Still need further proof that machine identities are key targets for cybercriminals? Look no further than the recent breach at GitHub that exposed the contents of various source code repositories. In the hack, attackers used a compromised access token to reach the code signing certificates for its Desktop and Atom applications. Because of the legitimacy they imply, code signing certificates are extremely valuable to threat actors.
Fortunately, GitHub appears to have detected the breach just a day after it happened. So, they were able to take corrective action quickly, but not before the damage had been done.
According to the GitHub blog, “On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems.”
Why is this such a big deal? GitHub is hugely valuable to developers: over 100 million developers use the platform, and the Fortune 500 and every major software developer from Microsoft to Google rely on it. “It’s no surprise that it’s become a focus point for attackers too,” notes Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “Unknown threat actors have stolen code-signing machine identities after gaining access to some of its development and release planning repositories. This enables attackers to masquerade their software as coming from GitHub.”
In the wrong hands, these machine identities could be used to pose as a trusted party, enabling an attacker to sign and distribute malicious content that other machines would authenticate as coming from GitHub. That is a powerful capability for supply chain attacks against other software developers, and it raises the possibility of further (or earlier) attacks that are not yet known.
In the case of GitHub, greater damage may have been averted. But an infiltration of this type still seems too close for comfort. As we have seen before, even the simplest of mistakes can have catastrophic impact. GitHub revealed some details of the attack: “A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.”
As an industry, we need to have much more discipline around how we store, manage and protect the machine identities that safeguard machine-to-machine connections and communications, especially in cloud native development environments. Unfortunately, the stolen GitHub code signing certificates are just one more example of how engineering teams moving fast can create new opportunities for attack.
Machine identity management is no longer optional. Bocek warns, “Code signing machine identities can’t be left unguarded with constant observability and control. The ability to rapidly find and reissue machine identities is impossible to do manually. To protect against events such as these, which are becoming increasingly common, security engineering teams must deploy a control plane for automating machine identity management.” By continuously protecting machine identities from theft, security teams can avoid the manual rotation, replacement and revocation processes that slow engineering teams down. That, in turn, encourages developers and leads to avoid the shortcuts that create breaches.