GitHub SSH key added by suspicious IP address
Description
AlphaSOC detected that an SSH key was added to a GitHub account from a suspicious IP address. Threat actors may add SSH keys to establish persistent access to repositories, enabling them to exfiltrate source code, inject malicious code, or access sensitive information stored in private repositories.
Impact
Addition of unauthorized SSH keys to GitHub accounts from suspicious IP addresses indicates potential compromise of the account. This may result in intellectual property theft, unauthorized code modifications, data exfiltration, or other malicious activities.
Severity
| Severity | Condition |
|---|---|
| High | GitHub SSH key added by suspicious IP address |
Investigation and Remediation
Examine GitHub audit logs to determine who added the SSH key and confirm whether this action was authorized. If unauthorized, revoke the suspicious SSH key and reset any secrets or credentials that may have been compromised. Conduct a comprehensive security audit of the environment to identify signs of compromise, focusing on all activities performed using the key, including repository access patterns, code commits, and configuration modifications. Additionally, consider implementing IP allowlisting policies to block future unauthorized access attempts from suspicious IP addresses.
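The first two investigation steps above (find who added the key and from where, then scope what that actor did afterwards) can be scripted against a GitHub audit log export. The following is an added example, not AlphaSOC's detection logic or GitHub's tooling: it parses newline-delimited JSON audit entries, flags `public_key.create` events whose `actor_ip` falls outside an assumed set of trusted networks, and lists the actor's follow-on actions so the key's use can be reviewed. The log lines, the trusted ranges and the actor names are constructed for the example; the field names follow GitHub's audit log export (`action`, `actor`, `actor_ip`, `created_at`).

```python
import ipaddress
import json

# Constructed sample of GitHub audit log entries as newline-delimited JSON.
# Field names follow the GitHub audit log export; the values are invented.
SAMPLE_AUDIT_LOG = """
{"action": "public_key.create", "actor": "dev-alice", "actor_ip": "10.20.30.40", "created_at": "2024-05-01T08:15:00Z"}
{"action": "repo.push", "actor": "dev-alice", "actor_ip": "10.20.30.40", "created_at": "2024-05-01T08:20:00Z"}
{"action": "public_key.create", "actor": "dev-bob", "actor_ip": "203.0.113.77", "created_at": "2024-05-01T23:41:00Z"}
{"action": "public_key.delete", "actor": "dev-bob", "actor_ip": "10.20.30.41", "created_at": "2024-05-02T09:00:00Z"}
"""

# Networks the organisation expects key management to come from (office or
# VPN egress). Assumed values for this example; replace with your own.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def parse_audit_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted_ip(ip_str, networks=TRUSTED_NETWORKS):
    """True if the address lies inside one of the trusted networks.

    A missing or malformed address is treated as untrusted, so an entry
    with no usable actor_ip is never silently accepted.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def find_suspicious_key_additions(entries, networks=TRUSTED_NETWORKS):
    """Return SSH key creation events that came from outside trusted ranges."""
    return [
        e for e in entries
        if e.get("action") == "public_key.create"
        and not is_trusted_ip(e.get("actor_ip", ""), networks)
    ]


def follow_on_activity(entries, actor, since):
    """Every action by the actor at or after the flagged key creation.

    Timestamps are compared as strings, which is safe because the export
    uses a fixed-width ISO 8601 UTC format.
    """
    return [
        e for e in entries
        if e.get("actor") == actor and e.get("created_at", "") >= since
    ]


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for hit in find_suspicious_key_additions(entries):
        print(f"ALERT: {hit['actor']} added an SSH key from {hit['actor_ip']} "
              f"at {hit['created_at']}")
        for e in follow_on_activity(entries, hit["actor"], hit["created_at"]):
            print(f"  {e['created_at']} {e['action']} from {e['actor_ip']}")
```

On the sample data this flags only dev-bob's key addition from 203.0.113.77 and then lists both of dev-bob's later actions, which is the scope an analyst would review before revoking the key and rotating any secrets that account could reach. The same allowlist used here for detection is the one an IP allowlisting policy would enforce preventively.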