Trusted and widely used software development and collaboration platforms like GitHub and GitLab have become both targets of and vehicles for a growing range of malicious activity.
The latest manifestations of that trend include a malware distribution campaign involving legitimate GitHub repositories and the availability this week of an exploit for a vulnerability that allows an attacker to gain access as any user of GitLab.
The first is an example of how attackers are exploiting the trusted reputation of platforms like GitHub to try to sneak malware past endpoint detection mechanisms. The GitLab vulnerability, meanwhile, highlights the growing exposure of organizations to exploits that give attackers access to code repositories and let them exfiltrate secrets and data, modify or inject code into software, and manipulate the CI/CD pipeline.
Hosting Malware on Trusted GitHub Repos
Researchers at Cofense this week reported a phishing campaign in which a threat actor is attempting to direct targeted victims in the insurance and finance sectors to malware hosted on trusted GitHub repositories. The campaign involves the attacker sending victims tax-themed phishing emails containing a link to a password-protected archive containing Remcos, a remote access Trojan that cybercriminals and state-backed groups alike have used in various cyber-espionage and data theft attacks over the years.
What makes the campaign noteworthy, according to Cofense, is how the threat actor has managed to sneak the archive files containing the Remcos RAT into legitimate GitHub repositories belonging to trusted entities. Examples of such entities include His Majesty's Revenue & Customs (HMRC), the UK's national tax authority; New Zealand's counterpart, Inland Revenue; and UsTaxes, an open source tax-filing platform.
In each instance, the attacker used GitHub comments to upload a malicious file containing Remcos RAT to the repositories of the respective entities.
Many GitHub repositories allow developers to comment on ongoing and collaborative software projects. The comments can cover a wide range of topics, including proposed code changes, documentation and bug-related issues, task creation clarification requests, task management and progress updates, and merge conflict resolution.
"GitHub comments are useful to a threat actor because malware can be attached to a comment in a GitHub repository without having to upload it to the source code files of that repository," Cofense security researcher Jacob Malimban wrote in a blog post. "This means that any organization's legitimate GitHub repository that allows comments can contain unapproved files outside of the vetted code." Unsanctioned files that someone might submit via GitHub comments end up in a subdirectory that is separate from the one containing the repository's vetted files, Malimban said. What is especially troubling is the fact that the link to the malicious file will continue to work even when the comment itself gets deleted.
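The distinction Malimban describes, between a repository's vetted tree and the separate location where comment attachments land, is something a mail-gateway or SOC rule can key on. The following is an added example, not code from Cofense or the article; the URL path shapes it matches and the sample email are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed path shapes for files attached to GitHub issue/PR comments. These
# are assumptions about GitHub's attachment URLs, not something the article states.
ATTACHMENT_PATHS = [
    re.compile(r"^/[^/]+/[^/]+/files/\d+/"),      # /<owner>/<repo>/files/<id>/<name>
    re.compile(r"^/user-attachments/files/\d+/"),  # account-scoped attachment path
]
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

def classify_github_link(url: str) -> str:
    """Return 'comment-attachment', 'repo-content' or 'other' for a URL."""
    p = urlparse(url)
    if p.netloc.lower() not in ("github.com", "www.github.com"):
        return "other"
    if any(pat.match(p.path) for pat in ATTACHMENT_PATHS):
        return "comment-attachment"
    return "repo-content"  # blob/raw/tree paths under the vetted repository tree

def flag_attachment_links(body: str) -> list[dict]:
    """Find github.com links that point at comment attachments; note archives."""
    findings = []
    for url in URL_RE.findall(body):
        if classify_github_link(url) == "comment-attachment":
            name = urlparse(url).path.rsplit("/", 1)[-1].lower()
            findings.append({"url": url, "archive": name.endswith(ARCHIVE_EXT)})
    return findings

# Constructed sample email body (not a real campaign artefact).
SAMPLE_EMAIL = """Subject: Tax refund documents
Please download your statement here:
https://github.com/example-org/example-repo/files/123456/TaxDocs.zip
Reference guide: https://github.com/example-org/example-repo/blob/main/README.md
"""

if __name__ == "__main__":
    for f in flag_attachment_links(SAMPLE_EMAIL):
        tag = "(archive) " if f["archive"] else ""
        print(f"comment attachment {tag}-> {f['url']}")
```

A link that resolves to a comment attachment rather than to the repository's own files is the signal worth alerting on; an archive extension on top of that matches the password-protected-archive lure the campaign used.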
Multiple Incidents
Other threat actors have noticed the opportunity as well. A recent case in point is the purveyor of the Redline Stealer, who earlier this year was observed using at least Microsoft's own GitHub repository to host the information-stealing malware. In that campaign — as with the new Remcos RAT attacks that Cofense observed — the threat actor uploaded the malware as a comment to Microsoft's GitHub vcpkg repository.
Emails with links to domains such as GitHub are effective at skirting secure email gateways because of their trusted reputation. Attackers can, in fact, link directly to their malware on such domains without needing to redirect users to other sites, and without requiring them to use other security bypass techniques like scanning QR codes, Cofense said.
The threat actor behind the new Remcos RAT campaign could easily have targeted victims in other sectors as well. But they likely deliberately kept their focus narrow to test how effective the strategy of hosting malware on the GitHub repositories is before attacking others, Malimban surmised.
Growing Threat Actor Interest
Meanwhile, the new exploit for GitLab targets a critical authentication bypass vulnerability (CVE-2024-45409) affecting the Ruby-SAML and OmniAuth-SAML libraries that GitLab uses to enable SAML-based single sign-on. The exploit script gives attackers a way to abuse the vulnerability to access GitLab in the context of any user. The vulnerability affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) below 16.11.10. The flaw is also present in several 17.x.x versions of GitLab.
The exploit is another sign of the growing researcher and threat actor interest in repositories like GitHub and GitLab and their users. Over the past year there have been several instances of attacks targeting repos on GitHub, like one involving cyber-extortion that Chilean cybersecurity firm CronUp reported in June and another involving the use of ghost accounts on GitHub to distribute malware. GitLab users have had their share of security scares to deal with as well, like CVE-2024-45409 and two other recent vulnerabilities (CVE-2024-6385 and CVE-2024-5655) that posed a major threat to the integrity of CI/CD pipelines.