<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>GitHub Organizations - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/github-organizations/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/github-organizations/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitHub Organizations Branch Ruleset Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-github-branch-ruleset-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-github-branch-ruleset-deletion/</guid><description>Detection of branch ruleset deletion in GitHub Organizations, indicating potential attempts to bypass security controls and inject malicious code.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of deleted branch rulesets within GitHub Organizations. Threat actors may attempt to disable or delete these rulesets to bypass code review requirements and security controls. This activity can be an indicator of malicious intent, potentially leading to the injection of unauthorized code changes or backdoors into protected branches. The detection mechanism involves monitoring GitHub Organizations audit logs for specific events related to branch ruleset deletion. Identifying these events allows for timely intervention to prevent code tampering and maintain software supply chain integrity. This is crucial for organizations relying on GitHub for code management and collaboration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains access to a GitHub account with sufficient privileges to manage branch rulesets.</li>
<li><strong>Reconnaissance:</strong> The attacker identifies target repositories and their associated branch rulesets.</li>
<li><strong>Privilege Escalation (if necessary):</strong> The attacker elevates their privileges within the organization to gain the ability to modify or delete rulesets.</li>
<li><strong>Defense Evasion:</strong> The attacker deletes a branch ruleset, effectively disabling the security controls it provided (e.g., code review, preventing force pushes).</li>
<li><strong>Code Injection:</strong> The attacker pushes unauthorized code changes, potentially containing malicious code or backdoors, directly to a protected branch.</li>
<li><strong>Persistence (Optional):</strong> The attacker may implement persistence mechanisms within the injected code to maintain unauthorized access.</li>
<li><strong>Impact:</strong> The malicious code compromises the software supply chain, potentially affecting downstream users and systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of branch rulesets can have significant consequences, leading to code tampering, bypass of security reviews, and the introduction of vulnerabilities or malicious code. If successful, this can compromise the integrity of the software supply chain, impacting potentially thousands of users and systems relying on the affected code. The incident could result in data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable GitHub Organizations audit logs and ingest them into your SIEM to allow for monitoring of branch ruleset deletion events.</li>
<li>Deploy the Sigma rule <code>GitHub Organizations Delete Branch Ruleset</code> to detect when branch rulesets are deleted in GitHub Organizations.</li>
<li>Investigate any alerts triggered by the Sigma rule, focusing on the <code>actor</code>, <code>repo</code>, and <code>ruleset_name</code> to determine the legitimacy of the action.</li>
<li>Implement multi-factor authentication (MFA) for all GitHub accounts to reduce the risk of unauthorized access (Reference: GitHub documentation).</li>
<li>Regularly review and audit GitHub Organizations permissions to ensure that users only have the necessary privileges (Reference: GitHub documentation).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>supply-chain</category><category>defense-evasion</category></item><item><title>GitHub Organizations 2FA Requirement Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-github-disable-2fa/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-github-disable-2fa/</guid><description>Detection of GitHub Organizations where the two-factor authentication (2FA) requirement has been disabled, potentially indicating an attempt to weaken security controls and increase the risk of account compromise.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of disabled two-factor authentication (2FA) requirements within GitHub Organizations. The activity is detected by monitoring GitHub Organizations audit logs for the <code>org.disable_two_factor_requirement</code> event. Identifying disabled 2FA is critical because it undermines a fundamental security control and can expose organizations to increased risk of account takeover. The absence of 2FA makes accounts more vulnerable to password-based attacks, potentially granting attackers access to sensitive code, intellectual property, and the ability to compromise the software supply chain. This event can be an early warning sign of a more extensive attack campaign.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an account with sufficient privileges to modify organization settings (T1195).</li>
<li>The attacker authenticates to the GitHub platform, bypassing existing 2FA if the account is already enrolled.</li>
<li>The attacker navigates to the organization settings within GitHub.</li>
<li>The attacker disables the 2FA requirement for the GitHub organization. This action is logged as <code>org.disable_two_factor_requirement</code> in the audit logs.</li>
<li>With 2FA disabled, the attacker targets other organization member accounts with password-based attacks such as credential stuffing or brute-force attacks.</li>
<li>Successful account compromise allows the attacker to access private repositories and sensitive information.</li>
<li>The attacker may inject malicious code into repositories to compromise the software supply chain.</li>
