GitHub: Hackers Breached Multiple Orgs Using Stolen OAuth User Tokens
Read also: the US blames North Korea’s Lazarus Group for the $620M Axie Infinity hack, Beanstalk Farm suffers $182 million financial losses due to a cyber-attack, and more.
Thursday, April 21, 2022
GitHub discloses a supply chain attack involving stolen OAuth user tokens
Cloud-based repository hosting service GitHub disclosed a security incident, in which malicious actors compromised dozens of organizations using stolen OAuth user tokens.
The breach was discovered on April 12, when GitHub’s security team uncovered evidence that an attacker used stolen OAuth user tokens issued to third-party OAuth integrators Heroku and Travis-CI to download private repositories from multiple organizations, including NPM, that were using Heroku and Travis-CI apps.
The company said that it found no evidence that these tokens were obtained from its systems, as “the tokens in question are not stored by GitHub in their original, usable formats.” GitHub said it has notified all affected customers of the breach.
Following the incident Travis CI and Heroku released their statements regarding the situation. Travis CI said that after learning about the breach it immediately revoked all authorization keys and tokens preventing any further access to its systems. The company revealed that the attacker breached a Heroku service and accessed a private app OAuth key used to integrate the Heroku and Travis CI application. It added that customers' repositories or data were not impacted in the incident.
US blames North Korea’s Lazarus Group for the $620M Axie Infinity hack
The FBI confirmed that Lazarus Group, a North Korea-linked state-sponsored hacker group was behind the March 2022 theft of nearly $620 million from the Ronin network used for the Axie Infinity blockchain-based game. The heist, dubbed the Ronin Validator Security Breach, is one of the largest cryptocurrency thefts to date.
In parallel, the US Treasury Department imposed sanctions against the hacker group and tied it to the heist through the Ethereum address that received stolen funds and was identified as belonging to Lazarus.
The US State Department has offered a reward of up to $5 million for information about North Korea’s cyber operations.
Earlier this week, the US authorities warned that North Korean hackers, namely Lazarus Group, have been targeting cryptocurrency industry with trojanized cryptocurrency apps since at least 2020.
Beanstalk Farm DeFi project suffers $182M financial losses due to a flash loan attack
Credit-based stablecoin protocol Beanstalk Farms suffered a $182 million loss following a flash loan attack, which took place over the weekend. The hack abused Beanstalk’s majority vote governance system and exploited a weakness (the lack of an anti-flashloan mechanism) in the Beanstalk protocol.
Blockchain analytics company PeckShield, which first discovered the intrusion, noted that the hackers stole over 24,000 in Ethereum and 36 million in Bean (Beanstalk stablecoin). Researchers estimate that the attackers netted $80 million.
Meanwhile, Beanstalk said that around $76 million was stolen from the protocol’s liquidity pools. The company also offered the hackers behind the attack to keep 10% of stolen funds as a “Whitehat bounty” if they return 90% of stolen assets.
UK officials, Catalan politicians targeted with Pegasus spyware
Digital rights watchdog group Citizen Lab disclosed two separate espionage campaigns that leveraged the Pegasus spyware developed by Israeli tech company NSO Group. The first campaign affected official UK government networks, including the prime minister’s office and foreign ministry, while the other targeted at least 63 Catalan individuals, including Members of the European Parliament (MEPs), presidents, legislators, jurists, and journalists.
In case of UK officials the suspected infections, which occurred in 2020 and 2021, were associated with Pegasus operators linked to the UAE, India, Cyprus and Jordan.
The spyware attacks targeting Catalan individuals took place between 2017 and 2020 and leveraged a previously undisclosed iOS zero-click exploit, dubbed “Homage” by Citizen Lab. The exploit affects devices running iOS versions before 13.2. The researchers said they found no evidence that Homage is effective against the latest versions of iOS operating system.
Five Eyes alliance warns of risk of Russian cyber-attacks against critical infrastructure
Five Eyes cybersecurity authorities issued a joint security alert urging critical infrastructure network defenders to prepare for cyber threats coming from Russia, as the country’s government is exploring options for potential cyber-attacks against Western nations as part of its ongoing war against Ukraine.
The security advisory highlights tactics, techniques, and procedures (TTPs) used by the Russian state-sponsored hacker groups (APT28, APT29, Sandworm and others) in their cyber operations. The agencies also warned that several cybercrime groups have publicly pledged support to the Russian government threatening to conduct cyber-attacks in retaliation for perceived cyber offensives against Russia or materiel support for Ukraine.
Due to an increased risk of Russian cyber-attacks critical infrastructure network defenders are strongly advised to prepare for destructive malware, ransomware, distributed denial of service attacks, and cyber espionage operations.
What’s next:
- Follow ImmuniWeb on Twitter and LinkedIn
- Subscribe to newsletter to get the next post automatically
- Explore 18 use cases how ImmuniWeb can help
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law. 
