Coordinated GitHub API enumeration and access token abuse

Coordinated GitHub API enumeration and access token abuse
Datadog Security Research observed overlapping campaigns abusing the GitHub API to enumerate organizations, repositories, and user accounts using ghost accounts, compromised OAuth tokens, and personal access tokens. In rare cases, the activity moved beyond reconnaissance to confirmed private repository access and cloning, with indicators tied to suspicious user agents and hosting on 3xK Tech and cherryservers. #GitHub #GhostAccounts #GitHub-Commit-Fetcher #repo-dumper #3xKTech #cherryservers

Keypoints

  • Datadog tracked sustained GitHub API abuse aimed at mapping organizations, members, repositories, and related public data.
  • The activity was carried out by a mix of custom scraper tools, stolen credentials, and coordinated networks of dormant “ghost” accounts.
  • More than 50 ghost accounts were confirmed, with naming patterns such as amazon-data-*, BirdWithDreams, BirdWithPlan, and the *-orb family.
  • Attackers used user agents that mimicked legitimate tools or data-analysis traffic, including GitHub-Company-Scraper, GitHub-Scraper-Tool/1.0, and GitHubAnalytics/1.5.
  • One campaign used compromised OAuth tokens and PATs with a versioned set of user agents, and it targeted private repository commit paths.
  • In at least one case, repo-dumper succeeded in accessing a private repository, with audit logs showing git.clone and api.request activity.
  • Defenders are advised to hunt for anomalous user agents, token types, source ASN, and private-resource access in GitHub audit logs.

MITRE Techniques

  • [T1593.001 ] Gather Victim Identity Information: Social Media – The actors enumerated GitHub organizations and user relationships to map members and connections (‘listing an organization’s public repositories, walking a user’s followers and following lists’).
  • [T1590.005 ] Gather Victim Network Information: IP Addresses – The article notes source ASN/IP-related hunting as a detection field and private-resource access logs that capture the IP address (‘watching the right fields, such as user agent, token type, source ASN’).
  • [T1213 ] Data from Information Repositories – The campaigns scraped public repositories, gists, starred repos, org memberships, and GraphQL objects to collect data (‘enumerating organizations, repositories, and user accounts through the GitHub API’).
  • [T1078.004 ] Valid Accounts: Cloud Accounts – Attackers abused compromised OAuth tokens and PATs from legitimate GitHub users to authenticate (‘using stolen tokens across a versioned progression of user agents’).
  • [T1114 ] Email Collection – Not mentioned.
  • [T1539 ] Steal Web Session Cookie – Not mentioned.
  • [T1105 ] Ingress Tool Transfer – The user agent repo-dumper and git.clone behavior indicate tooling used to retrieve private repository content (‘repo-dumper successfully took actions inside a private repository’).
  • [T1567.002 ] Exfiltration to Cloud Storage – The article describes exfiltration from private repos via git.clone/api.request, but no cloud storage destination is specified (‘the audit log captured the exfiltration through a mix of git.clone and api.request events’).

Indicators of Compromise

  • [User agent ] Suspicious scraping and fetch tooling used for GitHub enumeration – gha-injection-scanner/1.0, GitHub-Commit-Fetcher/1.4, and other N versions
  • [User agent ] Legitimate-sounding blending user agents observed in API traffic – GitHubAnalytics/1.5, GitHubDashboard/1.8, and other dashboard/insights variants
  • [User agent ] Private-repository access tooling – repo-dumper, githarvester/1.0, and GitHub-Repo-Crawler/1.0
  • [Hosting provider ] Infrastructure associated with the campaigns – 3xktech[.]cloud, cherryservers[.]com
  • [Route ] Public org/user enumeration endpoints – /graphql, /organizations/:organization_id/repos, and other user/org listing routes
  • [Access token type ] Compromised credentials used in authenticated requests – OAuth tokens, Personal access token (classic), and Fine-grained personal access token
  • [Actor/account naming ] Ghost account families used in scraping – amazon-data-*, BirdWithDreams, and the *-orb family


Read more: https://securitylabs.datadoghq.com/articles/coordinated-github-api-enumeration/