Checkmarx Post-Data Breach Security Remediation and GitHub Hardening Guide

Learn how to protect your GitHub repositories, rotate keys, and increase security after the Checkmarx data leak.

Introduction

Checkmarx has confirmed that data stolen from private GitHub repositories by the LAPSUS$ threat actors was leaked. This incident once again demonstrates how critical software supply chain security and source code protection are. This article discusses, from a technical perspective, the steps that should be taken in the event of a similar leak or to improve overall GitHub security.

Problem Description

Threat actors often infiltrate private repositories through credential theft or poor access management. Leaked data usually includes API keys, certificates, database connection strings and configuration files. Disclosure of this data can enable the takeover of systems or a larger-scale attack.

Solution Steps

  1. Revoke Access Tokens: Immediately revoke all Personal Access Tokens (PATs) and SSH keys registered on GitHub.
  2. Rotate Credentials: Change all database passwords, API keys and other secrets that appear in the code.
  3. Audit Logs: Check the GitHub Audit Log for suspicious IP addresses and access times.
  4. Enforce Two-Factor Authentication (2FA): Require 2FA for all users in your organization.

Commands and Security Controls

You can use the following commands to list and manage your existing access keys using the GitHub CLI:

# List existing SSH keys
gh ssh-key list

# To delete a suspicious key
gh ssh-key delete [KEY_ID]

# To query the organization audit log (replace {org} with your organization name)
gh api /orgs/{org}/audit-log

Warning: You may need to rewrite past commit history with a tool such as 'git-filter-repo' to remove secrets already committed to your codebase. Simply making a new commit that deletes them does not remove the data from the history.

Preventive Measures

To prevent future leaks, enable the 'Secret Scanning' feature and use tools that scan for hard-coded data in the code. Additionally, restrict user access according to the principle of 'Least Privilege'.
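As an added example that is not Checkmarx's or GitHub's own tooling, the following small scanner locates hard-coded credentials of the kinds named above (tokens, cloud keys, connection strings with passwords, private keys) so they can be rotated and revoked; the pattern set is a deliberately small illustrative subset, and the sample configuration file is constructed with fake values.

```python
"""Scan source text for hard-coded credentials that must be rotated.

Added example, not Checkmarx or GitHub tooling. The rule set below is a
small illustrative subset; real secret scanners carry far more patterns.
"""
import re
from typing import List, Tuple

# (rule name, compiled pattern). Token formats follow public documentation.
PATTERNS = [
    ("github_pat_classic", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # scheme://user:password@host ... catches database connection strings
    ("url_with_password", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@")),
]


def redact(secret: str) -> str:
    """Keep just enough of a match to identify it; never log the full value."""
    return secret if len(secret) <= 8 else secret[:4] + "..." + secret[-2:]


def scan_text(text: str, path: str = "<memory>") -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, rule, redacted_match) for every hit, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((path, line_no, rule, redact(match.group(0))))
    return findings


# Constructed sample resembling a leaked config file; every value is fake.
SAMPLE = """\
[github]
token = ghp_0123456789abcdefghijABCDEFGHIJ012345
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
[db]
url = postgres://app:hunter2@db.internal:5432/prod
[tls]
key = -----BEGIN RSA PRIVATE KEY-----
note = ghp_short is not a token
"""

if __name__ == "__main__":
    for path, line_no, rule, shown in scan_text(SAMPLE, "config.ini"):
        print(f"{path}:{line_no}: {rule}: {shown} -> rotate and revoke")
```

Every finding is a credential to treat as compromised: rotate it at the issuing service, then purge it from history as described in the warning above.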
