<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Security-Control — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/security-control/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/security-control/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitHub Enterprise IP Allow List Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-ip-allow-list-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-ip-allow-list-disabled/</guid><description>An IP allow list was disabled in GitHub Enterprise, potentially allowing unauthorized access from untrusted networks and exposing sensitive code repositories.</description><content:encoded><![CDATA[<p>This threat brief covers the disabling of an IP allow list in a GitHub Enterprise environment. An IP allow list restricts access to an organization&rsquo;s or enterprise&rsquo;s resources to a set of trusted IP addresses or CIDR ranges, and is a key control against the use of stolen credentials from outside the corporate network. When the GitHub Enterprise audit log records the allow list being disabled, the event may indicate malicious activity, such as an attacker with compromised administrator credentials circumventing existing access controls, or the action of a malicious insider. It may also be an unreviewed administrative change, which is why every such event should be verified against a change record rather than assumed benign.
Disabling the IP allow list exposes code repositories and other GitHub Enterprise resources to access from any IP address, significantly increasing the attack surface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises credentials that hold administrative privileges (organization owner or enterprise owner) in GitHub Enterprise.</li>
<li>The attacker authenticates to the GitHub Enterprise instance. While the allow list is still enforced this must happen from a permitted address, for example through a compromised corporate host or VPN endpoint, because the control blocks access from anywhere else.</li>
<li>The attacker navigates to the organization or enterprise settings where the IP allow list is configured.</li>
<li>The attacker disables the IP allow list, removing all restrictions on which IP addresses can reach the GitHub Enterprise resources. (A stealthier variant adds the attacker&rsquo;s own address as a new allow list entry instead of turning the feature off; both changes appear in the audit log.)</li>
<li>The attacker now connects from IP addresses the allow list would previously have rejected.</li>
<li>The attacker accesses and potentially exfiltrates sensitive code repositories and data.</li>
<li>The attacker attempts to modify code, plant backdoors, or perform other malicious activity from that unrestricted access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling the IP allow list removes a network-level boundary around the organization&rsquo;s source code. Sensitive repositories become reachable from any address, which can lead to theft of intellectual property or to malicious code being introduced into the software supply chain through the affected repositories. If the attacker succeeds, the organization&rsquo;s data and downstream systems may be compromised, with financial, reputational, and legal consequences. The scope of the impact depends on the sensitivity of the data held in the GitHub Enterprise instance, on how long the allow list stayed disabled, and on how far the attacker was able to leverage the unrestricted access during that window.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and review the provided Sigma rule to detect IP allow list changes in GitHub Enterprise, so that unauthorized changes are identified and responded to quickly.</li>
<li>Investigate every alert the Sigma rule raises, focusing on the <code>actor</code>, <code>actor_id</code>, and <code>user_agent</code> fields, together with the source IP address where your audit log records it, to determine who made the change, from where, and whether it matches an approved change record.</li>
<li>If the change was not authorized, re-enable the allow list immediately, rotate the credentials of the account that made the change, and review all activity that occurred from addresses outside the former allowed ranges while the control was disabled.</li>
<li>Require multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges, so that stolen credentials alone are not sufficient to authenticate.</li>
<li>Review the GitHub Enterprise audit log regularly for suspicious activity, including changes to security settings and access from unusual locations, using audit log streaming to your SIEM (for example Splunk) rather than ad hoc manual exports.</li>
<li>Enforce the principle of least privilege, granting users only the permissions their role requires, so that a compromised account is less likely to be able to alter security settings. Where the allow list is managed at the enterprise level, an organization owner alone cannot turn it off, which shrinks the set of accounts an attacker can use for this step.</li>
</ul>
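<p>The detection described in the recommendations, as an added example that is not the feed&rsquo;s Sigma rule or any GitHub code: it runs the two checks a responder wants over a handful of audit log lines, first the allow list being disabled or weakened, then follow-on activity from addresses outside the ranges that used to be enforced (attack chain steps 5 and 6). The field names (<code>action</code>, <code>actor</code>, <code>actor_id</code>, <code>actor_ip</code>, <code>user_agent</code>, <code>org</code>, <code>@timestamp</code> in epoch milliseconds) follow GitHub&rsquo;s audit log JSON export as understood by the editor, the <code>ip_allow_list.*</code> action names are taken from GitHub&rsquo;s documented audit log actions, and the sample events, the organization name, and the <code>203.0.113.0/24</code> allow list are constructed for the demonstration; confirm all of them against your own export before deploying.</p>

```python
"""Added example, not the feed's Sigma rule or GitHub's code: detect an IP allow
list being disabled/weakened in GitHub Enterprise audit-log lines, then flag
follow-on activity from addresses the list used to block.

Assumptions: audit-log field names and the ip_allow_list.* action names follow
GitHub's audit-log JSON export as the editor understands it; the events, the
"acme" organization and the 203.0.113.0/24 allow list are constructed.
"""
import ipaddress
import json

# Actions that remove or weaken the allow list (assumed GitHub action names).
WEAKENING_ACTIONS = {
    "ip_allow_list.disable": "IP allow list disabled",
    "ip_allow_list.disable_for_installed_apps": "allow list no longer enforced for GitHub Apps",
    "ip_allow_list_entry.delete": "allow list entry removed",
}

# Constructed NDJSON audit-log lines, one event per line (@timestamp is epoch ms).
# Line 2 disables the list from inside the corporate range; line 3 is a clone
# from an outside address a few minutes later.
SAMPLE_LOG = """\
{"@timestamp": 1704268800000, "action": "org.add_member", "actor": "alice", "actor_id": 42, "actor_ip": "203.0.113.10", "org": "acme", "user_agent": "Mozilla/5.0"}
{"@timestamp": 1704273120000, "action": "ip_allow_list.disable", "actor": "bob-admin", "actor_id": 1001, "actor_ip": "203.0.113.25", "org": "acme", "user_agent": "python-requests/2.31.0"}
{"@timestamp": 1704273300000, "action": "git.clone", "actor": "bob-admin", "actor_id": 1001, "actor_ip": "198.51.100.7", "org": "acme", "repo": "acme/payments-core", "user_agent": "git/2.43.0"}
{"@timestamp": 1704273600000, "action": "repo.create", "actor": "carol", "actor_id": 77, "actor_ip": "203.0.113.40", "org": "acme", "repo": "acme/docs", "user_agent": "Mozilla/5.0"}
"""

# The ranges the organization's allow list enforced before it was disabled (constructed).
ALLOWED_CIDRS = ["203.0.113.0/24"]


def parse_events(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON, skip blank lines, return oldest event first."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["@timestamp"])


def find_weakening_events(events: list[dict]) -> list[dict]:
    """Flag every event that disables or narrows the allow list, keeping the fields
    the brief tells responders to triage first (actor, actor_id, user_agent)."""
    alerts = []
    for e in events:
        action = e.get("action")
        if action in WEAKENING_ACTIONS:
            alerts.append({
                "timestamp": e["@timestamp"],
                "action": action,
                "reason": WEAKENING_ACTIONS[action],
                "actor": e.get("actor"),
                "actor_id": e.get("actor_id"),
                "actor_ip": e.get("actor_ip"),
                "user_agent": e.get("user_agent"),
                "org": e.get("org"),
            })
    return alerts


def find_out_of_range_activity(events: list[dict], allowed_cidrs: list[str], since_ts: int) -> list[dict]:
    """From since_ts onward, return events whose source IP lies outside the ranges
    that used to be enforced: exactly the access the control would have blocked."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for e in events:
        if e["@timestamp"] < since_ts or "actor_ip" not in e:
            continue  # actor_ip is only present when IP disclosure is enabled
        ip = ipaddress.ip_address(e["actor_ip"])
        if not any(ip in net for net in networks):
            hits.append({
                "timestamp": e["@timestamp"],
                "action": e["action"],
                "actor": e.get("actor"),
                "actor_ip": e["actor_ip"],
                "repo": e.get("repo"),
            })
    return hits


def analyze(ndjson: str, allowed_cidrs: list[str]) -> dict:
    """Run both checks; the out-of-range search starts at the first weakening event."""
    events = parse_events(ndjson)
    weakening = find_weakening_events(events)
    out_of_range = []
    if weakening:
        out_of_range = find_out_of_range_activity(events, allowed_cidrs, weakening[0]["timestamp"])
    return {"weakening": weakening, "out_of_range": out_of_range}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, ALLOWED_CIDRS)
    for a in result["weakening"]:
        print(f"[ALERT] {a['reason']} in org {a['org']} by {a['actor']} (id {a['actor_id']}) "
              f"from {a['actor_ip']} UA={a['user_agent']!r}")
    for h in result["out_of_range"]:
        print(f"[FOLLOW-ON] {h['action']} on {h['repo']} by {h['actor']} from {h['actor_ip']} "
              f"(outside the former allow list)")
```

<p>On the sample lines the first check raises one alert (the <code>ip_allow_list.disable</code> by <code>bob-admin</code>, notable for its scripted user agent) and the second attributes the subsequent <code>git.clone</code> of <code>acme/payments-core</code> from <code>198.51.100.7</code> to the now-unrestricted access. The follow-on check depends on <code>actor_ip</code>, which GitHub records only when IP address disclosure is enabled for the enterprise audit log, so confirm the field is present in your export before relying on it; without it, fall back to correlating the actor&rsquo;s sessions in your identity provider.</p>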
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>cloud</category><category>ip-allow-list</category><category>bypass</category><category>security-control</category><category>anomaly</category></item></channel></rss>