GitHub is being hijacked by hackers, and it isn't going to be fixed any time soon

GitHub Webpage
(Image credit: Gil C / Shutterstock)

Cybercriminals are using GitHub to host and distribute malicious files and redirect traffic to phishing scams, experts have warned.

While GitHub has become an industry standard tool for code and file sharing, it is increasingly being used by threat actors as a key part of their criminal infrastructure.

The code-hosting site is also being used in an adapted tactic of living-off-the-land (LotL).

Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

An infection without a cure?

Threat actors have been using the sites file and code sharing capabilities to deploy its payloads inside legitimate network traffic in what Recorded Future has coined as “living-off-trusted-sites” (LOTS) in a report on how threat actors are utilizing GitHub.

The main avenue of GitHub abuse surrounds payload delivery, with dead drop resolving (DDR) and command-and-control (C2) also seeing widespread use on the site.

DDR involves the use of a legitimate service being used by cybercriminals to store information relating to their own malicious domains, which infect users and directs them to other infrastructure used by threat actors.

GitHub is also being used by threat actors to hide or disguise their C2 networks, allowing their traffic to blend in with legitimate traffic making it very difficult to trace or observe.

Recorded Future said in the report that, “The "living-off-trusted-sites" (LOTS) approach is highlighted as a growing trend among APTs, with less-sophisticated groups expected to follow suit.”

“As attacks are anticipated to increase, the text emphasizes that legitimate internet services (LIS) will pose a new third-party risk vector for customers. Mitigation strategies are expected to require advanced detection methods, comprehensive visibility, and diverse detection angles.”

The report states that there is no current solution to resolve GitHub abuse by threat actors, however it is expected that the responsibility for detecting the abuse of GitHub hosting may gradually move towards LIS who have greater visibility over who is using their services and what they are doing.

Via TheHackerNews

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focussing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.