
Overview

In late 2022 and early 2023, organisations including Okta, Atom and Slack were victims of code repository breaches via their respective GitHub accounts. Both Okta and Slack stated that the breaches impacted only a limited number of code repositories and that no customer data was compromised.

In August 2022, LastPass reported a similar breach resulting in the loss of code repositories. At the time, LastPass reported that no customer data was lost as a result of the attack and that no further action was required. However, in December 2022, LastPass reported that code stolen in the initial attack had been exploited by an unknown threat actor to gain initial access to their cloud-based storage services. According to their CEO, Karim Toubba, these storage services “contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service”.

Impact

Drawing a comparison to the SolarWinds Orion platform, which was notoriously compromised in December 2020, all three organisations that were recently compromised appear to be lucrative targets for threat actors. If the stolen code is exploited, there remains the potential for a threat actor to move laterally into third-party environments, with significant security ramifications. Whilst this worst-case scenario is a hypothesis at the present time, there is a realistic possibility that a well-resourced threat actor, given enough time, may be able to identify exploitable weaknesses within the code to further their goal of a significant compromise.

Affected Organisations

– Slack
– Okta
– Atom
– LastPass
– GoTo (formerly LogMeIn)

Containment, Mitigations & Remediations

Based on the information presented, it is recommended that organisations using the platforms mentioned above implement the relevant security measures, where possible, to reduce the damage caused by potential future attacks. General steps to follow include:

– Issuing password changes to those who use the compromised services
– Implementing multi-factor authentication (MFA)
– Configuring administrator permissions in line with the principle of least privilege

More specifically, it is recommended that users refer to the security advisories released by the associated vendors for further details. These advisories have been outlined below:

Atom Advisory
LastPass Advisory
Slack Advisory
Okta Advisory

Indicators of Compromise

No specific Indicators of Compromise (IoC) are available at this time.

Threat Landscape

The reported trends indicate that the same threat actor or threat groups were involved in both LastPass compromises, and the goal of the initial attack was to provide a foothold for future campaigns. Despite the reported minimal impact of the attacks against both Okta and Slack, the most recent LastPass incident has highlighted the potential for further exploitation.

Based on the prolonged time period between the LastPass breaches, the threat actor behind the attack seems prepared to invest considerable resources in the search for exploitable vulnerabilities within the stolen code repositories. Furthermore, given the similar behaviour across all three reported instances, there is a realistic possibility that they share the same threat actor or that the threat actors involved are collaborating in their attack efforts.

Threat Group

Although significant threat actor trends have been documented, at the time of writing no attribution to specific threat actors or groups has been made for the code repository breaches reported on here.

Mitre Methodologies

Initial Access:

T1078.004 – Valid Accounts: Cloud Accounts
T1133 – External Remote Services

Persistence:

T1078 – Valid Accounts

Credential Access:

T1003 – OS Credential Dumping
T1110 – Brute Force
T1555 – Credentials from Password Stores

Further Information

Ars Technica Article
Tech Crunch Article
Slack Press Release
Ghacks Article
LastPass Blog