
GitHub Is Under Attack

Posted in Commentary on March 1, 2024 by itnerd

Bad news for developers. GitHub is being besieged by millions of malicious repositories in an ongoing attack:

Similar to dependency confusion attacks, malicious actors get their target to download their malicious version instead of the real one. But dependency confusion attacks take advantage of how package managers work, while repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well. 

In this case, in order to maximize the chances of infection, the malicious actor is flooding GitHub with malicious repos, following these steps:

  1. Cloning existing repos (for example: TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot, and hundreds more).
  2. Infecting them with malware loaders.
  3. Uploading them back to GitHub with identical names.
  4. Automatically forking each thousands of times.
  5. Covertly promoting them across the web via forums, Discord, etc.

And:

Once unsuspecting developers use any of the malicious repos, the hidden payload unpacks seven layers of obfuscation, which also involves pulling malicious Python code and later a binary executable. The malicious code (largely a modified version of BlackCap-Grabber) would then collect login credentials from different apps, browser passwords and cookies, and other confidential data. It then sends it back to the malicious actors’ C&C (command-and-control) server and performs a long series of additional malicious activities.
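As an added example (not from Apiiro's report or from this post), here is a small Python triage heuristic that turns the pattern described above into a defender-side check: it flags repositories that reuse a known project's exact name under a different owner, were created recently, and show an abnormal fork burst, and it verifies whether a clone URL points at the canonical owner. The owner names, repository list and thresholds are constructed sample data.

```python
"""Repo-confusion triage heuristic (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Repo:
    owner: str
    name: str
    created: datetime
    forks: int


# Assumption: a maintained allowlist of canonical owners for projects you depend on.
# Owner names here are placeholders, not the real maintainers.
KNOWN_ORIGINALS = {"TwitterFollowBot": "maintainer-a", "discord-boost-tool": "maintainer-b"}

NOW = datetime(2024, 3, 1)
SAMPLE_REPOS = [  # constructed catalogue, e.g. from an API sweep fed into a SIEM
    Repo("maintainer-a", "TwitterFollowBot", datetime(2015, 1, 1), 1200),
    Repo("fresh-account-77", "TwitterFollowBot", datetime(2024, 2, 27), 4000),
    Repo("someone", "unrelated-tool", datetime(2024, 2, 1), 5),
]


def forks_per_day(repo: Repo, now: datetime) -> float:
    age_days = max((now - repo.created).total_seconds() / 86400, 1 / 24)  # floor at one hour
    return repo.forks / age_days


def repo_confusion_findings(repos, known, now, max_age_days=30, fork_rate_threshold=100.0):
    """Return (owner/name, reasons) for repos that look like name-squatting clones."""
    findings = []
    for r in repos:
        canonical = known.get(r.name)
        if canonical is None or r.owner == canonical:
            continue  # unknown project, or the genuine upstream itself
        reasons = ["identical name to a known project but different owner"]
        if now - r.created <= timedelta(days=max_age_days):
            reasons.append(f"created within the last {max_age_days} days")
        rate = forks_per_day(r, now)
        if rate >= fork_rate_threshold:
            reasons.append(f"fork burst: {rate:.0f} forks/day")  # step 4 in the report
        findings.append((f"{r.owner}/{r.name}", reasons))
    return findings


def remote_is_canonical(url: str, known) -> bool:
    """Check a git remote (https://github.com/o/r.git or git@github.com:o/r.git) against the allowlist."""
    if "github.com" not in url:
        return False
    owner, _, rest = url.split("github.com", 1)[1].lstrip(":/").partition("/")
    name = rest.removesuffix(".git").strip("/")
    return bool(name) and known.get(name) == owner
```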

Ken Westin, Field CISO at Panther Labs, had this to say:

We at Panther have seen an increase in software supply chain attacks, where developers, code and cloud infrastructure are increasingly becoming a target. We have seen this with APT groups such as Lazarus out of North Korea, as well as financially motivated cybercrime groups. The goal of the attacks is often to infect code upstream to then target customers downstream, or in this case to steal credentials and authentication cookies with the hopes of gaining privileged access to applications, code and secrets. Many organizations do not consider monitoring data sources such as GitHub in their SIEM and often do not have visibility into potential security compromises of code or developers’ workstations and infrastructure.

The report from Apiiro has a lot of detail on the attack and its indicators of compromise, along with steps for protection. Developers should read it and act accordingly.