Threat actors targeted GitHub users with a phishing campaign impersonating CircleCI to harvest credentials and 2FA codes, affecting many organizations even though GitHub itself was not breached. Attackers leverage stolen credentials to persist, access private repos, and exfiltrate data using compromised accounts across organizations. #CircleCI #GitHub #2FA #PAT #OAuth #SSHKeys
Keypoints
- Phishing campaign impersonated CircleCI to harvest GitHub credentials and TOTP-based 2FA codes.
- After credential theft, attackers may quickly create personal access tokens, authorize OAuth apps, or add SSH keys to preserve access.
- Compromised accounts are used to immediately download private repository contents, including organization-owned repos.
- Attackers employ VPNs or proxy services to download data via compromised accounts, aiding evasion.
- If an account has organization management, attackers may create new user accounts and add them to an organization for persistence.
- Known phishing domains used in the campaign include circle-ci[.]com, emails-circleci[.]com, circle-cl[.]com, email-circleci[.]com, and links-circleci[.]com.
- GitHub responded by resetting passwords, removing attacker-added credentials, suspending identified accounts, and advising customers on phishing defenses.
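A defender-side triage script, added here as an example (it is not from the GitHub post): it replays constructed audit-log entries and flags accounts that add an SSH key, OAuth grant or organization member and then bulk-download repositories shortly afterwards, the sequence described in the Keypoints. The action names are my assumptions based on GitHub's audit log documentation; verify them against the current docs before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Audit-log actions matching the post-compromise steps described in the Keypoints.
# Action names are assumed from GitHub's audit log documentation; confirm them.
PERSIST_ACTIONS = {"public_key.create", "oauth_authorization.create", "org.add_member"}
DOWNLOAD_ACTION = "repo.download_zip"

# Constructed sample audit-log entries (not real data): one benign developer,
# one account showing the phishing-campaign pattern.
SAMPLE_LOG = """
{"actor":"dev-alice","action":"repo.download_zip","repo":"acme/web","created_at":"2022-09-20T09:00:00Z","actor_ip":"198.51.100.7"}
{"actor":"dev-bob","action":"public_key.create","created_at":"2022-09-20T10:00:00Z","actor_ip":"203.0.113.9"}
{"actor":"dev-bob","action":"repo.download_zip","repo":"acme/billing","created_at":"2022-09-20T10:03:00Z","actor_ip":"203.0.113.9"}
{"actor":"dev-bob","action":"repo.download_zip","repo":"acme/infra","created_at":"2022-09-20T10:04:00Z","actor_ip":"203.0.113.9"}
{"actor":"dev-bob","action":"repo.download_zip","repo":"acme/secrets","created_at":"2022-09-20T10:05:00Z","actor_ip":"203.0.113.9"}
{"actor":"dev-bob","action":"org.add_member","user":"ci-helper-2","created_at":"2022-09-20T10:09:00Z","actor_ip":"203.0.113.9"}
"""

def parse_log(text):
    """Parse newline-delimited JSON audit entries and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_actors(events, window=timedelta(minutes=15), min_downloads=3):
    """Flag actors that add a credential or member and then download at least
    `min_downloads` repositories within `window` of that first persistence step.
    Returns {actor: {"persistence": [actions], "downloads": [repos]}}."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        persist = [e for e in evs if e["action"] in PERSIST_ACTIONS]
        if not persist:
            continue
        t0 = persist[0]["ts"]
        downloads = [e["repo"] for e in evs
                     if e["action"] == DOWNLOAD_ACTION and t0 <= e["ts"] <= t0 + window]
        if len(downloads) >= min_downloads:
            flagged[actor] = {"persistence": sorted({e["action"] for e in persist}),
                              "downloads": downloads}
    return flagged

if __name__ == "__main__":
    print(find_suspicious_actors(parse_log(SAMPLE_LOG)))
```

On the constructed log only dev-bob is flagged; in practice, pair the hit with the `actor_ip` field to spot the VPN or proxy egress the post describes.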
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – The threat actor uses phishing messages linked to a site impersonating legitimate services to harvest credentials and 2FA codes. “Clicking the link takes the user to a phishing site that looks like the GitHub login page but steals any credentials entered. For users with TOTP-based two-factor authentication (2FA) enabled, the phishing site also relays any TOTP codes to the threat actor and GitHub in real time”
- [T1136] Create Account – With organization management permissions, the threat actor may create new GitHub user accounts and add them to an organization for persistence; the PAT, OAuth app and SSH key additions noted in the Keypoints fall under Account Manipulation (T1098) rather than account creation. “If a compromised account has organization management permissions, the threat actor may create new GitHub user accounts and add them to an organization in an effort to establish persistence.”
- [T1078] Valid Accounts – Stolen credentials enable ongoing access and actions across victim organizations and repos. “If the threat actor steals GitHub user account credentials, they may quickly create PATs… and add SSH keys to the account”
- [T1213.003] Data from Information Repositories: Code Repositories – The attacker downloads private repository contents accessible to the compromised user, including those owned by organization accounts. “the threat actor immediately downloads private repository contents accessible to the compromised user”
- [T1090] Proxy – The threat actor uses VPN or proxy providers to download private repository data via compromised user accounts. “The threat actor uses VPN or proxy providers to download private repository data via compromised user accounts.”
Indicators of Compromise
- [Domain] Phishing domains – circle-ci[.]com, emails-circleci[.]com, circle-cl[.]com, email-circleci[.]com, links-circleci[.]com
Read more: https://github.blog/2022-09-21-security-alert-new-phishing-campaign-targets-github-users/