GitHub has issued an urgent warning to users of its Desktop for Mac and Atom text editor applications after an unauthorised actor broke into its systems, potentially gaining access to some of its development and release planning repositories, and stole two encrypted DigiCert code-signing certificates used for Windows and one Apple Developer ID certificate.
GitHub apparently became aware of the attack on 7 December 2022, but has waited almost two months to go public pending a thorough investigation, which has found “no risk” to GitHub services as a result, and no unauthorised changes made.
“On 6 December 2022, repositories from our Atom, Desktop and other deprecated GitHub-owned organisations were cloned by a compromised personal access token (PAT) associated with a machine account,” the organisation said in a statement.
“Once detected on 7 December 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.
“However, several encrypted code-signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.”
As such, Mac users of Desktop versions 3.1.2, 3.1.1, 3.1.0, 3.0.8, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3 and 3.0.2 must update by 2 February 2023 – there is no impact on Windows users. Meanwhile, versions 1.63.1 and 1.63.0 of Atom will also stop working on 2 February – to keep using it, users will need to roll back to a previous version.
By that date, said GitHub, both of the DigiCert certificates will have expired and so could no longer be used to sign code anyway, but the Apple certificate remains valid until 2027, so GitHub has been working with Apple to monitor any executables signed with it until it is revoked.
Code-signing certificates such as the three stolen in December are important because they prove that code was produced by the named publisher. While their theft does not put existing installations of Desktop and Atom at risk, if the thief was able to decrypt them, they could sign their own applications – such as malware – with these certificates and pass them off as official GitHub applications.
“The security and trustworthiness of GitHub and the broader developer ecosystem is our highest priority. We recommend users take action on the above recommendations to continue using GitHub Desktop and Atom,” said the organisation.
Kevin Bocek, vice-president of security strategy and threat intelligence at machine identity management specialist Venafi, commented: “GitHub is hugely valuable for developers: over 100 million developers use the platform, and the Fortune 500 and every major software developer from Microsoft to Google rely on it. It’s no surprise that it’s become a focus point for attackers too.
“In the wrong hands, these machine identities could be used to pose as trusted, enabling an attacker to sign and send malicious content that will be authenticated by other machines as coming from GitHub. This is the powerful weapon that can enable supply chain attacks on other software developers and unknown possible subsequent (or past) attacks.”
Bocek said GitHub’s experience demonstrated how easily and unwittingly fast-moving engineering teams can open up new opportunities for attack, and stressed that this incident in particular showed how machine identity management is becoming a must-have.
“Code-signing machine identities can’t be left unguarded with constant observability and control; the ability to rapidly find and reissue machine identities is impossible to do manually,” he said.
“To protect against events such as these, which are becoming increasingly common, security engineering teams must deploy a control plane for automating machine identity management. By doing so, they continuously protect machine identities from theft and avoid manual rotation, replacement and revocation that slows down engineering teams and leads to shortcuts that create breaches.”
Sectigo senior vice-president Jason Soroko added: “Automation of certificate lifecycle management – including revocation – is key. Executives lack the visibility to properly govern certificates in their enterprise. When certificates are managed and configured manually, they can slip through the cracks, leaving enterprises vulnerable to outages or cyber attacks. An automated certificate lifecycle management (CLM) platform ensures certificates are renewed or revoked when they need to be, avoiding loss of revenue and reputation.”