EXECUTIVE SUMMARY
A coordinated, automated supply chain attack, codenamed Megalodon, has targeted GitHub repositories, compromising over 5,500 repositories in less than six hours. The attackers, using throwaway accounts with randomized usernames, forged author identities and pushed malicious CI/CD backdoors to repositories. The campaign's goal is data theft: the backdoors steal sensitive information, including cloud credentials, API keys, and SSH private keys. The attackers' ultimate aim is to disrupt organisations by leveraging the stolen credentials to gain access to cloud resources, enabling further exploitation and data theft.
The malware infects systems through GitHub Actions, the service used to automate software builds and deployments. The attackers inject malicious workflow files that are triggered by every push and pull request. The backdoors are designed to be stealthy: they request elevated permissions yet produce zero visible CI runs. Once triggered, the base64-encoded bash payload carries out aggressive credential harvesting, targeting AWS, GCP, Azure, and other cloud services.
The attackers maintain control through a C2 server that receives the stolen credentials and other sensitive information. The attack chain from infection to impact is designed to be seamless, combining social engineering with technical exploitation. The Megalodon attack is significant because it highlights how easily attackers can compromise supply chains and steal sensitive information. It is particularly difficult to detect because it uses legitimate GitHub Actions workflows, making malicious activity hard to distinguish from legitimate activity. Organisations should take immediate action to protect themselves, including auditing all .github/workflows/ files, rotating sensitive secrets, and implementing workflow approval gates for pull requests. These steps reduce the risk of a similar attack and protect sensitive information.
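As an added example (not code from the report or any tool it names), the following Python audit flags the traits described above in a repository's .github/workflows/ files: unrestricted push/pull_request triggers, elevated permissions, base64 decoded straight into a shell, and access to cloud or SSH credential stores. The heuristic names, regular expressions and the two sample workflows are this example's own assumptions.

```python
import re
from pathlib import Path

# Heuristics for the traits the advisory describes. Names and patterns are
# assumptions made for this example, not indicators published in the report.
CHECKS = {
    "unrestricted_trigger": re.compile(
        r"^on:\s*(?:\[[^\]]*\b(?:push|pull_request(?:_target)?)\b[^\]]*\]"
        r"|(?:push|pull_request(?:_target)?)\s*$)", re.M),
    "elevated_permissions": re.compile(
        r"^\s*permissions:\s*write-all\b"
        r"|^\s+(?:contents|id-token|packages|actions):\s*write\b", re.M),
    "base64_to_shell": re.compile(
        r"base64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba|z)?sh\b"),
    "credential_store_access": re.compile(
        r"(?:~|\$HOME)/\.(?:aws|ssh|azure|config/gcloud)\b"),
}

def audit_workflow(text: str) -> list[str]:
    """Return the names of every heuristic that fires on one workflow file."""
    return [name for name, rx in CHECKS.items() if rx.search(text)]

def audit_repo(root: Path) -> dict[str, list[str]]:
    """Audit every .yml/.yaml under .github/workflows/; result keyed by filename."""
    files = sorted((root / ".github" / "workflows").glob("*.y*ml"))
    hits = {p.name: audit_workflow(p.read_text(errors="replace")) for p in files}
    return {name: found for name, found in hits.items() if found}

# Constructed sample workflows (not taken from the report) to exercise the checks.
SUSPICIOUS = """\
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "$PAYLOAD" | base64 -d | bash
      - run: ls -la ~/.aws ~/.ssh"""
BENIGN = """\
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: make test"""
```

Run `audit_repo(Path("."))` from a checkout to list the workflow files that match, then review each hit by hand, since the patterns are deliberately broad and will also flag some legitimate workflows.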
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Persistence | T1136.003 | Create Account | Cloud Account |
| Defense Evasion | T1036.001 | Masquerading | Invalid Code Signature |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1083 | File and Directory Discovery | — |
REFERENCES:
The following report contains further technical details:
https://cybersecuritynews.com/megalodon-malware-github-repos/