Cybersecurity researchers at Trend Micro demonstrated how a GitHub software development container system can be used as a malware distribution platform. The feature, called Codespaces, was launched in November last year, with the pointed issue ensuring that exploits bypass even security software, due to their legitimate origin.
- How do security and usability work in remote software development?
- 6 programming languages that favor the development of safe environments
Officially, the platform serves to facilitate the creation of virtualization environments, with writing, editing and testing codes directly in the browser, from the cloud. In the attack’s proof of concept, however, the technology appears to serve as a web server for the distribution of viruses and malicious code, from URLs that allow access to applications running through a given port.
On the other hand, it would be enough for the criminal to configure a simple server to house malicious scripts or malware, opening the ports of his Codespace publicly and sending the link to the attack targets. The URL can even use the HTTPS protocol to convey a false sense of security, while the lack of authentication causes the victim to fall directly into an eventual scam.
According to Trend Micro, the attack would be largely effective since the address used in the exploit is official, from the development platform, and not only would it be released by security software, but it is a resource widely known by companies and workers in the sector. The appearance of reliability is an important accessory of the scam, which can be distributed through phishing emails or messages on communication apps or social networks.
Targeted strikes can also be performed from this method, with Trend Micro’s proof of concept also including an instance that was deleted a minute and a half after being accessed. Thus, criminals would be able to cover their tracks after contamination, making it difficult to investigate or monitor campaigns in progress.
New but known path
The use of reliable systems as a cybercrime weapon is known and seen by the criminals themselves as a good way to make victims. While GitHub’s container system is the subject of Trend Micro’s proof of concept, different schemes have also been seen using the infrastructure of other platforms in the field, such as Azure, also from Microsoft, Google Cloud or Amazon Web Services.
They are also interesting attacks for criminals, who don’t even need to configure their own domains and hosting for malicious links, something that would increase the chance of detection by security software. It would be enough to automate the creation of accounts and even the assembly of containers so that everything would be ready for exploits.
In response to the study, GitHub thanked the experts for their contribution and said it will add an alert to users when accessing a Codespace, so that they can verify the reliability of the link before moving on. In addition, the company has provided guides for best development and security practices so that developers can better protect their work environments.
Source: TrendMicro. With information from the Bleeping Computer.