Trusted platforms like GitHub and GitLab, which are widely used for software development and collaboration, are increasingly becoming both targets and vehicles for various malicious activities. The latest incidents in this trend include a malware distribution campaign through legitimate GitHub repositories and the discovery of an exploit for a vulnerability in GitLab that allows attackers to gain access as any user.
The malware distribution campaign, as reported by Cofense, involves a threat actor attempting to direct victims in the insurance and finance sectors to malware hosted on trusted GitHub repositories. These victims receive tax-themed phishing emails containing links to password-protected archives with Remcos, a remote access Trojan used in cyber espionage and data theft attacks by cybercriminals and state-backed groups. What sets this campaign apart is how the threat actor managed to infiltrate legitimate GitHub repositories of reputable entities like HMRC, InlandRevenue, and UsTaxes with the malicious files.
The technique relies on GitHub's comment feature: attaching a file to an issue or pull-request comment hosts it under the repository's URL path without the file ever entering the repository's source tree. Because comments are a routine part of developer collaboration, they give threat actors a convenient cover for attaching malware to a reputable project without touching its code. The resulting links carry the trust of the legitimate repository while the malicious files sit outside the reviewed, version-controlled content, which lets them slip past detection mechanisms that key on the repository's code alone.
Another incident involved a threat actor using Microsoft's own GitHub repository to host the Redline Stealer malware, further illustrating the growing interest of malicious actors in leveraging trusted platforms for their activities. By exploiting the reputation and accessibility of domains like GitHub, attackers can evade secure email gateways and link directly to malware without redirects or additional infrastructure, making their campaigns more effective.
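A defender can act on the distinction the article draws between files attached to comments and files that live in a repository's source tree. The script below is an added example written for this page, not code from Cofense, GitHub or any of the named projects: it pulls URLs out of an email body and flags those whose path shape matches a GitHub comment attachment rather than versioned repository content. The URL shapes it matches (a legacy `/<owner>/<repo>/files/<id>/<name>` form and a newer `/user-attachments/...` form) are assumptions about how GitHub hosts comment uploads and should be verified against live links before the rule goes into a mail filter; the sample email, organisation, repository and file names are constructed.

```python
"""Flag links in an email body that point at GitHub comment attachments
rather than at versioned repository content.

Added example for this article, not vendor or project code. The URL shapes
matched below are assumptions about GitHub's attachment hosting (legacy:
/<owner>/<repo>/files/<id>/<name>; newer: /user-attachments/files|assets/...);
confirm them against real links before relying on the rule.
"""
import re
from urllib.parse import urlparse

# Loose URL matcher for free-text email bodies; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Extensions that are unusual for a legitimate comment attachment (constructed list).
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".js", ".iso", ".img", ".lnk"}


def classify_github_url(url: str) -> str:
    """Return one of: not_github, comment_attachment, repo_content, other_github."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in {"github.com", "www.github.com"}:
        return "not_github"
    parts = [p for p in parsed.path.split("/") if p]
    # Assumed legacy attachment path: /<owner>/<repo>/files/<numeric id>/<filename>
    if len(parts) == 5 and parts[2] == "files" and parts[3].isdigit():
        return "comment_attachment"
    # Assumed newer attachment path, hosted outside any repository namespace
    if parts[:1] == ["user-attachments"] and len(parts) >= 3 and parts[1] in {"files", "assets"}:
        return "comment_attachment"
    # Content that is actually part of a repository's versioned tree or releases
    if len(parts) >= 3 and parts[2] in {"blob", "raw", "tree", "releases", "archive"}:
        return "repo_content"
    return "other_github"


def find_suspicious_links(body: str) -> list[dict]:
    """Extract every GitHub comment-attachment link from an email body."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")
        if classify_github_url(url) != "comment_attachment":
            continue
        parts = [p for p in urlparse(url).path.split("/") if p]
        name = parts[-1]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        findings.append({
            "url": url,
            # The repository whose reputation the link borrows, if any
            "repo": "/".join(parts[:2]) if parts[0] != "user-attachments" else None,
            "filename": name,
            "risky_extension": ext in RISKY_EXTENSIONS,
        })
    return findings


# Constructed sample: a tax-themed lure with three GitHub links of different kinds.
SAMPLE_EMAIL = """Subject: Your 2023 tax statement is ready (constructed sample)

Please download the signed statement here:
https://github.com/example-org/tax-forms/files/12345678/Tax_Return_2023.zip
Reference guidance: https://github.com/example-org/tax-forms/blob/main/README.md
Receipt: https://github.com/user-attachments/files/87654321/receipt.pdf.
"""

if __name__ == "__main__":
    for hit in find_suspicious_links(SAMPLE_EMAIL):
        flag = "RISKY" if hit["risky_extension"] else "review"
        print(f"[{flag}] {hit['url']} (repo: {hit['repo']})")
```

Only the two attachment-style links are reported; the `blob/main/README.md` link is recognised as reviewed repository content and left alone. In a mail pipeline the archive attachment would be the one to quarantine or detonate, while the PDF would be a lower-priority review item.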
The discovery of a critical authentication bypass vulnerability in GitLab, affecting various versions of the platform, further highlights the attention repositories like GitHub and GitLab are drawing from both researchers and threat actors. The vulnerability allows attackers to access GitLab as any user, which puts the security and integrity of code repositories and development pipelines at risk. With attacks on these platforms increasing, users and organizations must remain vigilant and implement robust security measures to protect their sensitive data and assets.
In conclusion, the incidents involving GitHub and GitLab underscore the evolving threat landscape in software development and collaboration environments. As threat actors continue to exploit vulnerabilities and leverage trusted platforms for their malicious activities, stakeholders must prioritize security and adopt proactive defense strategies to mitigate risks and safeguard their digital infrastructure.
