Code-Signing Certificate Theft

GitHub states that hackers gained access to its code repositories and stole code-signing certificates for two of its desktop apps, Desktop and Atom. Although the attackers exfiltrated a set of encrypted code-signing certificates, these were password-protected, so there is no possibility of malicious use.

GitHub revealed that on 7 December 2022, hackers gained unauthorized access to several of its code repositories and stole code-signing certificates for two of its desktop apps, Atom and Desktop. The repositories were used in the planning and development of these applications.

A further probe led to the conclusion that GitHub’s services were not at risk and that no unauthorized changes had been made to these projects.

The repositories were cloned one day earlier using a compromised personal access token (PAT) associated with a machine account. GitHub did not reveal how the token was compromised. GitHub stated in a blog post: “Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.”

GitHub has decided to revoke the exposed certificates used for the Atom and Desktop applications. The revocations will take effect this Thursday and will prevent some affected versions of these apps from working. Revoking these certificates will render some versions of GitHub Desktop for Mac and Atom invalid; however, current versions of Desktop and Atom are unaffected by this theft.

For your information, code-signing certificates place a cryptographic stamp on the code to verify that the named organization, here GitHub, produced it. If the stolen certificates were decrypted, they would allow an attacker to sign a tampered, unofficial version of the app and pass it off as an official update from GitHub.
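To make the two outcomes above concrete, here is an added Go example (not GitHub's code) of what a client performing signature verification does. It models a certificate as a public key plus a serial number (a simplification; the serial and artifact bytes are constructed), signs a release with ed25519, and shows that a tampered artifact fails verification while a genuine old build is rejected once its certificate is on the revocation list.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// SigningCert is a simplified stand-in for a code-signing certificate: a public key
// plus a serial number that a revocation list can name.
type SigningCert struct {
	Serial string
	Pub    ed25519.PublicKey
}

// Release is a shipped artifact, its signature, and the serial of the signing cert.
type Release struct {
	Artifact, Signature []byte
	Serial              string
}

var (
	ErrUnknownCert = errors.New("unknown signing certificate")
	ErrTampered    = errors.New("signature does not match artifact")
	ErrRevoked     = errors.New("signing certificate has been revoked")
)

// SignRelease is the publisher-side step a release workflow performs with the
// decrypted signing key (ed25519 hashes the artifact internally).
func SignRelease(priv ed25519.PrivateKey, cert SigningCert, artifact []byte) Release {
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, artifact), Serial: cert.Serial}
}

// VerifyRelease is the client-side check: a valid signature under a trusted cert
// that has not been revoked. Revocation rejects old builds even though their
// signatures still verify, which is why the listed versions stop working.
func VerifyRelease(r Release, trusted map[string]SigningCert, revoked map[string]bool) error {
	cert, ok := trusted[r.Serial]
	if !ok {
		return ErrUnknownCert
	}
	if !ed25519.Verify(cert.Pub, r.Artifact, r.Signature) {
		return ErrTampered // bytes changed, or signed with a key that is not this cert's
	}
	if revoked[r.Serial] {
		return ErrRevoked
	}
	return nil
}
```

Generate a key pair with ed25519.GenerateKey(nil), sign a sample artifact, then call VerifyRelease before and after adding the serial to the revoked map to see both failure modes.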

Affected apps include the following versions of GitHub Desktop for Mac:

  • 1.2
  • 1.1
  • 1.0
  • 0.8
  • 0.7
  • 0.6
  • 0.5
  • 0.4
  • 0.3
  • 0.2

The following versions of GitHub Atom are affected:

  • 63.1
  • 63.0

It is worth noting that GitHub Desktop for Windows is not affected by this credential theft.  On 4 January 2023, GitHub published a new version of its Desktop app, which was signed with new certificates that weren’t exposed to the attacker(s).  GitHub Desktop users should upgrade to the latest version.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941


Source: https://www.hackread.com/github-code-signing-certificate-breach/
