{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/github-organizations/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub Organizations"],"_cs_severities":["high"],"_cs_tags":["github","supply-chain","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis brief focuses on the detection of deleted branch rulesets within GitHub Organizations. Threat actors may attempt to disable or delete these rulesets to bypass code review requirements and security controls. This activity can be an indicator of malicious intent, potentially leading to the injection of unauthorized code changes or backdoors into protected branches. The detection mechanism involves monitoring GitHub Organizations audit logs for specific events related to branch ruleset deletion. Identifying these events allows for timely intervention to prevent code tampering and maintain software supply chain integrity. This is crucial for organizations relying on GitHub for code management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to a GitHub account with sufficient privileges to manage branch rulesets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies target repositories and their associated branch rulesets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if necessary):\u003c/strong\u003e The attacker elevates their privileges within the organization to gain the ability to modify or delete rulesets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker deletes a branch ruleset, effectively disabling the security controls it provided (e.g., code review, preventing force pushes).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e The attacker pushes unauthorized code changes, potentially containing malicious code or backdoors, directly to a protected branch.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker may implement persistence mechanisms within the injected code to maintain unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The malicious code compromises the software supply chain, potentially affecting downstream users and systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of branch rulesets can have significant consequences, leading to code tampering, bypass of security reviews, and the introduction of vulnerabilities or malicious code. If successful, this can compromise the integrity of the software supply chain, impacting potentially thousands of users and systems relying on the affected code. The incident could result in data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub Organizations audit logs and ingest them into your SIEM to allow for monitoring of branch ruleset deletion events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Organizations Delete Branch Ruleset\u003c/code\u003e to detect when branch rulesets are deleted in GitHub Organizations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003erepo\u003c/code\u003e, and \u003ccode\u003eruleset_name\u003c/code\u003e to determine the legitimacy of the action.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub accounts to reduce the risk of unauthorized access (Reference: GitHub documentation).\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Organizations permissions to ensure that users only have the necessary privileges (Reference: GitHub documentation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-github-branch-ruleset-deletion/","summary":"Detection of branch ruleset deletion in GitHub Organizations, indicating potential attempts to bypass security controls and inject malicious code.","title":"GitHub Organizations Branch Ruleset Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-github-branch-ruleset-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub Organizations"],"_cs_severities":["high"],"_cs_tags":["github","cloud","2fa","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis brief focuses on the detection of disabled two-factor authentication (2FA) requirements within GitHub Organizations. The activity is detected by monitoring GitHub Organizations audit logs for the \u003ccode\u003eorg.disable_two_factor_requirement\u003c/code\u003e event. Identifying disabled 2FA is critical because it undermines a fundamental security control and can expose organizations to increased risk of account takeover. The absence of 2FA makes accounts more vulnerable to password-based attacks, potentially granting attackers access to sensitive code, intellectual property, and the ability to compromise the software supply chain. This event can be an early warning sign of a more extensive attack campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges to modify organization settings (T1195).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub platform, bypassing existing 2FA if the account is already enrolled.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization settings within GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the 2FA requirement for the GitHub organization. This action is logged as \u003ccode\u003eorg.disable_two_factor_requirement\u003c/code\u003e in the audit logs.\u003c/li\u003e\n\u003cli\u003eWith 2FA disabled, the attacker targets other organization member accounts with password-based attacks such as credential stuffing or brute-force attacks.\u003c/li\u003e\n\u003cli\u003eSuccessful account compromise allows the attacker to access private repositories and sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may inject malicious code into repositories to compromise the software supply chain.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data or intellectual property (T1562.001).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of disabled 2FA in GitHub Organizations can be significant, leading to account compromise, unauthorized access to sensitive code repositories, intellectual property theft, and potential compromise of the software supply chain. A successful attack could result in financial losses, reputational damage, and legal liabilities. The number of affected accounts and the severity of the impact depend on the attacker's objectives and the organization's security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Organizations Disable 2FA Requirement\u003c/code\u003e to your SIEM to detect instances of 2FA being disabled (see \u003ccode\u003erules\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of disabled 2FA to determine the legitimacy of the action and identify any potential compromise.