The Stealthy Cyber Threat: Abuse of GitHub for Malicious Purposes

In the evolving landscape of cybersecurity threats, GitHub, a popular collaborative coding and version control platform, has emerged as a new frontier for cybercriminals and advanced persistent threats (APTs). This article delves into the multifaceted ways GitHub is exploited for malicious infrastructure, the challenges posed to cybersecurity and effective strategies for mitigation.

Figure 1 – Breakdown of abused GitHub services among samples sourced from Recorded Future

Understanding the Threat

GitHub’s services, integral to numerous legitimate operations, are being hijacked for a wide range of malicious infrastructure schemes. Key abuses include payload delivery, dead drop resolving (DDR), full command-and-control (C2), and exfiltration. This exploitation, termed “living-off-trusted-sites” (LOTS), enables adversaries to blend seamlessly into legitimate network traffic, bypass traditional security defenses, and complicate the tracking of upstream infrastructure and actor attribution.

While GitHub offers a platform for efficient and collaborative development, it simultaneously presents a low-cost, high-uptime, and easily accessible medium for threat actors. However, it’s not without drawbacks for them. GitHub’s inherent limitations, like file size restrictions and heightened visibility into hosted infrastructure, pose challenges to malicious users.

Figure 2 – Graphic of GitHub services abused by malicious infrastructure

Payload Delivery – The Dominant Scheme

Payload delivery emerges as the most prevalent infrastructure scheme, with its ease of implementation and alignment with GitHub’s legitimate use cases. Yet, it risks unintended exposure, potentially revealing operational insights into threat actors’ development capabilities, targets, and attack vectors.

GitHub’s use for DDR and full C2 implementations, though less common, presents significant concerns. DDR via GitHub poses minimal risk of data removal due to the platform’s difficulty in discerning malicious intent behind posted addresses or strings. Full C2 schemes, albeit relatively rare, are predominantly linked to sophisticated APT activity, underscoring their potential impact.

Exfiltration and Other Malicious Uses

While GitHub is less commonly used for exfiltration than other schemes, its use in this regard cannot be overlooked. Additionally, GitHub services have been abused for various other malicious purposes, including hosting phishing operations and serving as an infection vector.

Mitigating the Threat

To combat GitHub abuse, a multi-faceted approach is required. This includes service-based strategies like flagging or blocking specific GitHub services and context-based strategies based on the specific needs of different corporate environments. Organizations should invest in understanding how GitHub is abused to develop sophisticated detection mechanisms and tailored threat hunting.

Challenges in Detecting GitHub Abuse

Using platforms like GitHub for nefarious activities is a tactic to evade detection. Identifying such abuse within a specific environment depends on factors like the availability of logs, organizational structure, and risk tolerance. A tailored approach, combining multiple detection strategies, is necessary.

Context-Based Detection Approaches

This strategy is grounded in the understanding of specific organizational needs. If only certain departments should access GitHub services, any traffic from other parts not designated for this interaction is considered suspicious. For instance, if only the development team is authorized to access GitHub APIs, traffic from different departments to these APIs may indicate malicious activity. Implementing this strategy requires detailed knowledge of the organizational environment, including a list of authorized users and network segments.

Service-Based Detection Techniques

This approach focuses on identifying unnecessary GitHub services in a corporate setting. For instance, an organization using an internal Git Enterprise server might not need various external GitHub services. Similarly, for companies using self-hosted runners for job assignments and updates, certain GitHub hosts can be blocked or monitored. Understanding the organization’s GitHub service usage is crucial for this strategy.

Log-Based Detection Methods

Log-based detection involves analyzing interactions between systems and GitHub services. Suspicious connections can be identified through proxy and audit logs. For example:

  • Monitoring specific Living-Off-the-Land binaries (LOLbins) like certutil or wget used to retrieve payloads from GitHub.
  • Detecting non-browser executables that make DNS requests to GitHub domains.
  • Creating detection rules for Git commands used in data exfiltration, such as “remote,” “add,” or “push,” especially involving non-corporate GitHub domains.
  • Proxy logs can be used to detect specific URL patterns with executable file extensions.

Detection Based on LIS Combinations

Since malware often abuses multiple LIS, detecting combinations of these services can be effective. For instance, identifying traffic to GitHub Pages that redirect to other services like mock API services could indicate malicious activity.

Network-Based Detection

As GitHub is often used for payload delivery and DDR, monitoring network communications for connections to malicious infrastructure can be helpful. However, this approach might only identify infections after data exfiltration has occurred.

Proactive Threat Hunting

Proactive hunting involves manual processes and can provide insights into threat actor behaviors. Techniques include:

  • Hunting via GitHub usernames, repositories, and organization names.
  • Using website scanning tools to identify malware-hosting sites associated with GitHub.
  • Analyzing GitHub commit history to uncover details about threat actors’ attack vectors, motivations, and targets.

The Future Outlook

As the abuse of legitimate internet services like GitHub is anticipated to increase, both defenders and service providers must adapt. Effective mitigation strategies require advanced detection methods, more comprehensive visibility, and diverse detection angles. Moreover, shifts in security ownership are expected, with LIS potentially assuming more responsibility in combating abuse.

The abuse of GitHub for malicious purposes underscores a critical challenge in cybersecurity: the exploitation of trusted, legitimate services. Addressing this not only requires advanced technological solutions but also a paradigm shift in how cybersecurity is approached, emphasizing proactive, intelligence-driven strategies to stay ahead of the threat.