{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/security-configuration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub"],"_cs_severities":["high"],"_cs_tags":["github","security-configuration","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis brief addresses the threat of unauthorized or malicious disabling of security features within GitHub organizations and repositories. Attackers or malicious insiders might disable features like Advanced Security, OAuth application restrictions, or two-factor authentication to weaken the security posture, gain unauthorized access, and establish persistence. The affected features span advanced security, OAuth application management, and two-factor authentication enforcement. These actions can be performed by users with administrative or owner privileges within the GitHub organization. Defenders need to monitor for these configuration changes to ensure security best practices are maintained and to quickly identify potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with organization owner or administrator privileges through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization or repository using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization settings or repository settings, depending on the scope of the targeted security feature.\u003c/li\u003e\n\u003cli\u003eThe attacker disables advanced security features (e.g., \u003ccode\u003ebusiness_advanced_security.disabled_for_new_repos\u003c/code\u003e, \u003ccode\u003erepo.advanced_security_disabled\u003c/code\u003e) through the GitHub web interface or API.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker disables OAuth application restrictions (\u003ccode\u003eorg.disable_oauth_app_restrictions\u003c/code\u003e) to allow potentially malicious applications to access organizational data.\u003c/li\u003e\n\u003cli\u003eOr the attacker disables the two-factor authentication requirement (\u003ccode\u003eorg.disable_two_factor_requirement\u003c/code\u003e) for the organization, weakening account security.\u003c/li\u003e\n\u003cli\u003eThe attacker may then proceed to exploit the weakened security posture to access sensitive repositories, modify code, or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating rogue OAuth applications or adding unauthorized users to the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling security features in GitHub can lead to severe consequences. A successful attack can result in unauthorized access to sensitive code repositories, intellectual property theft, and data breaches. Disabling two-factor authentication makes accounts more vulnerable to credential stuffing and phishing attacks. The scope can range from a single repository to an entire organization, impacting hundreds or thousands of users and projects. The financial and reputational damage to the organization can be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGithub High Risk Configuration Disabled\u003c/code\u003e to detect the disabling of critical security features by monitoring GitHub audit logs.\u003c/li\u003e\n\u003cli\u003eEnable audit log streaming as documented in the rule definition to ensure that the necessary logs are captured for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of security feature disabling to determine if they are legitimate administrator actions or malicious activity.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users, especially those with administrative privileges, and monitor for attempts to disable MFA.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate GitHub organization and repository settings to ensure that security features are enabled and configured correctly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-31T18:22:00Z","date_published":"2024-10-31T18:22:00Z","id":"/briefs/2024-11-github-security-disabled/","summary":"An administrator or privileged user disables critical security features within a GitHub organization or repository, potentially leading to increased risk of unauthorized access, data breaches, and persistent compromise.","title":"GitHub Security Feature Disablement","url":"https://feed.craftedsignal.io/briefs/2024-11-github-security-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Security-Configuration","version":"https://jsonfeed.org/version/1.1"}