The popularity of Github has made it too big to block, which is a boon to dissidents ducking government censors but a problem for internet security.
GitHub says it is used by more than 100 million developers around the world. Its popularity and utility ensures that the site is “relatively immune to Chinese censorship efforts,” according to the Electronic Frontier Foundation. GitHub’s reach, however, also makes its various services appealing to those looking to distribute malware to the largest possible audience.
In a report published on Thursday, security shop Recorded Future warns that GitHub’s infrastructure is frequently abused by criminals to support and deliver malware. And the abuse is expected to grow due to the advantages of a “living-off-trusted-sites” strategy for those involved in malware.
GitHub, the report says, presents several advantages to malware authors. For example, GitHub domains are seldom blocked by corporate networks, making it a reliable hosting site for malware.
The cloud code host is also likely to be familiar to those crafting harmful software, based on prior legitimate usage. What’s more, GitHub can be used without typical web hosting fees or domain registration costs, it’s reliable, and there’s not much vetting when new accounts are created.
There are disadvantages, however. Lack of PHP backend services limits PHP-based phishing kits, Also GitHub is highly visible and does have a security team that’s considered fairly adept. And the site imposes file size and bandwidth limits that can constrain attack resources.
Criminals, according to the Recorded Future’s Insikt Group, often rely on GitHub for payload delivery, dead drop resolving of code, data exfiltration, and command-and-control operations.
“Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult,” the report says.
The security outfit cites numerous examples in which GitHub has been used to stage or distribute malicious files, such as Qualys’ January 2023 report on Excel spreadsheets used as bait to spread BitRAT, Morphisec Labs’ June 2023 account of a phishing campaign that relied on a PowerShell script to fetch the GuLoader shellcode from a GitHub Pages site, and an August 2023 case found by security researcher 0xToxin that utilized a PowerShell script found on raw[.]githubusercontent[.]com.
The Recorded Future report further describes the code hosting site’s utility for dead drop resolving (hosting information related to command-and-control infrastructure), and for running command-and-control servers.
Reliance on this “living-off-trusted-sites” strategy is likely to increase and so organizations are advised to flag or block GitHub services that aren’t normally used and could be abused. Companies, it’s suggested, should also look at their usage of GitHub services in detail to formulate specific defensive strategies.
“This challenge affects services across the industry,” a GitHub spokesperson told The Register.
“With 100M+ developers on the platform building across 420M+ repositories, we have teams dedicated to detecting, analyzing, and removing content that violates our Acceptable Use Policies. We employ manual reviews and at-scale detections that use machine learning and continue to evolve and adapt against adversarial tactics. We also encourage everyone to report abuse and spam.” ®