Cybercriminals are using GitHub to host and distribute malicious files and redirect traffic to phishing scams, experts have warned.
While GitHub has become an industry standard tool for code and file sharing, it is increasingly being used by threat actors as a key part of their criminal infrastructure.
The code-hosting site is also being used in an adapted tactic of living-off-the-land (LotL).
Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today.
Preferred partner (What does this mean?)
An infection without a cure?
Threat actors have been using the sites file and code sharing capabilities to deploy its payloads inside legitimate network traffic in what Recorded Future has coined as “living-off-trusted-sites” (LOTS) in a report on how threat actors are utilizing GitHub.
The main avenue of GitHub abuse surrounds payload delivery, with dead drop resolving (DDR) and command-and-control (C2) also seeing widespread use on the site.
DDR involves the use of a legitimate service being used by cybercriminals to store information relating to their own malicious domains, which infect users and directs them to other infrastructure used by threat actors.
GitHub is also being used by threat actors to hide or disguise their C2 networks, allowing their traffic to blend in with legitimate traffic making it very difficult to trace or observe.
Recorded Future said in the report that, “The "living-off-trusted-sites" (LOTS) approach is highlighted as a growing trend among APTs, with less-sophisticated groups expected to follow suit.”
“As attacks are anticipated to increase, the text emphasizes that legitimate internet services (LIS) will pose a new third-party risk vector for customers. Mitigation strategies are expected to require advanced detection methods, comprehensive visibility, and diverse detection angles.”
The report states that there is no current solution to resolve GitHub abuse by threat actors, however it is expected that the responsibility for detecting the abuse of GitHub hosting may gradually move towards LIS who have greater visibility over who is using their services and what they are doing.
More from TechRadar Pro
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism he worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but he also likes to draw on his knowledge of geopolitics and international relations to understand the motives and consequences of state-sponsored cyber attacks.
He has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham. His masters dissertation, titled 'Arms sales as a foreign policy tool,' argues that the export of weapon systems has been an integral part of the diplomatic toolkit used by the US, Russia and China since 1945. Benedict has also written about NATO's role in the era of hybrid warfare, the influence of interest groups on US foreign policy, and how reputational insecurity can contribute to the misuse of intelligence.
Outside of work Ben follows many sports; most notably ice hockey and rugby. When not running or climbing, Ben can most often be found deep in the shrubbery of a pub garden.