Cybercriminals are using GitHub to host and distribute malicious files and redirect traffic to phishing scams, experts have warned.
While GitHub has become an industry standard tool for code and file sharing, it is increasingly being used by threat actors as a key part of their criminal infrastructure.
The code-hosting site is also being used in an adapted tactic of living-off-the-land (LotL).
An infection without a cure?
Threat actors have been using the sites file and code sharing capabilities to deploy its payloads inside legitimate network traffic in what Recorded Future has coined as “living-off-trusted-sites” (LOTS) in a report on how threat actors are utilizing GitHub.
The main avenue of GitHub abuse surrounds payload delivery, with dead drop resolving (DDR) and command-and-control (C2) also seeing widespread use on the site.
DDR involves the use of a legitimate service being used by cybercriminals to store information relating to their own malicious domains, which infect users and directs them to other infrastructure used by threat actors.
GitHub is also being used by threat actors to hide or disguise their C2 networks, allowing their traffic to blend in with legitimate traffic making it very difficult to trace or observe.
Recorded Future said in the report that, “The "living-off-trusted-sites" (LOTS) approach is highlighted as a growing trend among APTs, with less-sophisticated groups expected to follow suit.”
“As attacks are anticipated to increase, the text emphasizes that legitimate internet services (LIS) will pose a new third-party risk vector for customers. Mitigation strategies are expected to require advanced detection methods, comprehensive visibility, and diverse detection angles.”
The report states that there is no current solution to resolve GitHub abuse by threat actors, however it is expected that the responsibility for detecting the abuse of GitHub hosting may gradually move towards LIS who have greater visibility over who is using their services and what they are doing.
Via TheHackerNews