Datadog Security Labs has reported multiple campaigns targeting corporate GitHub organizations using outdated or ghost accounts. Attackers utilize this method to bypass scrutiny while gathering sensitive organizational data and have successfully cloned private repositories in certain instances.
Datadog Security Labs has identified several overlapping campaigns that are enumerating corporate GitHub organizations using the GitHub API. Attackers utilize a combination of dormant accounts, legitimate user accounts, and custom automated tools to scrape public and, in some cases, private data from GitHub.
The attackers exploit over 50 dormant accounts created two to five years ago, leveraging them to avoid detection. This use of old 'ghost' accounts allows them to issue API traffic that blends in with normal usage, making it difficult for GitHub to flag suspicious activity.
The scraping techniques used in these campaigns include listing organization's public repositories, enumerating user connections, and running GraphQL queries against public objects. This data can be utilized by threat actors to map out organizational structures, repository modifications, and member activities.
While many of the API requests seem ordinary and legitimate, the overall pattern of behavior from a group of accounts targeting multiple organizations raises significant red flags. The potential for data breaches increases as attackers have successfully cloned private repositories in certain scenarios.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Datadog Security Labs has reported multiple campaigns targeting corporate GitHub organizations using outdated or ghost accounts. Attackers utilize this method to bypass scrutiny while gathering sensitive organizational data and have successfully cloned private repositories in certain instances.