GitHub Exploited by Threat Actors for Malicious Deployment

The widespread use of GitHub in information technology (IT) environments has become an enticing avenue for threat actors to deploy and facilitate malicious activities, functioning as repositories for malicious payloads, dead drop resolvers, command-and-control centers, and data exfiltration points.

A recently shared report highlights the emergence of what it terms “living-off-trusted-sites” (LOTS), a strategic twist on the living-off-the-land (LotL) techniques often employed by threat actors to obfuscate rogue activities and evade detection.

GitHub’s popularity is notably exploited for payload delivery, with threat actors leveraging its features for command-and-control (C2) obfuscation. Recent instances include the revelation of rogue Python packages utilizing a secret gist hosted on GitHub to receive malicious commands on compromised hosts.

While comprehensive C2 implementations on GitHub are less common compared to other infrastructure schemes, the platform is frequently used as a dead drop resolver. In this scenario, information from an actor-controlled GitHub repository is employed to obtain the actual C2 URL, exemplified in cases involving malware such as Drokbk and ShellBox.

Data exfiltration leveraging GitHub is observed less frequently, attributed to concerns regarding file size and storage limitations, as well as apprehensions related to discoverability.

Beyond these primary strategies, GitHub’s diverse features are harnessed in various ways to fulfill infrastructure-related objectives. GitHub Pages, for instance, have been repurposed as phishing hosts or traffic redirectors, with certain campaigns utilizing a GitHub repository as a backup C2 channel.

This trend aligns with a broader pattern wherein legitimate internet services, including Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord, are increasingly exploited by threat actors. Other source code and version control platforms, such as GitLab, Bitbucket, and Codeberg, also fall prey to misuse.

Users can mitigate the risk of GitHub exploitation by employing a combination of detection strategies tailored to their specific environment: regularly monitor and analyze network traffic for unusual patterns, and educate teams on the potential dangers of trusting seemingly legitimate GitHub repositories. Vigilant cybersecurity practices remain essential to counteract the evolving methods employed by threat actors on this widely used platform.
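The dead-drop-resolver and secret-gist patterns described above have a recognisable network signature: a non-developer process on a non-developer host fetching the same raw GitHub or gist URL at a steady interval. The following Python script is an added example, not code from the article or from the report it summarises; it shows one way to implement the "monitor network traffic for unusual patterns" advice. The pipe-separated log format, the sample log lines, the developer-process and developer-host allowlists, and the 15-second jitter threshold are all constructed assumptions and would need to be replaced with values from your own proxy or EDR telemetry.

```python
"""
Flag GitHub/gist fetches that look like dead-drop-resolver or C2 polling
rather than developer activity. Example code, not from the original article.
Log schema (ts|src_ip|process|user_agent|host|uri) is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# GitHub endpoints that serve raw file content (used for dead drops and payloads)
GITHUB_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "gist.github.com",
    "api.github.com",
    "objects.githubusercontent.com",
}
# Processes expected to talk to GitHub on a developer workstation (assumption)
DEV_PROCESSES = {"git", "git.exe", "code.exe", "pip.exe", "npm", "gh.exe"}
# Hosts that belong to engineering and are expected to fetch from GitHub (assumption)
DEV_HOSTS = {"10.0.5.20"}

# Constructed sample log: one developer host, one host polling a gist every
# five minutes from python, and one host pulling a binary via svchost.exe
SAMPLE_LOG = """\
2024-01-11T09:00:00Z|10.0.5.20|git.exe|git/2.43.0|api.github.com|/repos/acme/app
2024-01-11T09:00:05Z|10.0.7.33|python.exe|python-requests/2.31|gist.githubusercontent.com|/u123/raw/abc/cfg.txt
2024-01-11T09:05:05Z|10.0.7.33|python.exe|python-requests/2.31|gist.githubusercontent.com|/u123/raw/abc/cfg.txt
2024-01-11T09:10:04Z|10.0.7.33|python.exe|python-requests/2.31|gist.githubusercontent.com|/u123/raw/abc/cfg.txt
2024-01-11T09:15:06Z|10.0.7.33|python.exe|python-requests/2.31|gist.githubusercontent.com|/u123/raw/abc/cfg.txt
2024-01-11T09:20:00Z|10.0.5.20|code.exe|VSCode/1.85|raw.githubusercontent.com|/acme/app/main/README.md
2024-01-11T09:21:00Z|10.0.9.8|svchost.exe||raw.githubusercontent.com|/x/y/main/stage2.bin
"""


def parse(line):
    """Split one pipe-separated log line into a dict with a parsed timestamp."""
    ts, src, proc, ua, host, uri = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "proc": proc, "ua": ua, "host": host, "uri": uri,
    }


def score_event(ev):
    """Return the reasons a single GitHub fetch looks suspicious (empty if none)."""
    reasons = []
    if ev["host"] not in GITHUB_CONTENT_HOSTS:
        return reasons
    if ev["proc"] not in DEV_PROCESSES:
        reasons.append(f"non-developer process {ev['proc']}")
    if ev["src"] not in DEV_HOSTS:
        reasons.append("host not in developer group")
    if not ev["ua"] or ev["ua"].startswith("python-requests"):
        reasons.append(f"unusual user-agent {ev['ua']!r}")
    return reasons


def find_polling(events, min_hits=3, max_jitter=15.0):
    """Group GitHub fetches by (src, host, uri) and report groups whose
    inter-request gaps are regular enough to look like beaconing.
    Returns {key: mean_interval_seconds}."""
    groups = defaultdict(list)
    for ev in events:
        if ev["host"] in GITHUB_CONTENT_HOSTS:
            groups[(ev["src"], ev["host"], ev["uri"])].append(ev["ts"])
    polling = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            polling[key] = round(sum(gaps) / len(gaps), 1)
    return polling


def analyze(log_text):
    """Run both checks over a log and return the findings."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    suspicious = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            suspicious.append((ev["src"], ev["proc"], ev["host"] + ev["uri"], reasons))
    return {"suspicious_fetches": suspicious, "polling": find_polling(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, proc, url, reasons in result["suspicious_fetches"]:
        print(f"{src} {proc} -> {url}: {', '.join(reasons)}")
    for (src, host, uri), interval in result["polling"].items():
        print(f"{src} polls {host}{uri} every ~{interval}s")
```

The per-event allowlist catches one-off fetches such as the `svchost.exe` download, while the interval check catches the gist polling even though each individual request could pass for a scripted build step. Both checks depend on environment-specific baselines: a CI runner or a data-science host will legitimately fetch from GitHub with `python-requests`, so the allowlists are where the "tailored to your environment" tuning actually happens.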