AI Security AI安全 2h ago Updated 2h ago 更新于 2小时前 42

Ghost Accounts Abuse GitHub API in Mass Recon Campaign 幽灵账户滥用GitHub API进行大规模侦察活动

Threat actors are leveraging dormant "ghost" GitHub accounts and leaked credentials to systematically enumerate public and private organizational assets via the GitHub API. Attackers utilize automated scanners and misleading user agents to blend malicious traffic with normal API requests, often escalating from reconnaissance to actual data exfiltration. Datadog highlights that unauthenticated access to public endpoints allows adversaries to map entire organizations, while compromised tokens enab Datadog报告威胁行为者利用GitHub API系统性枚举组织、仓库和用户账户,活动已持续数月。 攻击者使用注册2-5年的休眠“幽灵账户”及自动化工具,伪装成正常流量进行侦察。 部分攻击涉及泄露的合法用户令牌,针对私有仓库提交路径,极少数情况导致数据外泄。 防御者应启用审计日志流,基线化User Agent行为,并主动狩猎异常活动以检测此类侦察。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • Threat actors are leveraging dormant "ghost" GitHub accounts and leaked credentials to systematically enumerate public and private organizational assets via the GitHub API.
  • Attackers utilize automated scanners and misleading user agents to blend malicious traffic with normal API requests, often escalating from reconnaissance to actual data exfiltration.
  • Datadog highlights that unauthenticated access to public endpoints allows adversaries to map entire organizations, while compromised tokens enable access to private repository commits.
  • Detection strategies must focus on baselining user agent behavior, monitoring for anomalous access patterns to private repositories, and enabling comprehensive GitHub audit log streaming.

Why It Matters

This incident underscores the critical vulnerability of relying on API traffic patterns for security, as attackers effectively camouflage reconnaissance activities within legitimate noise. For AI practitioners and security teams, it highlights the necessity of strict identity governance and behavioral analytics, particularly when integrating third-party services or managing open-source dependencies where credential leakage is a common risk vector.

Technical Details

  • Attack Vector: Utilization of over 50 dormant GitHub accounts ("ghost accounts") registered years prior, combined with leaked tokens from legitimate users, to bypass standard authentication anomalies.
  • API Abuse: Exploitation of both REST and GraphQL endpoints; specifically targeting public organization listings, user followers, and private repository commit paths using tokens obtained through inadvertent exposure.
  • Evasion Techniques: Malicious requests mimic legitimate tooling by using user agents associated with data exfiltration, analytics, or dashboards, generating HTTP 200 responses to avoid triggering immediate authentication failure alerts.
  • Detection Recommendations: Implementation of GitHub audit log streaming, proactive threat hunting based on user agent baselining, and specific detection rules for unauthorized access to private repositories.

Industry Insight

Organizations must treat API keys and tokens with the same rigor as passwords, implementing automated rotation and scanning for accidental commits containing credentials. Security operations centers should move beyond static rule-based detection for API traffic, adopting behavioral analysis to identify subtle shifts in user agent strings or access patterns that indicate automated enumeration tools. Finally, developers should enforce least-privilege access models for bots and CI/CD pipelines to limit the blast radius of any potential token compromise.

TL;DR

  • Datadog报告威胁行为者利用GitHub API系统性枚举组织、仓库和用户账户,活动已持续数月。
  • 攻击者使用注册2-5年的休眠“幽灵账户”及自动化工具,伪装成正常流量进行侦察。
  • 部分攻击涉及泄露的合法用户令牌,针对私有仓库提交路径,极少数情况导致数据外泄。
  • 防御者应启用审计日志流,基线化User Agent行为,并主动狩猎异常活动以检测此类侦察。

为什么值得看

本文揭示了针对GitHub生态系统的隐蔽侦察新手法,强调了即使公开API也可能被滥用为大规模情报收集工具。对于安全从业者和开发者而言,理解这种从公开数据枚举到潜在私有数据泄露的攻击路径,有助于完善API监控策略和身份验证基线。

技术解析

  • 攻击载体与伪装:攻击者利用50多个注册多年且休眠的“幽灵账户”,使用模拟数据分析或仪表板工具的User Agent字符串,通过GraphQL和REST API发送请求,使恶意流量混入正常网络流量中。
  • 枚举范围:无需认证即可访问大量公共API表面,包括列出组织公共仓库、遍历用户关注列表、枚举Gist、星标仓库及组织成员资格,从而构建目标组织的完整映射。
  • 凭证滥用与升级:除了公开数据枚举,部分活动利用了意外暴露的合法用户令牌,直接针对私有仓库的提交路径进行扫描,并在罕见情况下成功执行了数据外泄。
  • 检测与防御建议:Datadog建议启用GitHub审计日志流,建立User Agent和事件活动的正常基线,重点关注访问私有仓库时的异常命名和版本行为,并进行主动威胁狩猎。

行业启示

  • API安全边界模糊化:即使是无认证的公共API接口,若缺乏速率限制和行为分析,也可能成为大规模资产发现和情报收集的入口,需重新评估公共端点的安全策略。
  • 身份生命周期管理至关重要:长期休眠账户(僵尸账户)可能被激活用于恶意目的,组织应定期清理不再使用的账户,并严格监控所有活跃账户的行为模式。
  • 从被动监控转向主动基线:传统的基于签名的检测难以应对此类混合在正常流量中的侦察行为,建立环境特定的行为基线(如User Agent分布)并结合主动狩猎是更有效的防御手段。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全