Experts have warned that cybercriminals are using GitHub to host and distribute malicious files and redirect traffic to phishing scams.
While GitHub has become an industry-standard tool for sharing code and files, threat actors are increasingly using it as a key part of their criminal infrastructure.
The code hosting site is also being abused in an adaptation of the living off the land (LotL) tactic.
An infection without a cure?
Threat actors have been using the site's code and file-sharing capabilities to deliver their payloads inside legitimate network traffic, a pattern Recorded Future calls “living off trusted sites” (LOTS) in its report on how threat actors are using GitHub.
GitHub's main avenue of abuse revolves around payload delivery, and dead drop resolution (DDR) and command and control (C2) are also widely used on the site.
DDR is the use of a legitimate service by cybercriminals to store information about their own malicious domains; malware on an infected host retrieves that information and is directed to other infrastructure operated by the threat actors.
GitHub is also being used by threat actors to hide or disguise their C2 networks, allowing their traffic to blend in with legitimate traffic, making it very difficult to track or observe.
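As an added example that is not part of the original article or of Recorded Future's report, the script below shows the kind of proxy-log check a defender could run to surface the two patterns described above: GitHub fetches from clients that are neither a browser nor git, and one client repeatedly polling the same raw file, as a DDR lookup or C2 beacon would. The log format, hosts, paths and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines in a hypothetical `ts src "user-agent" method url status` format.
SAMPLE_LOG = """\
2024-01-11T09:00:01Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" GET https://github.com/org/repo 200
2024-01-11T09:00:07Z 10.0.0.5 "git/2.43.0" GET https://github.com/org/repo.git/info/refs 200
2024-01-11T09:01:00Z 10.0.0.9 "python-requests/2.31" GET https://raw.githubusercontent.com/acct/cfg/main/c2.txt 200
2024-01-11T09:02:00Z 10.0.0.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" GET https://www.example.com/ 200
2024-01-11T09:03:00Z 10.0.0.12 "-" GET https://gist.githubusercontent.com/acct/abc123/raw/x 200
2024-01-11T09:06:00Z 10.0.0.9 "python-requests/2.31" GET https://raw.githubusercontent.com/acct/cfg/main/c2.txt 200
2024-01-11T09:11:00Z 10.0.0.9 "python-requests/2.31" GET https://raw.githubusercontent.com/acct/cfg/main/c2.txt 200
"""

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com",
                "gist.githubusercontent.com", "objects.githubusercontent.com")
# Clients expected to talk to GitHub from a developer workstation; anything else deserves a look.
EXPECTED_CLIENTS = ("git/", "Mozilla/")

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_github_host(url):
    """True when the request goes to GitHub or one of its content-serving domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)

def find_suspicious(log_text, min_repeats=3):
    """Flag GitHub fetches by unexpected clients and repeated polling of a single URL."""
    groups = {}  # (src, user-agent, url) -> request count, in order of first appearance
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_github_host(rec["url"]):
            continue
        key = (rec["src"], rec["ua"], rec["url"])
        groups[key] = groups.get(key, 0) + 1
    findings = []
    for (src, ua, url), count in groups.items():
        reasons = []
        if not ua.startswith(EXPECTED_CLIENTS):
            reasons.append("unexpected client")
        if count >= min_repeats:
            reasons.append("repeated polling")
        if reasons:
            findings.append({"src": src, "ua": ua, "url": url, "count": count, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['src']} {f['count']}x {f['url']} [{f['ua']}] -> {', '.join(f['reasons'])}")
```

The user-agent allowlist and the repeat threshold are deliberately simple starting points; in practice they would be tuned to the traffic a given environment legitimately sends to GitHub.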
Recorded Future said in the report that “the 'living in trusted places' (LOTS) approach stands out as a growing trend among APTs, and less sophisticated groups are expected to follow suit.”
As attacks are expected to increase, the report emphasizes that legitimate Internet services (LIS) will represent a new vector of third-party risk for customers. “Mitigation strategies are expected to require advanced detection methods, comprehensive visibility, and diverse detection angles.”
The report states that there is no current solution to abuse of GitHub by threat actors; however, it is hoped that responsibility for detecting abuse of GitHub hosting can gradually shift to the LISs themselves, which have far greater visibility into who is using their services and what they are doing.
Via TheHackerNews