AI Security AI安全 1d ago Updated 23h ago 更新于 23小时前 46

Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs 休眠GitHub账户帮助攻击者混入并映射企业组织

Threat actors are utilizing dormant "ghost" GitHub accounts and compromised Personal Access Tokens (PATs) to blend in with legitimate traffic while systematically mapping corporate organizations. Automated scraping tools leverage public API endpoints to enumerate repositories, user relationships, and organizational structures without triggering immediate security alerts. The campaign escalates from passive reconnaissance to active exploitation, with confirmed instances of attackers cloning priva Datadog Security Labs 发现多起重叠的网络攻击活动,攻击者利用休眠多年的 GitHub “幽灵”账户和泄露的个人访问令牌(PAT)进行系统性枚举。 攻击者通过自动化扫描工具伪装成正常 API 流量,针对公开组织、仓库及用户关系进行情报收集,以规避安全检测。 尽管多数活动仅涉及公共数据,但已有案例证实攻击者成功克隆了私有仓库,表明威胁已从侦察升级为实际入侵。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Threat actors are utilizing dormant "ghost" GitHub accounts and compromised Personal Access Tokens (PATs) to blend in with legitimate traffic while systematically mapping corporate organizations.
  • Automated scraping tools leverage public API endpoints to enumerate repositories, user relationships, and organizational structures without triggering immediate security alerts.
  • The campaign escalates from passive reconnaissance to active exploitation, with confirmed instances of attackers cloning private repositories after gathering sufficient intelligence.

Why It Matters

This highlights a critical vulnerability in how organizations monitor API usage and identity verification, demonstrating that volume and pattern analysis are essential for detecting sophisticated reconnaissance. It underscores the risk of relying solely on public data availability, as attackers can aggregate seemingly benign activities to build comprehensive attack maps of corporate infrastructure.

Technical Details

  • Account Weaponization: Attackers use over 50 dormant accounts created two to five years prior, leaving them inactive to avoid suspicion before activating them for coordinated API scraping.
  • Authentication Abuse: The campaigns combine unauthenticated requests to public endpoints with authenticated requests using stolen or exposed OAuth tokens and PATs from legitimate users.
  • Enumeration Scope: Tools iterate through public repositories, follower/following lists, gists, starred repositories, and run GraphQL queries against public objects to map organizational hierarchies.
  • Aggregated Anomaly Detection: While individual requests appear normal, the synchronized movement of multiple accounts across different organizations using versioned custom tooling indicates malicious intent.

Industry Insight

  • Organizations must implement behavioral analytics that detect coordinated activity across multiple identities rather than focusing solely on per-account rate limits or authentication failures.
  • Regular auditing of Personal Access Tokens and OAuth permissions is crucial to prevent compromised credentials from being leveraged for large-scale data exfiltration.
  • Security teams should treat public API enumeration as a high-risk reconnaissance phase and establish monitoring for sudden spikes in cross-organizational API calls from previously inactive sources.

TL;DR

  • Datadog Security Labs 发现多起重叠的网络攻击活动,攻击者利用休眠多年的 GitHub “幽灵”账户和泄露的个人访问令牌(PAT)进行系统性枚举。
  • 攻击者通过自动化扫描工具伪装成正常 API 流量,针对公开组织、仓库及用户关系进行情报收集,以规避安全检测。
  • 尽管多数活动仅涉及公共数据,但已有案例证实攻击者成功克隆了私有仓库,表明威胁已从侦察升级为实际入侵。

为什么值得看

该资讯揭示了攻击者如何利用长期休眠账户和合法令牌混淆视听,这对依赖 GitHub 进行代码协作的企业构成了隐蔽的供应链安全风险。它提醒安全团队需重新评估 API 监控策略,关注异常聚合行为而非单一请求,以防止大规模的组织架构测绘和数据泄露。

技术解析

  • 攻击基础设施:攻击者组合使用自动化扫描器、超过 50 个创建 2-5 年前且长期未活动的“幽灵”账户,以及数十个因意外暴露或被黑而泄露 PAT 的合法账户。
  • 隐蔽性策略:利用 GitHub API 中大量无需认证即可访问的公共端点(如列出公开仓库、遍历关注者列表、查询 Gists 等),使单个请求看起来像正常的用户行为,从而避开基于阈值的警报。
  • 数据枚举范围:攻击者通过版本化的自定义工具在数周内同步跨公司组织进行枚举,映射内容包括公共仓库、成员关系、修改的项目等,构建完整的组织技术栈画像。
  • 升级风险:一旦完成侦察,部分攻击者会停止枚举并转向克隆私有仓库,已有确认案例显示私有代码库已被成功获取。

行业启示

  • 强化令牌生命周期管理:企业应定期审计和轮换所有 GitHub Personal Access Tokens (PATs),并实施最小权限原则,防止令牌泄露后被用于长期潜伏的攻击。
  • 优化异常检测机制:传统的基于单点请求的安全监控可能失效,需部署能够识别“聚合异常”的行为分析系统,检测多个账户协同、长时间跨度内的同步枚举模式。
  • 重视休眠账户风险:不仅活跃账户需要监控,长期未使用的“僵尸”账户也应纳入安全管理范围,定期清理或禁用,避免其成为攻击者借用的跳板。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Open Source 开源 Research 科学研究