Threat Actors Increasingly Abusing GitHub for Malicious Purposes


The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and to act as dead drop resolvers, command-and-control, and data exfiltration points.

“Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult,” Recorded Future said in a report shared with The Hacker News.

The cybersecurity firm described the approach as “living-off-trusted-sites” (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar.

Prominent among the methods by which GitHub is abused is payload delivery, with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.

While full-fledged C2 implementations in GitHub are uncommon compared to other infrastructure schemes, its use by threat actors as a dead drop resolver – whereby information in an actor-controlled GitHub repository is used to obtain the actual C2 URL – is far more prevalent, as evidenced in the case of malware like Drokbk and ShellBox.

Also rarely observed is the abuse of GitHub for data exfiltration, which, per Recorded Future, is likely due to file size and storage limitations and concerns around discoverability.

Outside of these four main schemes, the platform’s offerings are put to use in various other ways to meet infrastructure-related purposes. For instance, GitHub Pages have been used as phishing hosts or traffic redirectors, and some campaigns have used a GitHub repository as a backup C2 channel.

The development speaks to the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord being exploited by threat actors. This also includes other source code and version control platforms like GitLab, BitBucket, and Codeberg.

“There is no universal solution for GitHub abuse detection,” the company said. “A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others.”
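One way to turn the report's point about log availability and service usage patterns into a concrete check, as an added example that is not from the report or the article: it triages constructed proxy-log lines for raw GitHub content fetched by processes outside an assumed developer-tool allow-list, and for the near-constant polling interval that a dead drop resolver or gist-based C2 check-in tends to produce. The log format, host names, process allow-list and thresholds are all assumptions.

```python
# Added example, not the report's code: log format, allow-list, sample and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <host> <process> <url>", one request per line.
PROXY_LOG = """\
2024-01-11T09:00:00 dev-ws01 git.exe https://github.com/acme/app.git
2024-01-11T09:00:02 dev-ws01 Code.exe https://raw.githubusercontent.com/acme/app/main/README.md
2024-01-11T10:00:00 fin-ws07 rundll32.exe https://gist.githubusercontent.com/x/abc123/raw/cfg.txt
2024-01-11T10:05:00 fin-ws07 rundll32.exe https://gist.githubusercontent.com/x/abc123/raw/cfg.txt
2024-01-11T10:10:00 fin-ws07 rundll32.exe https://gist.githubusercontent.com/x/abc123/raw/cfg.txt
2024-01-11T11:30:00 hr-ws03 chrome.exe https://github.com/acme/docs/issues/42
"""

# Hosts that serve raw file bytes, which a dead drop resolver or gist-based C2 needs.
RAW_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com", "objects.githubusercontent.com"}
# Processes expected to fetch raw GitHub content in this (assumed) environment.
DEV_TOOLS = {"git.exe", "git", "Code.exe", "python.exe", "pip.exe"}

def is_raw_github(url):
    return urlparse(url).hostname in RAW_HOSTS

def find_suspicious(log_text, min_polls=3, jitter_tolerance=0.1):
    """Return (host, process, url, reason) tuples worth an analyst's look.

    Signal 1: raw GitHub fetch by a process outside the developer allow-list.
    Signal 2: the same host/process/url fetched min_polls+ times at near-constant
    intervals (relative spread <= jitter_tolerance), a regular check-in pattern.
    """
    series = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, proc, url = line.split(" ", 3)
        if is_raw_github(url):
            series[(host, proc, url)].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc, url), stamps in sorted(series.items()):
        reasons = []
        if proc not in DEV_TOOLS:
            reasons.append("raw GitHub fetch by non-developer process")
        if len(stamps) >= min_polls:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = sum(gaps) / len(gaps)
            if mean > 0 and pstdev(gaps) / mean <= jitter_tolerance:
                reasons.append(f"polled {len(stamps)} times at ~{mean:.0f}s intervals")
        if reasons:
            findings.append((host, proc, url, "; ".join(reasons)))
    return findings
```

In the constructed sample only the finance workstation trips both signals; the developer's single README fetch and the browser visit to github.com are left alone, which is the kind of environment-specific tuning the report says every detection strategy needs.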
