The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has released a high-status alert around the increased targeting of online code repositories.
According to the alert, threat actors have been observed gaining access to online code repositories through phishing/vishing; social engineering; compromised credentials; compromised authentication tokens; and infected software packages.
Once threat actors have gained access to privileged systems and accounts, the ASD's ACSC said, a number of follow-on activities have been observed.
These include running open-source tools to scan for cryptographic secrets, passwords and sensitive keys stored in online code repositories; extracting and leaking identified credentials publicly; migrating private repositories to public repositories; and modifying public packages to initiate supply-chain compromises.
Threat actors have been observed abusing legitimate tooling and functions to achieve these results, rather than bespoke tooling.
"The risk of exposed code bases can allow actors a better understanding of internal processes and systems, increasing an organisation’s attack surface and enabling future, novel attacks," the alert advised.
Avocado Consulting urges action
Avocado Consulting's Dennis Baltazar, principal of cloud and DevSecOps solutions, urged Australian organisations to take practical steps to harden their software supply chains.
“Code repositories are under active attack,” he said.
“What’s significant here is not just attacker capability but attacker tradecraft. This wave of repository targeting blends social engineering with living-off-the-land (LOTL) techniques, abusing legitimate tools and workflows so malicious activity looks like business as usual.
"Attackers don’t need bespoke malware when pipelines are already paved for them."
Baltazar said that secrets sprawl, secrets scattered across multiple vaults and tools, is a key risk, and advised immediate audits to identify and remediate unmanaged privileged and non-human accounts before they become pathways to lateral movement.
In response to the alert, Avocado recommends eliminating secrets from code and pipelines: making secret detection and push protection the default; rotating tokens; enforcing short-lived, scoped credentials; and validating every dependency by default by pinning versions and integrity hashes, checking provenance, and blocking unverified sources in CI/CD.
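As an added illustration of the "secret detection and push protection by default" recommendation (this is example code, not code from the ASD's ACSC alert or from Avocado Consulting), the following Python scans only the lines a push would add and returns the decision a pre-receive hook would make. The token formats, the entropy threshold and the sample diff are assumptions constructed for the example.

```python
"""Push-protection style secret scan over a unified diff.

Added example; not code from the ASD's ACSC alert or from Avocado Consulting.
It scans only the lines a push would ADD (the '+' lines of a unified diff),
which is the point at which a pre-receive hook can still reject the change.
Once a credential reaches history, rotation is the only remedy left.
Token formats, thresholds and the sample diff are assumptions or constructed.
"""
import math
import re
from dataclasses import dataclass

# Credential shapes with a recognisable prefix. AKIA (AWS access key IDs) and
# ghp_ (GitHub personal access tokens) are documented prefixes; the fixed
# lengths used here are assumptions for this example.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "name = value" where the name suggests a secret and the value is a
# literal. A value read from os.environ or a vault client will not match,
# because '.' and '[' are outside the value character class.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{12,})")

# Bits per character above which a literal is treated as machine-generated.
# 3.5 is an assumed tuning value; random API tokens usually sit above 4.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    kind: str      # which rule fired
    line_no: int   # 1-based line within the diff text
    snippet: str   # the offending added line, for the rejection message


def scan_added_lines(diff_text):
    """Return a Finding for every added line that looks like a secret."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        # Only '+' lines are new content; '+++' is the file header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for kind, pattern in KNOWN_PATTERNS.items():
            if pattern.search(body):
                findings.append(Finding(kind, line_no, body.strip()))
        m = ASSIGNMENT.search(body)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high_entropy_assignment", line_no, body.strip()))
    return findings


def should_block_push(diff_text):
    """Decision a pre-receive hook would make: any finding rejects the push."""
    return bool(scan_added_lines(diff_text))


# Constructed sample diff: the documented AWS example key ID, one safe read
# from the environment (not flagged), and one random-looking token literal.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+db_token = os.environ["DB_TOKEN"]
+api_token = "q8Zr3kP0vL9mX2sWbT7yN4cH6jF1dG5e"
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
    print("reject push" if should_block_push(SAMPLE_DIFF) else "allow push")
```

Two caveats a practitioner would want: the entropy rule deliberately misses short, human-chosen passwords, so push protection complements rather than replaces moving secrets into a vault; and anything already committed before the hook went in must still be found and rotated, because blocking the next push does nothing for history.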
Avocado also recommended observing the SDLC like production: baselining normal developer and CI/CD activity and alerting on anomalies, so that living-off-the-land (LOTL) tactics are detected early.
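As an added example of that baseline-and-alert approach (example code, not from the ASD's ACSC alert or from Avocado Consulting), the following Python learns each account's normal read breadth and source addresses from an audit log, then flags the patterns the alert describes: a token sweeping many repositories at once, a private repository flipped to public, and a non-human account used from an address never seen before. The event schema, field names and every sample line are constructed for this example; real platform audit logs use their own formats.

```python
"""Baseline-and-alert detection over repository audit events.

Added example; not code from the ASD's ACSC alert or from Avocado Consulting.
The event schema, field names and all sample lines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
READ_ACTIONS = {"git.clone", "git.fetch"}


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def max_distinct_repos(actor_events, window=WINDOW):
    """Largest number of distinct repos one actor read inside any window."""
    reads = [e for e in actor_events if e["action"] in READ_ACTIONS]
    best = 0
    for i, e in enumerate(reads):
        start = e["ts"] - window
        repos = {x["repo"] for x in reads[: i + 1] if x["ts"] >= start}
        best = max(best, len(repos))
    return best


def group_by_actor(events):
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    return by_actor


def build_baseline(events):
    """Per actor: normal read breadth per window and the set of source IPs."""
    return {
        actor: {"max_repos": max_distinct_repos(evs),
                "src_ips": {e["src_ip"] for e in evs}}
        for actor, evs in group_by_actor(events).items()
    }


def detect(events, baseline, burst_factor=3, min_repos=5):
    """Return (kind, actor, detail) alerts for events that break the baseline."""
    alerts = []
    for e in events:
        if e["action"] == "repo.visibility_change" and e.get("to") == "public":
            alerts.append(("repo_made_public", e["actor"], e["repo"]))
    for actor, evs in group_by_actor(events).items():
        base = baseline.get(actor, {"max_repos": 0, "src_ips": set()})
        # Unknown actors get the floor; known actors get a multiple of their
        # own normal breadth, so a busy CI bot is not flagged for being busy.
        threshold = max(min_repos, burst_factor * base["max_repos"])
        seen = max_distinct_repos(evs)
        if seen > threshold:
            alerts.append(("mass_repo_read", actor,
                           f"{seen} distinct repos within {WINDOW} (threshold {threshold})"))
        for ip in sorted({e["src_ip"] for e in evs} - base["src_ips"]):
            alerts.append(("new_source_ip", actor, ip))
    return alerts


# Constructed baseline: a CI token reads two repos from the build network and
# a developer fetches one repo from her usual address.
BASELINE_LOG = """
{"ts": "2025-01-06T09:00:00", "actor": "ci-bot", "action": "git.clone", "repo": "app", "src_ip": "10.0.0.5"}
{"ts": "2025-01-06T09:05:00", "actor": "ci-bot", "action": "git.clone", "repo": "infra", "src_ip": "10.0.0.5"}
{"ts": "2025-01-06T10:00:00", "actor": "ci-bot", "action": "git.clone", "repo": "app", "src_ip": "10.0.0.5"}
{"ts": "2025-01-06T09:30:00", "actor": "alice", "action": "git.fetch", "repo": "app", "src_ip": "203.0.113.7"}
"""

# Constructed incident: the CI token, now used from an unfamiliar address,
# clones eight repos in seven minutes (what a secret-scanning sweep looks
# like), and alice's account flips a private repo to public.
INCIDENT_LOG = """
{"ts": "2025-01-07T14:00:00", "actor": "ci-bot", "action": "git.clone", "repo": "app", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:01:00", "actor": "ci-bot", "action": "git.clone", "repo": "infra", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:02:00", "actor": "ci-bot", "action": "git.clone", "repo": "billing", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:03:00", "actor": "ci-bot", "action": "git.clone", "repo": "auth", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:04:00", "actor": "ci-bot", "action": "git.clone", "repo": "payments", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:05:00", "actor": "ci-bot", "action": "git.clone", "repo": "mobile", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:06:00", "actor": "ci-bot", "action": "git.clone", "repo": "data", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:07:00", "actor": "ci-bot", "action": "git.clone", "repo": "ops", "src_ip": "198.51.100.23"}
{"ts": "2025-01-07T14:30:00", "actor": "alice", "action": "repo.visibility_change", "repo": "billing", "to": "public", "src_ip": "203.0.113.7"}
"""


def run_example():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect(parse_events(INCIDENT_LOG), baseline)


if __name__ == "__main__":
    for kind, actor, detail in run_example():
        print(f"ALERT {kind}: {actor}: {detail}")
```

Every event here is a legitimate platform operation performed with a valid token, which is what makes LOTL activity invisible to signature-based controls; only the comparison against the account's own history separates the sweep from a normal build. The thresholds are assumptions and would be tuned per account class (human developer versus CI token) in practice.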
“Leaders should ask two questions today: Do we know where secrets and privileged access still live in code, pipelines and SaaS integrations - and how fast can we rotate or remove them? And do we measure dependency integrity and anomalous pipeline behaviour with the same rigour we apply to production systems?” Baltazar said.
He said if these core questions are not understood and actioned, organisations may be at risk.
“Your code is more than just code - it’s your identity, your infrastructure, your business - it accesses your critical data," he said.
"Organisations should treat it like any other valuable asset by ensuring it is protected from vulnerabilities.
“The risks of not taking action are exposure of cryptographic keys and passwords; cloud-infrastructure compromise; identity theft and privilege escalation; and long-term reputational and operational damage.
“Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident."