Full Report
How attackers are leveraging compromised employee GitHub Personal Access Tokens to compromise cloud environments.
Analysis Summary
# Tool/Technique: Compromised GitHub PAT leading to Cloud Control Plane Access
## Overview
Attackers are leveraging compromised GitHub Personal Access Tokens (PATs), often obtained through code exposure, to pivot from code repositories into victim cloud environments by abusing the trust established through GitHub Actions workflows.
## Technical Details
- Type: Technique/Access Vector
- Platform: GitHub, Cloud Service Providers (CSPs like AWS, Azure, GCP via established integrations)
- Capabilities: Discovery of secrets names, creation and execution of malicious workflows, retrieval of CSP secrets, lateral movement across cloud environments.
- First Seen: Implied to be a recently observed/growing trend reported in incidents investigated by Wiz CIRT (December 2025 context implies recent activity).
## MITRE ATT&CK Mapping
This summary focuses on the techniques observed in the exploitation chain:
- **TA0001 - Initial Access**
- T1155 - Compromise Software Supply Chain (Leveraging a legitimate artifact—a PAT—as initial access point).
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.004 - Cloud Instance Metadata Service API (Implied goal to retrieve credentials stored in environment/secrets)
- **TA0006 - Credential Access**
- T1552 - Unsecured Credentials
- T1552.001 - Credentials in Files (Discovery of secret *names* in YAML workflow files).
- **TA0010 - Exfiltration**
- T1119 - Automated Collection (Automating the harvesting of secrets via workflow execution logs).
## Functionality
### Core Capabilities
- **Secret Name Discovery:** Using GitHub API code search (`/search/code?q=org:$GH_ORG_NAME $%7B%7B%20secrets."`) with the PAT to locate variables names like `${{ secrets.SECRET_NAME }}` embedded in workflow YAML files, even with basic `read` permissions.
- **Malicious Workflow Execution:** If the PAT possesses `write` permissions, attackers create malicious workflows and pull requests to trigger arbitrary code execution.
- **Result Retrieval:** Execution results, including retrieved secrets, are exfiltrated via the GitHub Action run logs.
### Advanced Features
- **Origin Impersonation:** Malicious code execution originates from GitHub-managed resources (GitHub-hosted Actions), using legitimate, shared IP addresses, which significantly obscures the true source of the attack.
- **Self-Hosted Runner Risk:** If self-hosted runners are targeted, the action gains access to data residing on the runner host resource.
- **Bypassing Auditing:** Active secret discovery via the search API calls were observed as *not being logged* at the time of the report, making detection difficult.
## Indicators of Compromise
The article focuses on *behavioral* and *API usage* indicators rather than static file/network IoCs related to the PAT itself, as the PAT is the initial access key.
- File Hashes: N/A (Technique focused)
- File Names: N/A (Technique focused)
- Registry Keys: N/A
- Network Indicators:
- API Call Structure: `https://api.github.com/search/code?q=org:$GH_ORG_NAME+%24%7B%7B%20secrets."` (Defanged example of the search query used for discovery).
- GitHub Action Exit Nodes: Access originating from documented GitHub Action CIDR ranges.
- Behavioral Indicators:
- Unauthenticated (or low-privilege, token-authenticated) GitHub API calls using code search functionality targeted at finding the string `${{ secrets.` across an organization's repositories.
- Creation of new, suspicious GitHub Workflows (`.github/workflows/*.yml`) that execute arbitrary commands.
- Subsequent fetching of GitHub Action run logs to retrieve output/secrets.
## Associated Threat Actors
The report details incidents investigated by the Wiz Customer Incident Response Team (Wiz CIRT). No specific named threat group was attributed to these tactics within the provided text snippet.
## Detection Methods
- Signature-based detection: Not highly effective for the discovery phase as it uses legitimate GitHub API endpoints.
- Behavioral detection: Monitoring for unusual API usage patterns, specifically code search queries targeting secret syntax (`${{ secrets.`). Monitoring for new/modified workflows triggered by high-value tokens.
- YARA rules: Not applicable for API-based abuse.
## Mitigation Strategies
- **PAT Management:** Treat PATs as high-value secrets. Apply the principle of least privilege (limiting tokens to only necessary scopes, preferably read-only if possible).
- **Secret Security:** Manage CSP credentials stored in GitHub Action Secrets with extreme caution and risk awareness.
- **API Monitoring:** Work with GitHub support to ensure API search calls relevant to secret discovery are adequately logged for auditing purposes (as they were not at the time of the report).
- **Runner Security:** Secure the configuration of self-hosted runners to prevent excessive access to the host operating system or environment.
## Related Tools/Techniques
- GitLab PAT abuse (The underlying process is applicable to GitLab as well).
- Exploitation of pre-configured CI/CD trust relationships.