{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ip-allow-list/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","cloud","ip-allow-list","bypass","security-control","anomaly"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the disabling of IP allow lists within a GitHub Enterprise environment. GitHub Enterprise\u0026rsquo;s IP allow lists restrict access to resources from only trusted IP addresses, a critical security control to prevent unauthorized access. The disabling of this feature, as detected via GitHub Enterprise audit logs, could indicate malicious activity, such as an attacker attempting to circumvent existing access controls. The activity could stem from compromised administrator credentials or a malicious insider. Disabling the IP allow list exposes sensitive code repositories and GitHub Enterprise resources to access from any IP address, significantly increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises credentials with administrative privileges within GitHub Enterprise.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub Enterprise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization or enterprise settings where IP allow lists are configured.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the IP allow list feature, removing restrictions on which IP addresses can access the GitHub Enterprise resources.\u003c/li\u003e\n\u003cli\u003eThe attacker originates connections from previously unauthorized IP addresses.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses and potentially exfiltrates sensitive code repositories and data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify code, create backdoors, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling IP allow lists in GitHub Enterprise can lead to a significant security breach. Sensitive code repositories become exposed, potentially leading to intellectual property theft or the introduction of malicious code into the software supply chain. If successful, the organization\u0026rsquo;s data and systems may be compromised, resulting in financial losses, reputational damage, and legal ramifications. The scope of the impact depends on the sensitivity of the data stored in the GitHub Enterprise instance and the extent to which the attacker can leverage the unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review the provided Sigma rule to detect instances of IP allow list disabling in GitHub Enterprise to quickly identify and respond to unauthorized changes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003eactor_id\u003c/code\u003e, and \u003ccode\u003euser_agent\u003c/code\u003e fields to determine the source and legitimacy of the action.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges, to prevent credential compromise.\u003c/li\u003e\n\u003cli\u003eReview GitHub Enterprise audit logs regularly for suspicious activity, including changes to security settings and access from unusual locations, using the configured log streaming to Splunk.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege, granting users only the necessary permissions to perform their job functions, to limit the potential impact of a compromised account.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-github-ip-allow-list-disabled/","summary":"An IP allow list was disabled in GitHub Enterprise, potentially allowing unauthorized access from untrusted networks and exposing sensitive code repositories.","title":"GitHub Enterprise IP Allow List Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-ip-allow-list-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Ip-Allow-List","version":"https://jsonfeed.org/version/1.1"}