Cybercrime , Fraud Management & Cybercrime

Attackers' GitHub Abuse Poses Growing Risk, Researchers Warn

Cybersecurity Researchers Detail Defenses Against Attackers Abusing Cloud Services
Attackers' GitHub Abuse Poses Growing Risk, Researchers Warn
Hackers disguise their activities through legitimate online services, like wolves who appear in sheep's clothing. (Image: Getty Images)

One mounting challenge posed by hackers comes from their illegitimate use of code repository GitHub - yet another example of how malicious actors corrupt legitimate internet services to deliver malware, run command-and-control networks and handle exfiltrated data.

See Also: Check Kiting In The Digital Age

Owned by Microsoft, GitHub is an online developer platform that uses Git software to run software development - including version control - tools used by approximately 100 million developers.

The illicit use of GitHub by malware groups and other attackers of various stripes - including advanced persistent threat and nation-state groups - seems set to increase, especially as attackers grow more familiar with abusing the platform's various services, warns a report from Recorded Future.

In an emailed response, a GitHub spokesperson said it employs teams dedicated to removing content that violates its acceptable use policies. "We employ manual reviews and at-scale detections that use machine learning and continue to evolve and adapt against adversarial tactics," the spokesperson added.*

The top illicit use cases for GitHub are to deliver malicious payloads to endpoints, function as a dead drop resolver - using posted content to redirect victims from legitimate to illegitimate sites, serve as a C2 network to control infected endpoints, and exfiltrate data.

Other lesser-used malicious tactics include "hosting phishing operations, acting as fallback channels and serving as an infection vector through repository poisoning techniques."

Numerous legitimate internet services - including Discord, Dropbox, Google Drive, IRC channels, OneNote and Telegram - have long been subverted or tapped by attackers. "Cybercriminals have been exploiting free cloud platforms and services for fun and profit for a while now, ranging from CSPs' free tiers to platform-as-a-service (PaaS) and software-as-a-service (SaaS) features such as Heroku, Google Drive, GitHub Actions and many more," Trend Micro said in a January 2023 report.

Raw GitHub is currently the most abused service on the platform, followed by GitHub's Objects, Pages and Codeload, Recorded Future says.

"Qualitatively, there is a potential for an upswing in sophistication, and we anticipate that APT groups will persist in spearheading advancements in this domain, leading to cascading effects influencing less-sophisticated groups over time," the report says.

The challenge for defenders is when attackers use legitimate cloud services. As Trend Micro's report says, using such services "helps attackers scale their attacks quickly and easily, hide their tracks and avoid detection by abusing legitimate services."

Provider-Level Defenses

For all legitimate service providers, including GitHub, the best way to blunt bad use cases for their platform - and by extension for anyone targeted by criminals abusing the platform - is to form dedicated internal teams designed to hunt for such abuse.

Legitimate services that want to stamp out abuse may struggle to separate signal from noise, although a number of other strategies can help, experts say.

Dropbox last August took a bite out of illicit use - including individuals pooling storage for others, as well as cryptocurrency and Chia mining - by limiting its unlimited, "all the space you need" policy, Recorded Future said. Dropbox did this by restricting existing customers to 35 terabytes of storage per license and said this already applies to 99% of its customers, unless they pay more than the base monthly fee.

Dropbox isn't alone. Its move followed Google Workspace placing caps on the amount of data users could store, starting last July. As of Dec. 31, Amazon retired its file storage Drive service altogether.

Technical changes can help too. Last October, cybersecurity firm Trellix reported having counted 10,000 different samples of malware, including "many major loader families" but "largely limited to information stealers and grabbers," that were abusing Discord's content delivery network to serve as a distribution mechanism. Some types of malware also used Discord's webhooks "to exfiltrate data from the victim's machine to a Discord channel."

The next month, Discord began generating temporary file links, refreshing them after 24 hours, to combat illicit use of its CDN to host and deliver malware, Bleeping Computer reported.

Recommendations for GitHub Users

Attackers will continue to refine their use of legitimate cloud services, meaning at least some of their illicit use will likely continue to succeed, says Recorded Future's report. It says internal defenders at organizations that use GitHub can take multiple defensive steps to combat such attacks. These include restricting GitHub access to only specific parts of the organization - maintaining "a list of authorized developers, VLANs and internal IP addresses for GitHub API access" - and restricting access to only explicitly authorized GitHub services.

Such strategies won't be foolproof because "in an effort to blend in, threat actors perform reconnaissance and likely consider the specific service usage of their victims," the report says.

Other strategies it recommends include protecting the organization's GitHub access credentials so attackers can't hack in, keeping close eye on proxy and audit logs for signs of attack or infected endpoints phoning home to a C2 server, and conducting proactive threat hunting.

*Updated Jan. 11, 2024, 22:15 UTC: Adds comment from GitHub.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.