Last week, GitHub Security announced an investigation into abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI.
According to a GitHub advisory, the attackers gained access using a stolen AWS API key, which they allegedly obtained by downloading private npm repositories with a compromised OAuth token issued to one of the third-party OAuth integrators, Heroku or Travis-CI.
The campaign was detected on April 12 when the threat actor had already accessed and stolen data from multiple organizations. Both Heroku and Travis-CI were notified of the compromise shortly after, and were asked to revoke potentially compromised OAuth user tokens.
GitHub confirmed it’s working to reveal the full scope of the incident and alert all of the known-affected victim users and organizations.
Why Does It Matter?
The usage and demand for SaaS have recently exploded. With this exponential increase of SaaS applications used daily by organizations in the last few years, putting in place a comprehensive security program around the SaaS environment becomes more critical than ever before.
Even though this security incident is still under investigation, what’s clear is that the frequency of SaaS-related incidents is increasing. The GitHub announcement follows an Okta breach revealed just a few weeks ago.
While the full scope of this security breach is still in review, there are a few things that can be done today to limit potential exposure to this and similar incidents:
- Initiate a detailed review of the Heroku and Travis-CI OAuth integrations authorized against your GitHub organization, and temporarily block them until the investigation is complete.
- Ensure there’s a proper SaaS security solution deployed in your organization that discovers the entire SaaS application landscape of the organization, including extensions (API tokens) provisioned by users to additional applications.
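As an added illustration of the review step above (example code written for this article, not GitHub's API or the Axonius product), the script below walks an inventory of OAuth grants authorized against an organization and flags the ones to act on: grants to the two integrators named in GitHub's advisory are marked for immediate revocation, and any grant carrying write-capable scopes or that has gone unused for a long time is listed for follow-up. The flat inventory format (app name, granted scopes, last-used date, authorizing user), the sample entries and the review date are all constructed assumptions for this example.

```python
"""Review OAuth grants authorized against a GitHub organization and flag the
ones that should be revoked or scrutinized.

Assumptions for this example: the inventory is a flat export with app name,
granted scopes, last-used date and authorizing user. That shape is invented
here; it is not GitHub's API response format and not any vendor's tooling.
"""
from dataclasses import dataclass
from datetime import date

# Integrators named in GitHub's advisory. Names are compared after normalizing
# case, hyphens and whitespace so "Travis-CI", "Travis CI" and "travis ci" match.
COMPROMISED_INTEGRATORS = ("heroku", "travis ci")

# GitHub OAuth scopes that grant write or administrative access. A grant with
# any of these deserves review regardless of which vendor holds it.
HIGH_RISK_SCOPES = frozenset(
    {"repo", "workflow", "admin:org", "write:org", "admin:repo_hook", "delete_repo"}
)

# Constructed review date for the example (the week of GitHub's announcement).
REVIEW_DATE = date(2022, 4, 18)


@dataclass(frozen=True)
class OAuthGrant:
    app_name: str
    scopes: frozenset       # scopes granted to the third-party app
    last_used: date         # last time the token was exercised
    owner: str              # user who authorized the grant


def _normalize(name: str) -> str:
    """Lower-case, replace hyphens with spaces and collapse whitespace."""
    return " ".join(name.lower().replace("-", " ").split())


def is_compromised_vendor(grant: OAuthGrant) -> bool:
    """True if the app belongs to one of the integrators named in the advisory."""
    norm = _normalize(grant.app_name)
    return any(norm == v or norm.startswith(v + " ") for v in COMPROMISED_INTEGRATORS)


def classify(grant: OAuthGrant, stale_after_days: int = 90,
             today: date = REVIEW_DATE) -> list:
    """Return the list of reasons this grant needs attention (empty if none)."""
    reasons = []
    if is_compromised_vendor(grant):
        reasons.append("vendor named in GitHub advisory")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if (today - grant.last_used).days > stale_after_days:
        reasons.append(f"unused for more than {stale_after_days} days")
    return reasons


def review(grants, today: date = REVIEW_DATE) -> dict:
    """Map app name -> reasons for every grant that has at least one finding."""
    findings = {}
    for grant in grants:
        reasons = classify(grant, today=today)
        if reasons:
            findings[grant.app_name] = reasons
    return findings


def revoke_now(grants) -> list:
    """App names to block immediately: the integrators named in the advisory."""
    return [g.app_name for g in grants if is_compromised_vendor(g)]


# Constructed sample inventory; none of these entries are real grants.
SAMPLE_GRANTS = [
    OAuthGrant("Heroku", frozenset({"repo", "user:email"}), date(2022, 4, 10), "alice"),
    OAuthGrant("Travis CI", frozenset({"repo", "read:org"}), date(2022, 3, 30), "bob"),
    OAuthGrant("Example Code Scanner", frozenset({"read:org"}), date(2021, 12, 1), "carol"),
    OAuthGrant("Slack", frozenset({"read:org"}), date(2022, 4, 15), "dave"),
]

if __name__ == "__main__":
    print("Revoke immediately:", revoke_now(SAMPLE_GRANTS))
    for app, reasons in review(SAMPLE_GRANTS).items():
        print(f"{app}: {'; '.join(reasons)}")
```

The vendor match is deliberately separate from the scope and staleness checks: blocking the named integrators is the immediate action, while the other findings feed the broader inventory review the second recommendation calls for.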
Axonius SaaS Management enables security teams to navigate complexity and risk across the entire SaaS application environment. By adopting a comprehensive approach to SaaS security, it discovers both known and unknown SaaS applications, providing complete and actionable visibility into all data types and interconnectivity flows, including OAuth tokens and extensions to third- and fourth-party applications. The solution enables the discovery and mitigation of various security risks, including misconfiguration issues, suspicious or malicious behavior, and user access management.