Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts
September 23, 2022
Ravie Lakshmanan

GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform.
The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted “many victim organizations.”
The fraudulent messages claim to notify users that their CircleCI sessions have expired and that they should log in using GitHub credentials by clicking on a link.
Another bogus email revealed by CircleCI prompts users to sign in to their GitHub accounts to accept the company’s new Terms of Use and Privacy Policy by following the link embedded in the message.
Regardless of the lure, following the link redirects the target to a lookalike GitHub login page designed to steal the entered credentials as well as the Time-based One-Time Password (TOTP) codes and relay them to the attacker in real time, effectively allowing a 2FA bypass.

“Accounts protected by hardware security keys are not vulnerable to this attack,” GitHub’s Alexis Wales said.
Other tactics the threat actor has used after gaining unauthorized access to a user account include creating GitHub personal access tokens (PATs), authorizing OAuth applications, and adding SSH keys, all of which maintain access even after a password change.
The attacker has also been spotted downloading private repository contents, and even creating and adding new GitHub accounts to an organization should the compromised account have organization management permissions.
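The post-compromise actions described above (new SSH keys, OAuth authorizations, PATs, repository downloads, new organization members) all leave entries in an organization's audit log, so a defender can look for clusters of them shortly after a login. The following detection script is an added example, not code from GitHub or the article; the audit-log action names and the sample entries are assumed/constructed and should be checked against a real export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Persistence/collection actions matching the behaviour described in the article.
# Action names are ASSUMED to follow GitHub's "category.action" audit-log convention.
SUSPICIOUS_ACTIONS = {
    "public_key.create": "SSH key added",
    "oauth_authorization.create": "OAuth app authorized",
    "personal_access_token.create": "PAT created",
    "org.add_member": "member added to organization",
    "repo.download_zip": "repository archive downloaded",
}

# Constructed sample audit-log entries (newline-delimited JSON), not real data.
SAMPLE_LOG = """
{"@timestamp": "2022-09-16T10:02:11Z", "action": "user.login", "actor": "alice", "actor_ip": "203.0.113.7"}
{"@timestamp": "2022-09-16T10:05:40Z", "action": "public_key.create", "actor": "alice", "actor_ip": "203.0.113.7"}
{"@timestamp": "2022-09-16T10:06:02Z", "action": "oauth_authorization.create", "actor": "alice", "actor_ip": "203.0.113.7"}
{"@timestamp": "2022-09-16T10:09:30Z", "action": "repo.download_zip", "actor": "alice", "actor_ip": "203.0.113.7", "repo": "acme/private-api"}
{"@timestamp": "2022-09-16T11:30:00Z", "action": "user.login", "actor": "bob", "actor_ip": "198.51.100.4"}
{"@timestamp": "2022-09-17T09:00:00Z", "action": "public_key.create", "actor": "bob", "actor_ip": "198.51.100.4"}
"""


def parse_log(text):
    """Parse NDJSON audit entries into dicts, adding a timezone-aware datetime under 'ts'."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_post_login_persistence(events, window=timedelta(minutes=30), min_hits=2):
    """Return {actor: [(action, description), ...]} for actors that perform at least
    `min_hits` suspicious actions within `window` after one of their logins."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "user.login":
            logins[e["actor"]].append(e["ts"])
    flagged = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        desc = SUSPICIOUS_ACTIONS.get(e["action"])
        if desc is None:
            continue
        # Only count actions that follow a login by the same actor within the window.
        if any(timedelta(0) <= e["ts"] - t <= window for t in logins[e["actor"]]):
            flagged.setdefault(e["actor"], []).append((e["action"], desc))
    return {actor: hits for actor, hits in flagged.items() if len(hits) >= min_hits}
```

On the sample data only `alice` is flagged: three persistence/collection actions within minutes of a login, while `bob`'s key addition happens far outside the window.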
GitHub said it has taken steps to reset passwords and remove maliciously added credentials for impacted users, alongside notifying those affected and suspending the actor-controlled accounts. It did not disclose the scale of the attack.
The company is further urging organizations to consider using phishing-resistant hardware security keys to prevent such attacks.
The latest phishing attack comes a little over five months after GitHub suffered a highly targeted campaign that resulted in the abuse of third-party OAuth user tokens maintained by Heroku and Travis CI to download private repositories.
GitHub has warned that its users are being targeted by a phishing attack in which attackers impersonate the CircleCI DevOps platform and send fraudulent emails luring users into entering their GitHub credentials and 2FA codes. The attack affected multiple victim organizations, but accounts protected by hardware security keys were not affected. GitHub has taken steps to reset passwords and notify affected users. Users are advised to use phishing-resistant hardware security keys to strengthen account security.