<li>The attacker may exfiltrate sensitive data or intellectual property (T1562.001).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of disabled 2FA in GitHub Organizations can be significant, leading to account compromise, unauthorized access to sensitive code repositories, intellectual property theft, and potential compromise of the software supply chain. A successful attack could result in financial losses, reputational damage, and legal liabilities. The number of affected accounts and the severity of the impact depend on the attacker's objectives and the organization's security posture.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GitHub Organizations Disable 2FA Requirement</code> to your SIEM to detect instances of 2FA being disabled (see <code>rules</code>).</li>
<li>Investigate any detected instances of disabled 2FA to determine the legitimacy of the action and identify any potential compromise.</li>
<li>Review GitHub organization audit logs for related suspicious activities, such as unusual login attempts or changes to other security settings.</li>
<li>Enforce 2FA for all members of GitHub Organizations and regularly audit 2FA enforcement policies.</li>
<li>Monitor the <code>github_organizations</code> data source for other vendor actions to identify suspicious activity within the GitHub environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>cloud</category><category>2fa</category><category>defense-evasion</category></item><item><title>GitHub Organization Repository Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-repo-delete/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-repo-delete/</guid><description>Anomalous deletion of a GitHub organization repository can indicate malicious activity aimed at destroying source code, intellectual property, or evidence of compromise, potentially stemming from account compromise, insider threats, or business disruption attempts.</description><content:encoded><![CDATA[<p>This threat brief focuses on the anomalous deletion of repositories within GitHub organizations, an activity that can have severe consequences. The core concern is that a malicious actor, whether an external attacker with compromised credentials or a malicious insider, may deliberately delete repositories to destroy source code, intellectual property, or even evidence of a prior compromise. The behavior is detected by monitoring GitHub Organizations audit logs for repository deletion events (vendor_action=repo.destroy). The deletion of repositories may lead to permanent data loss if backups are not maintained. This activity may be associated with attempts to disrupt business operations. Early detection of such events is crucial, allowing security teams to investigate potential compromises and initiate recovery procedures, minimizing potential damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains unauthorized access to a GitHub organization account. This could be through compromised credentials (phishing, password reuse), or by exploiting a vulnerability in a service integrated with GitHub.</li>
<li><strong>Privilege Escalation (if needed):</strong> The attacker elevates their privileges within the GitHub organization to gain sufficient permissions to delete repositories.</li>
<li><strong>Reconnaissance:</strong> The attacker identifies valuable or critical repositories for deletion, potentially focusing on those containing sensitive data, core application code, or incident response documentation.</li>
<li><strong>Disable Security Controls (Optional):</strong> The attacker attempts to disable or circumvent security controls within GitHub or integrated security tools to avoid detection.</li>
<li><strong>Repository Deletion:</strong> The attacker executes the repository deletion command, either through the GitHub web interface or the GitHub API. This generates an audit log event (<code>vendor_action=repo.destroy</code>).</li>
<li><strong>Obfuscation/Cleanup:</strong> The attacker attempts to cover their tracks by deleting audit logs, modifying access logs, or removing any traces of their activity within the GitHub environment.</li>
<li><strong>Impact:</strong> The targeted repository is permanently deleted, resulting in the loss of source code, documentation, and project history. This can disrupt development workflows, lead to financial losses, and compromise intellectual property.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of a successful repository deletion attack can be significant. Organizations can experience a loss of intellectual property, disruption to development workflows, and potential financial losses resulting from the lost work and the cost of recovery. In severe cases, the deletion of critical repositories could halt operations and damage the organization's reputation. The number of affected repositories and the severity of the impact depend on the attacker's objectives and the organization's backup and recovery capabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to your SIEM and tune them to your specific GitHub organization to detect anomalous repository deletion activity based on <code>vendor_action=repo.destroy</code>.</li>
<li>Implement multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges, to mitigate the risk of compromised credentials referenced in the attack chain.</li>
<li>Regularly review and audit GitHub organization access controls and permissions to identify and remediate any excessive or unnecessary privileges, preventing privilege escalation.</li>
<li>Implement a robust backup and recovery strategy for GitHub repositories, including regular backups and tested restoration procedures, ensuring quick recovery in case of a repository deletion attack.</li>
<li>Monitor GitHub Organizations audit logs for suspicious activity, including unusual login patterns, unauthorized permission changes, and unexpected API calls.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>repository</category><category>deletion</category><category>impact</category></item></channel></rss>