Login
Get started
Get started Login
Products
Solutions
KNOWLEDGE
HELP CENTER
COMPANY

Open web

DARK WEB

DATASETS

TECHNOLOGIES

Learn

Your hub for web data

BLOG

Large Language Models: What Your Data Must Include

Large Language Models like ChatGPT, and BERT need huge and quality datasets. Here's what their datasets should include.

Back to all Dark Web Pulses
Data Breach Threats

What Should GitHub Supply Chain Attack Teach Us?

April 27, 2022    
What Should GitHub Supply Chain Attack Teach Us?
Liran Sorani
Liran Sorani

Cyber Business Unit Manager

In the latest supply chain attack, the online software development platform GitHub fell victim to a cyberattack after its source code was compromised.

The source-code repository is sometimes considered the soft underbelly of a company. Developers might leave assets such as IPs, domains, tokens, credentials, and other private assets as part of the package they write. This type of coding style can help attackers to gain access to sensitive private services unnoticed, making it harder for companies to detect the breach for long periods of time.

In this latest attack, the threat actor used stolen OAuth user tokens issued to Heroku and Travis-CI to download data from the private repositories of dozens of organizations, including GitHub’s own npm production infrastructure.

How was the attack launched?

Step #1

The attacker accessed and breached, most likely a few months ago, the cloud services of Heroku and Travis.ci which serve thousands of private companies.

Step #2

The attacker stole OAuth user tokens, enabling access to GitHub.

Step #3

The attacker used the tokens to access GitHub and download the source codes of dozens of private companies.

Step #4

The attacker then used the stolen source codes to compromise other companies.

The different stages of the attack

What will the attackers do next?

Once they steal other private assets, the attacks are likely to take one of the next two steps:

  1. Sell the compromised assets of these private organizations in dark web marketplaces
  2. The attackers use the compromised data to breach other organizations and steal more sensitive information and assets.

What are the other implications of the GitHub supply chain attack?

There are various implications to this type of supply chain attack. For example:

  • The news spreads and other criminals become aware of the breach which can increase the demand for the breached assets.
  • Copycat hackers will try to attack the same cloud service or other cloud services to gain access to GitHub’s OAuth tokens, knowing it’s very likely to lead them to highly valuable private information.

Mentions of Travis.ci and Heroku on the dark web

Using our dark web data, we ran our query to search for mentions of Travis.ci and Heroku on dark web marketplaces, forums, and discussions.

In the next chart, you can see the number of mentions of Travis.ci and Heroku on the dark web over the past 4 months. We can see a spike in activity around March 7, 2022, a month before GitHub made a public announcement about the attack. This could indicate that threat actors were looking to breach the systems of Travis.ci and Heroku.

A little more than a month later, around the time the news of the attack was made public, we can see another increase in the number of mentions of Travis.ci and Heroku. This could suggest that other threat actors searched for the leaked data from the GitHub attack.

The number of mentions of Travis.ci and Heroku on the dark web over the past 4 months.

We also searched for keywords that are relevant to this attack. In this case we ran a query to search for mentions of “token grabber” or “token leecher”, on the dark web. The results showed a higher number of discussions on topics like methods to compromise user tokens, including tools and techniques, about two months before and a day after the news about the GitHub attack made it to the headlines.

The results to a query we ran to search for mentions of “token grabber” or “token leecher” on the dark web.

We also took a closer look at mentions of Heroku leaked accounts, which increased in early 2022. Many of them were traded in Russian Market and 2easy stores.

In the following image, you can see an example of one of these mentions, which we crawled from a Telegram hacking group in February. In this post, threat actors are discussing Heroku breached accounts:

A post rom a Telegram hacking group, where threat actors are discussing Heroku breached accounts in Malaysian.

The discussion on this group, called xplor_official, is in Malaysian. Two threat actors are discussing Heroku tokens, one of them asks if the other has a token, the second user responds by saying he has a token. This discussion is an indication of a potential risk for Heroku’s domain. We identified similar mentions of Heroku across other Telegram channels.

In order to break the chain and protect against third-party attacks, companies need to continuously collect intelligence from the deep and dark web. It is in these online spaces that threat actors and cybercriminals discuss their plans and trade compromised entities and PIIs which can bring the entire chain down.

Using Webz.io’s live and historical data from the deep and dark web, enterprises and organizations around the world are monitoring compromised assets, entities, brands, IPs, and CVEs to stay ahead of the next cyberattack.

Spread the News
Previous Post
Next Post

Not subscribed to our Dark Web Pulse updates?

By submitting you agree to Webz.io's Privacy Policy and further marketing communications.

Read More

Could Panasonic’s Breach Have Been Prevented?
January 24, 2022    

Could Panasonic’s Breach Have Been Prevented?

On November 26, 2021, Panasonic joined a long list of companies that suffered a data breach over the past year. See the posts we found in the dark web that could indicate that an attack was in the making.
Top 5 Ransomware Group Trends in 2021
January 24, 2022    

Top 5 Ransomware Group Trends in 2021

Ransomware gangs ramped up their cyber attacks in 2021. Here are 5 trends related to these groups that you need to know.
The Rise in Use of Alternative Social Media Platforms for Illicit Activities
January 24, 2022    

The Rise in Use of Alternative Social Media Platforms for Illicit Activities

The year of 2021 has seen the rise of alternative social media platforms. Discover the top illicit discussion topics we monitored on these sites.

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED

Don't be the last one to know!

Chances are your compromised data is already traded on the dark web.
Ready to discover them and protect your business?

Let's go
Has Your Data Been Breached?

Find breaches, stolen credentials and malware risks on the deep and dark web.

Start Free Scan
Subscribe to our newsletter for more news and updates!

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about Webz.io’s solutions
get started
Create your API account and get instant access to millions of web sources
SEE DEMO