What's Happening?
Threat actors have been exploiting the GitHub API to conduct a mass reconnaissance campaign, as reported by Datadog. This activity involves the systematic enumeration of organizations, repositories, and user accounts using ghost accounts that were registered
two to five years ago but remained dormant. The campaign has been ongoing for several months and involves automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts. The GitHub API requests target publicly available data, blending with normal traffic, and in some cases, escalate to attackers cloning discovered repositories. The activity primarily uses user agents named to resemble data exfiltration or analytics tools, with most requests targeting GraphQL and some aimed at REST routes. Although the enumeration rarely results in meaningful access, it serves as reconnaissance, with some instances of successful data exfiltration from targeted organizations.
Why It's Important?
This campaign highlights significant vulnerabilities in the GitHub API that can be exploited for reconnaissance purposes. The ability to map organizations, their members, and accessed projects without authentication poses a risk to data security. Organizations using GitHub may face potential data breaches if attackers move beyond reconnaissance to exfiltrate sensitive information. The campaign underscores the importance of monitoring API traffic and implementing robust security measures to detect and prevent unauthorized access. The use of ghost accounts and automated tools in this campaign reflects evolving tactics in cyber threats, emphasizing the need for continuous vigilance and adaptation in cybersecurity strategies.
What's Next?
Organizations are advised to enhance their security measures by enabling GitHub audit log streaming, baselining user agents, and proactively hunting for threats. Developing unique detections tailored to specific GitHub environments can help identify unauthorized activities. Monitoring for anomalous user agent behavior and checking logs for unusual activity are crucial steps in mitigating the risk of data exfiltration. As threat actors continue to evolve their tactics, organizations must remain vigilant and adapt their security strategies to protect against potential breaches.













