How Threat Actors Use GitHub

mthcht, published in Detect FYI, Aug 8, 2023

Introduction

GitHub is a popular place where people store and work on code. Many businesses and regular users rely on it, so it’s usually allowed within most company networks.

It is now an ideal place for attackers to host their payloads or exfiltrate data while hiding in plain sight. We will look at how GitHub is used by attackers and how to detect it.

Command and Control & Data Exfiltration

Any API service can be used as a C2 channel, and GitHub is no exception (more info in my story on known C2 projects that use legitimate APIs to hide in plain sight: https://mthcht.medium.com/c2-hiding-in-plain-sight-7a83963b9344)

Open-source C2 using the GitHub API:

Detection:

  • HTTP Requests to https://api.github.com/*
  • Note that this detection will show you every user of the GitHub API in your environment; you will need to establish a list of developers, VLANs or internal IP addresses authorized to use the GitHub API for their work. Knowing your environment is key!

C2 using GitHub Codespaces:

GitHub Codespaces is a feature that provides a complete, configurable development environment hosted in the cloud. It allows developers to develop, run, and debug projects directly within the browser or through Visual Studio Code, without the need to set up a local development environment.

GitHub Codespaces has a public port-forwarding option that lets you make your server available to the public.

I tried it recently (ref) and immediately considered how this could be abused by threat actors for malware delivery and data exfiltration. Increasingly, I see threat actors attempting to evade detection by blending in with legitimate traffic or applications (lolbas).

Not surprisingly, I found some reports of Codespaces being used by C2s; here is a sample of such a C2: https://bazaar.abuse.ch/sample/c92a7425959121ff49970c53b78e714b9e450e4b214ac85deb878d0bedf82a70/

Detection:

  • Data Collection: HTTP GET Requests to https://*.app.github.dev/*
  • Data Exfiltration: HTTP POST Requests to https://*.app.github.dev/*
  • Note that these detections will show you every access to a GitHub Codespace environment. Since it’s not a widely used service, the triage should be straightforward. However, if you have to prioritize, pay the most attention to POST requests (data exfiltration) to the URL pattern.

Malware delivery

Malware hosting on GitHub is very common, and GitHub only takes action in rare cases of collaboration with the infosec community. Even remediation can be difficult, as seen in multiple campaigns: threat actors fork their malware repositories, or legitimate existing projects with a few modifications, across hundreds of accounts to establish persistence. By leveraging the platform’s reputation and the fork option, they bypass security measures.

Detection recommendation:

Detect raw content access on GitHub and Gist with your proxy logs:

  • *https://raw.githubusercontent.com*
  • *https://codeload.github.com*
  • *https://objects.githubusercontent.com/github-production-release-asset-*
  • */github.com*.exe?raw=true*
  • *https://gist.githubusercontent.com/*/*/raw/*

Triage: you can add a filter on URLs ending with executable or archive extensions, or establish an exclusion list based on the common files you see requested in your environment.
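To make the three detection sections above concrete, here is an added example (not code from the original post) that runs the post's URL patterns over a handful of constructed proxy log lines and applies the triage rules described: an allow list of hosts authorized to use the GitHub API, POST versus GET on Codespaces, and an executable/archive extension filter on raw content. The log format, the developer subnet 10.0.5.0/24 and the extension list are assumptions.

```python
import re

# Constructed sample proxy log lines ("<src_ip> <method> <url>"), not from the post.
SAMPLE_LOGS = """\
10.0.5.12 GET https://api.github.com/repos/example/proj/issues
10.0.9.77 GET https://api.github.com/repos/example/proj/issues
10.0.9.77 POST https://fancy-space-abc123-8080.app.github.dev/upload
10.0.9.77 GET https://raw.githubusercontent.com/example/proj/main/README.md
10.0.9.77 GET https://github.com/example/proj/blob/main/tool.exe?raw=true
10.0.9.77 GET https://gist.githubusercontent.com/someone/abcd1234/raw/loader.ps1
"""
AUTHORIZED_API_PREFIXES = ("10.0.5.",)  # assumption: developer subnet allowed to use the API
PATTERNS = {  # URL patterns from the post, grouped by the abuse they indicate
    "github_api": ["https://api.github.com/*"],
    "codespaces": ["https://*.app.github.dev/*"],
    "raw_content": [
        "*https://raw.githubusercontent.com*",
        "*https://codeload.github.com*",
        "*https://objects.githubusercontent.com/github-production-release-asset-*",
        "*/github.com*.exe?raw=true*",
        "*https://gist.githubusercontent.com/*/*/raw/*",
    ],
}
# Triage filter for raw content: executables, scripts and archives (assumed list).
SUSPICIOUS_EXT = re.compile(r"\.(exe|dll|ps1|bat|vbs|zip|7z|rar|iso)(\?|$)", re.I)

def glob_to_re(pat):
    # '*' is the only wildcard; '?' in the post's patterns is the literal query separator
    return re.compile("^" + ".*".join(re.escape(p) for p in pat.split("*")) + "$")
COMPILED = {name: [glob_to_re(g) for g in globs] for name, globs in PATTERNS.items()}

def classify(src_ip, method, url):
    """Return the alert names raised by one proxy log entry (empty = nothing to triage)."""
    alerts = []
    for name, regexes in COMPILED.items():
        if any(r.match(url) for r in regexes):
            if name == "github_api" and not src_ip.startswith(AUTHORIZED_API_PREFIXES):
                alerts.append("github_api_unauthorized_host")  # API use from an unknown host
            elif name == "codespaces":  # POST = possible exfiltration, GET = collection/delivery
                alerts.append("codespaces_exfil" if method == "POST" else "codespaces_access")
            elif name == "raw_content" and SUSPICIOUS_EXT.search(url):
                alerts.append("raw_content_executable")
    return alerts

def scan(log_text):  # returns {(src_ip, url): alerts} for the lines that raised an alert
    hits = {}
    for line in log_text.splitlines():
        src_ip, method, url = line.split(" ", 2)
        if alerts := classify(src_ip, method, url):
            hits[(src_ip, url)] = alerts
    return hits
```

Running scan(SAMPLE_LOGS) drops the authorized developer's API call and the README fetch, and keeps the four entries worth triage: the API call from an unknown host, the Codespaces POST, and the two raw downloads of an executable and a script.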

Check out some of the filters I use in the ThreatHunting-Keywords project: https://github.com/mthcht/ThreatHunting-Keywords-sigma-rules/blob/main/sigma_rules/greyware_tools/github/github.json

You can also use this project to hunt for access to offensive tools on GitHub; the most important offensive tool repositories are referenced in it with detection patterns.

I highly recommend hunting for this, let me know what you find!

Supply chain attacks

Supply chain attacks targeting globally used software repositories involve sophisticated methods to compromise the integrity of the software. Attackers focus on infiltrating the development or distribution process, rather than attacking the end user directly.

Here’s how it typically works:

  1. Target Selection: attackers identify a widely used software package repository on GitHub.
     • Attackers can obtain the email address of a repository owner by examining the commit history. GitHub’s default setting associates your email with commits, and many owners neglect to change this option. The tool glit retrieves all email addresses related to a git repository, a git user or a git organization (https://github.com/shadawck/glit), which can then be used for phishing.
     • Attackers can also search for valid credentials in GitHub repositories with tools like gitleaks (https://github.com/gitleaks/gitleaks) and use them to infiltrate the development environment.
  2. Infiltration: by exploiting vulnerabilities, social engineering the owner, or by other means, the attacker gains access to the development or distribution environment.
  3. Code Alteration: once inside, the attacker modifies the source code or injects malicious code, sometimes subtly altering existing functionality.
  4. Distribution: the tainted software package is then distributed through GitHub as the latest compromised code/version.
  5. Execution: end users who download and install the compromised software unknowingly execute the malicious code, allowing the attacker to achieve their objectives, such as data theft or system control.

The advantage is that you can examine the commits on GitHub to understand what has changed, but who really takes the time to check all the commits 🤔?

Happy hunting 🏹

GitHub is a very attractive target for attackers. The abuse of the features I’ve described shows the need for continuous vigilance. Use the detection patterns I gave you to hunt in your environment. Detection is still hard and subject to false positives, but if you manage to achieve a low false positive rate, I recommend implementing detection rules for these.
