Introduction: The ubiquity of GitHub, a widely used platform in IT environments, has attracted the attention of threat actors seeking to exploit its features for malicious purposes. GitHub's popularity makes it an attractive choice for hosting and delivering malicious payloads, acting as a command-and-control (C2) center or dead drop resolver, and even for data exfiltration. Recorded Future has termed this method "living-off-trusted-sites" (LOTS), reflecting threat actors' ability to blend in with legitimate network traffic.
GitHub as a Malicious Infrastructure: GitHub's versatility allows threat actors to conduct various malicious activities while appearing innocuous. Payload delivery, C2 obfuscation, and use as a dead drop resolver are the notable tactics employed by threat actors. While full-fledged C2 implementations on GitHub are less common, abuse of the platform as a dead drop resolver is prevalent, enabling threat actors to mask the true C2 URL effectively.
Instances of Abuse: Last month, ReversingLabs highlighted instances of rogue Python packages using secret gists on GitHub to receive malicious commands on compromised hosts. GitHub's role in data exfiltration, though less frequent, is recognized, often limited by concerns about file size, storage limitations, and discoverability. Beyond these tactics, GitHub Pages have been utilized for phishing and traffic redirection, showcasing threat actors' adaptability in exploiting legitimate features for malicious purposes.
Broader Trend of Abusing Legitimate Services: The exploitation of GitHub aligns with a broader trend where threat actors leverage legitimate internet services for malicious activities. Platforms like Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord, as well as other source code and version control platforms like GitLab, BitBucket, and Codeberg, have also been targeted. This trend underscores the challenge of distinguishing malicious activities from legitimate usage within such widely adopted services.
Challenges in Detection: Recorded Future acknowledges the difficulty in implementing a universal solution for detecting GitHub abuse. Instead, a combination of detection strategies tailored to specific environments is recommended. Factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance play a crucial role in developing effective strategies to identify and mitigate threats.
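One shape such an environment-specific strategy can take, as an added example written for this summary rather than code from Recorded Future's report: a Python heuristic over constructed proxy log lines that baselines which processes and hosts are expected to reach GitHub and flags deviations, including raw gist fetches by non-browser processes (the dead drop resolver pattern described above). The log format, host names, process allowlist and gist path layout are all assumptions to be tuned per site.

```python
import re

# GitHub endpoints the report names as abused for payload hosting and dead drops.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                "gist.github.com", "gist.githubusercontent.com"}
# Assumed environment baseline (tune per site): processes and hosts expected to reach GitHub.
EXPECTED_PROCESSES = {"git", "git-remote-https", "code", "chrome", "firefox", "msedge"}
BROWSERS = {"chrome", "firefox", "msedge"}
DEV_HOSTS = {"dev-ws-01", "dev-ws-02"}
# Raw gist content path, /<user>/<32-hex gist id>/raw...; the layout is an assumption.
GIST_RAW = re.compile(r"^/[^/]+/[0-9a-f]{32}/raw")


def parse_line(line):
    """Parse a constructed proxy log line: ts host user process dest_host url_path."""
    ts, host, user, process, dest, path = line.split()
    return {"ts": ts, "host": host, "user": user, "process": process,
            "dest": dest, "path": path}


def analyze(lines, expected=EXPECTED_PROCESSES, dev_hosts=DEV_HOSTS):
    """Return (host, process, dest, reason) tuples for each deviation from the GitHub baseline."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["dest"] not in GITHUB_HOSTS:
            continue  # only GitHub traffic is in scope for this heuristic
        reasons = []
        if ev["process"] not in expected:
            reasons.append("unexpected process reaching GitHub")
        if ev["host"] not in dev_hosts:
            reasons.append("host outside developer baseline")
        if GIST_RAW.match(ev["path"]) and ev["process"] not in BROWSERS:
            reasons.append("raw gist fetch by non-browser process (possible dead drop resolver)")
        alerts += [(ev["host"], ev["process"], ev["dest"], r) for r in reasons]
    return alerts


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2024-01-11T09:00:01Z dev-ws-01 alice git github.com /org/repo.git/info/refs",
    "2024-01-11T09:05:22Z dev-ws-01 alice chrome gist.github.com /alice/notes",
    "2024-01-11T10:12:45Z fin-ws-07 bob powershell.exe gist.githubusercontent.com /x/0123456789abcdef0123456789abcdef/raw",
    "2024-01-11T10:13:01Z fin-ws-07 bob outlook.exe dropbox.com /s/shared",
    "2024-01-11T11:00:00Z dev-ws-02 carol python raw.githubusercontent.com /org/repo/main/setup.py",
]
```

Running `analyze(SAMPLE_LOG)` yields four alerts: three for the finance workstation's PowerShell gist fetch and one for the interpreter pulling raw repository content on a developer host, while the non-GitHub Dropbox line is ignored.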
Conclusion: As threat actors continue to exploit trusted platforms for malicious purposes, defenders must stay vigilant and adopt proactive measures. GitHub's central role in software development makes it a prime target, necessitating robust detection strategies. The evolving landscape of cyber threats requires organizations to continually reassess and adapt their security protocols to safeguard against emerging tactics, such as the "living-off-trusted-sites" approach observed in the abuse of GitHub.