GitHub IP allow list modified
Description
AlphaSOC detected that a GitHub IP allow list was modified. A GitHub IP allow list controls which IP addresses can access an organization's resources. Threat actors may modify it to bypass security controls that restrict access based on IP addresses.
Impact
Modification of IP allow lists can enable unauthorized access to sensitive repositories and organizational resources within the GitHub environment. This can lead to data exfiltration, code tampering, potential blocking of access to the system for legitimate users, or other malicious activities.
Severity
| Severity | Condition |
|---|---|
| Low | GitHub IP allow list modified |
Investigation and Remediation
Review GitHub audit logs to identify who made the IP allow list changes and verify whether these modifications were authorized. If unauthorized, revert the IP allow list to its previous state, rotate credentials for potentially compromised accounts, and conduct a thorough security audit for other signs of potential compromise.
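One way to carry out the audit log review described above, as an added example that is not AlphaSOC's or GitHub's own code: it filters an exported audit log for IP allow list actions, orders them by time, and flags any actor outside an approved list. It assumes each event carries the `action`, `actor` and `@timestamp` (epoch milliseconds) fields; `approved_actors` and the sample events are hypothetical.

```python
import json
from datetime import datetime, timezone

# Audit log actions GitHub records for IP allow list changes.
ALLOW_LIST_ACTIONS = {
    "ip_allow_list.enable", "ip_allow_list.disable",
    "ip_allow_list.enable_for_installed_apps",
    "ip_allow_list.disable_for_installed_apps",
    "ip_allow_list_entry.create", "ip_allow_list_entry.update",
    "ip_allow_list_entry.destroy",
}

def load_events(text):
    """Accept a JSON array or newline-delimited JSON; skip unparsable lines."""
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        events = []
        for line in text.splitlines():
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                continue  # truncated or non-JSON line in the export
        return events

def allow_list_changes(text, approved_actors):
    """Return allow list changes oldest first; flag actors not on the approved list."""
    rows = []
    for ev in load_events(text):
        if not isinstance(ev, dict) or ev.get("action") not in ALLOW_LIST_ACTIONS:
            continue
        ms = ev.get("@timestamp") or 0  # epoch milliseconds
        actor = ev.get("actor") or "<unknown>"
        when = datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
        rows.append((ms, {"time": when, "actor": actor, "action": ev["action"],
                          "needs_review": actor not in approved_actors}))
    return [row for _, row in sorted(rows, key=lambda pair: pair[0])]

# Constructed sample export, not real data; "alice" is a hypothetical approved admin.
SAMPLE = "\n".join([
    '{"@timestamp": 1700000000000, "action": "ip_allow_list_entry.create", "actor": "mallory"}',
    '{"@timestamp": 1699990000000, "action": "ip_allow_list.enable", "actor": "alice"}',
    '{"@timestamp": 1700000500000, "action": "repo.create", "actor": "bob"}',
    '{"@timestamp": 17000',
])

if __name__ == "__main__":
    for row in allow_list_changes(SAMPLE, approved_actors={"alice"}):
        print(row)
```

Rows with `needs_review` set to `True` are the changes to confirm with the account owner before deciding whether to revert the list.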