory

GitHub Security Feature Disablement

An administrator or privileged user disables critical security features within a GitHub organization or repository, potentially leading to increased risk of unauthorized access, data breaches, and persistent compromise.

This brief addresses the threat of unauthorized or malicious disabling of security features within GitHub organizations and repositories. Attackers or malicious insiders might disable features such as Advanced Security, OAuth application restrictions, or two-factor authentication to weaken the security posture, gain unauthorized access, and establish persistence. The affected features span advanced security, OAuth application management, and two-factor authentication enforcement. These actions can only be performed by users with administrative or owner privileges within the GitHub organization, and each one is recorded as an event in the GitHub audit log. Defenders need to monitor for these configuration changes to ensure security best practices are maintained and to quickly identify potential malicious activity.

Attack Chain

  1. An attacker gains unauthorized access to a GitHub account with organization owner or administrator privileges through compromised credentials or insider access.
  2. The attacker authenticates to the GitHub organization or repository using the compromised account.
  3. The attacker navigates to the organization settings or repository settings, depending on the scope of the targeted security feature.
  4. The attacker disables advanced security features through the GitHub web interface or API (recorded in the audit log as business_advanced_security.disabled_for_new_repos or repo.advanced_security_disabled).
  5. Alternatively, the attacker disables OAuth application restrictions (audit log action org.disable_oauth_app_restrictions), allowing potentially malicious applications to access organizational data.
  6. Or, the attacker disables the two-factor authentication requirement for the organization (audit log action org.disable_two_factor_requirement), weakening account security.
  7. The attacker may then proceed to exploit the weakened security posture to access sensitive repositories, modify code, or exfiltrate data.
  8. The attacker establishes persistent access by creating rogue OAuth applications or adding unauthorized users to the organization.

Impact

Disabling security features in GitHub can lead to severe consequences. A successful attack can result in unauthorized access to sensitive code repositories, intellectual property theft, and data breaches. Disabling two-factor authentication makes accounts more vulnerable to credential stuffing and phishing attacks. The scope can range from a single repository to an entire organization, impacting hundreds or thousands of users and projects. The financial and reputational damage to the organization can be significant.

Recommendation

  • Deploy the Sigma rule Github High Risk Configuration Disabled to detect the disabling of critical security features by monitoring GitHub audit logs.
  • Enable audit log streaming as documented in the rule definition to ensure that the necessary logs are captured for detection.
  • Investigate any detected instances of security feature disabling to determine if they are legitimate administrator actions or malicious activity.
  • Enforce multi-factor authentication (MFA) for all users, especially those with administrative privileges, and monitor for attempts to disable MFA.
  • Regularly review and validate GitHub organization and repository settings to ensure that security features are enabled and configured correctly.
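The detection the recommendation describes, as an added example that is not code from this advisory or from the Sigma rule itself: it scans streamed GitHub audit-log events for the four action names listed in the attack chain and groups hits per actor. The sample events are constructed, and the JSON field names action, actor, org, repo and created_at are assumed for illustration.

```python
import json
from typing import Iterable

# Audit-log action names named in this advisory, mapped to the feature they disable.
HIGH_RISK_DISABLE_ACTIONS = {
    "business_advanced_security.disabled_for_new_repos": "advanced security",
    "repo.advanced_security_disabled": "advanced security",
    "org.disable_oauth_app_restrictions": "OAuth app restrictions",
    "org.disable_two_factor_requirement": "two-factor requirement",
}

# Constructed sample of streamed audit-log events, one JSON object per line.
# Field names (action, actor, org, repo, created_at) are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
{"action": "repo.create", "actor": "dev1", "org": "acme", "repo": "acme/app", "created_at": 1700000000000}
{"action": "org.disable_two_factor_requirement", "actor": "owner1", "org": "acme", "created_at": 1700000060000}
{"action": "repo.advanced_security_disabled", "actor": "owner1", "org": "acme", "repo": "acme/app", "created_at": 1700000120000}
{"action": "org.disable_oauth_app_restrictions", "actor": "owner1", "org": "acme", "created_at": 1700000180000}
{"action": "org.enable_two_factor_requirement", "actor": "owner1", "org": "acme", "created_at": 1700000240000}
this line is not JSON and must not break the pipeline
"""


def detect_disabled_security_features(lines: Iterable[str]) -> list:
    """Return one alert dict per event whose action disables a high-risk feature."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        action = event.get("action")
        if action in HIGH_RISK_DISABLE_ACTIONS:
            alerts.append({
                "action": action,
                "feature": HIGH_RISK_DISABLE_ACTIONS[action],
                "actor": event.get("actor"),
                "scope": event.get("repo") or event.get("org"),  # repo-level beats org-level
                "created_at": event.get("created_at"),
            })
    return alerts


def summarize_by_actor(alerts: list) -> dict:
    """One account disabling several features in sequence is the pattern the attack chain describes."""
    by_actor = {}
    for alert in alerts:
        by_actor.setdefault(alert["actor"], []).append(alert["feature"])
    return by_actor
```

Run `summarize_by_actor(detect_disabled_security_features(SAMPLE_AUDIT_LOG.splitlines()))` to see that the re-enable event is ignored and the three disable events all trace back to owner1.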

Detection coverage (3 rules)

GitHub Disable Two Factor Requirement

high

Detects when a user disables the two-factor authentication requirement for a GitHub organization.

Format: sigma. Tactics: credential-access, defense-impairment, persistence. Techniques: T1556. Sources: github, audit.

GitHub Disable Advanced Security Feature

high

Detects when a user disables advanced security features for an organization or repository.

Format: sigma. Tactics: credential-access, defense-impairment, persistence. Techniques: T1556. Sources: github, audit.

GitHub Disable OAuth App Restrictions

high

Detects when a user disables OAuth application restrictions for a GitHub organization.

Format: sigma. Tactics: credential-access, defense-impairment, persistence. Techniques: T1556. Sources: github, audit.
