Ghost Accounts Abuse GitHub API in Mass Recon Campaign
Threat actors are abusing the GitHub API to systematically enumerate organizations, repositories, and user accounts, Datadog reports.
Spanning multiple overlapping campaigns, the activity has been ongoing for several months, relying on ghost accounts that were registered two to five years ago but left dormant.
The activity, Datadog says, involves automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.
While the observed GitHub API requests are targeting publicly available data, blending with normal traffic, the continuous activity that in some cases escalated to the attackers cloning discovered repositories raises concern.
“A large share of GitHub’s API surface is reachable without authentication. Listing an organization’s public repositories, walking a user’s followers and following lists, enumerating gists, starred repos, and org memberships, and running GraphQL queries against public objects all return data,” Datadog explains.
Requests against these public paths generate HTTP 200 responses and no authentication failure signals....
Copyright of this story solely belongs to securityweek.com. To see the full text click HERE