GitHub Phishing Campaign Wipes Repos, Extorts Victims

Summary:
CronUp security researcher German Fernandez has shed light on a phishing and extortion campaign targeting GitHub users. The campaign, which has been ongoing for several months, takes advantage of GitHub’s notification system and a malicious OAuth app to gain access to victims’ repositories and hold their contents for ransom. According to Fernandez, actors are mentioning GitHub usernames in comments, which triggers an email to be sent to the account owner. The comments left by the actors are designed to appear like an email from GitHub staff, offering the targeted user a job or alerting them of a supposed security breach. Embedded in the comments is a link to websites closely resembling GitHub domains (e.g. githubcareers[.]online and githubtalentcommunity[.]online) which, if clicked, prompts the user to give an external app access to and control over their account and repositories via OAuth. In this case, actors have been observed using the access to wipe the contents of the user’s repositories and replace them with a README file that directs the victim to contact a user called “gitloker” on Telegram to recover their data.

Security Officer Comments:
Compromised accounts are being used to post further comments, in turn triggering more notification emails to be sent to victims. Given that these notifications are sent from a legitimate GitHub email address, notifications@github[.]com, users are more likely to fall for the lure.

Based on attacks observed so far, extortion is the main objective of these campaigns, where contents stored in repositories are wiped entirely and a ransom note is left behind for negotiations. However, this tactic of compromising GitHub user accounts could be leveraged in supply chain attacks, where actors can use their access to upload malicious code into repositories and infect end users with malware.

Suggested Corrections:
GitHub users should be cautious of email notifications coming from notifications@github[.]com and avoid clicking on links in suspicious messages. Furthermore, it’s advised to periodically review OAuth applications linked to GitHub accounts and revoke access to any that are unused or appear suspicious. In the event of a compromise, users should change their access tokens and password, and reset their two-factor authentication recovery codes.
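
One way to triage notification emails for the lure described above, as an added example that is not from the original article: it extracts links from a message body and flags hosts that use the GitHub name but are not on a GitHub-owned domain. The trusted-domain list, the sample body and its URL paths are constructed assumptions; only the two lookalike domains come from the article, and the heuristic only catches hosts containing "github".

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as GitHub-owned for this check; adjust for your environment.
TRUSTED_SUFFIXES = ("github.com", "githubusercontent.com", "githubassets.com", "github.blog")
BRAND = "github"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def refang(text):
    """Undo common defanging ([.] and hxxp) so quoted indicators parse as URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # e.g. malformed bracketed host
        return ""
    return host.rstrip(".").lower()

def is_trusted(host):
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_links(body):
    """Return (url, host) pairs whose host carries the brand name but is not GitHub-owned."""
    hits = []
    for url in URL_RE.findall(refang(body)):
        host = host_of(url)
        if BRAND in host and not is_trusted(host):
            hits.append((url, host))
    return hits

# Constructed sample of a mention notification body (links kept defanged in source).
SAMPLE = """@example-user mentioned you in example-org/example-repo#1

Hi! GitHub is hiring developers. Apply here: https://githubcareers[.]online/apply
More roles: https://githubtalentcommunity[.]online/
View it on GitHub: https://github.com/example-org/example-repo/issues/1
"""

if __name__ == "__main__":
    for url, host in suspicious_links(SAMPLE):
        print(f"lookalike host {host!r} in link {url}")
```

A hit here is a reason to stop before any OAuth authorization prompt, since the sender address alone (notifications@github[.]com) does not distinguish these messages from legitimate ones.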

Link(s):
https://www.scmagazine.com/news/github-phishing-campaign-wipes-repos-extorts-victims