\u003c/li\u003e\n\u003cli\u003eReview GitHub organization audit logs for related suspicious activities, such as unusual login attempts or changes to other security settings.\u003c/li\u003e\n\u003cli\u003eEnforce 2FA for all members of GitHub Organizations and regularly audit 2FA enforcement policies.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003egithub_organizations\u003c/code\u003e data source for other vendor actions to identify suspicious activity within the GitHub environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-github-disable-2fa/","summary":"Detection of GitHub Organizations where the two-factor authentication (2FA) requirement has been disabled, potentially indicating an attempt to weaken security controls and increase the risk of account compromise.","title":"GitHub Organizations 2FA Requirement Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-github-disable-2fa/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub Organizations"],"_cs_severities":["high"],"_cs_tags":["github","repository","deletion","impact"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on the anomalous deletion of repositories within GitHub organizations, an activity that can have severe consequences. The core concern is that a malicious actor, whether an external attacker with compromised credentials or a malicious insider, may deliberately delete repositories to destroy source code, intellectual property, or even evidence of a prior compromise. The behavior is detected by monitoring GitHub Organizations audit logs for repository deletion events (vendor_action=repo.destroy). The deletion of repositories may lead to permanent data loss if backups are not maintained. This activity may be associated with attempts to disrupt business operations. Early detection of such events is crucial, allowing security teams to investigate potential compromises and initiate recovery procedures, minimizing potential damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains unauthorized access to a GitHub organization account. This could be through compromised credentials (phishing, password reuse), or by exploiting a vulnerability in a service integrated with GitHub.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker elevates their privileges within the GitHub organization to gain sufficient permissions to delete repositories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies valuable or critical repositories for deletion, potentially focusing on those containing sensitive data, core application code, or incident response documentation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Security Controls (Optional):\u003c/strong\u003e The attacker attempts to disable or circumvent security controls within GitHub or integrated security tools to avoid detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRepository Deletion:\u003c/strong\u003e The attacker executes the repository deletion command, either through the GitHub web interface or the GitHub API. This generates an audit log event (\u003ccode\u003evendor_action=repo.destroy\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation/Cleanup:\u003c/strong\u003e The attacker attempts to cover their tracks by deleting audit logs, modifying access logs, or removing any traces of their activity within the GitHub environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The targeted repository is permanently deleted, resulting in the loss of source code, documentation, and project history. This can disrupt development workflows, lead to financial losses, and compromise intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of a successful repository deletion attack can be significant. Organizations can experience a loss of intellectual property, disruption to development workflows, and potential financial losses resulting from the lost work and the cost of recovery. In severe cases, the deletion of critical repositories could halt operations and damage the organization's reputation. The number of affected repositories and the severity of the impact depend on the attacker's objectives and the organization's backup and recovery capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune them to your specific GitHub organization to detect anomalous repository deletion activity based on \u003ccode\u003evendor_action=repo.destroy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges, to mitigate the risk of compromised credentials referenced in the attack chain.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub organization access controls and permissions to identify and remediate any excessive or unnecessary privileges, preventing privilege escalation.\u003c/li\u003e\n\u003cli\u003eImplement a robust backup and recovery strategy for GitHub repositories, including regular backups and tested restoration procedures, ensuring quick recovery in case of a repository deletion attack.\u003c/li\u003e\n\u003cli\u003eMonitor GitHub Organizations audit logs for suspicious activity, including unusual login patterns, unauthorized permission changes, and unexpected API calls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-delete/","summary":"Anomalous deletion of a GitHub organization repository can indicate malicious activity aimed at destroying source code, intellectual property, or evidence of compromise, potentially stemming from account compromise, insider threats, or business disruption attempts.","title":"GitHub Organization Repository Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-delete/"}],"language":"en","title":"CraftedSignal Threat Feed - GitHub Organizations","version":"https://jsonfeed.org/version/1.1"}