Hackers take advantage of a technical flaw in GitHub to spread their malware


Mélina LOUPIA

April 22, 2024 at 2:35 p.m.


Hackers hide malware in comments using URLs associated with Microsoft repositories © Maor_Winetrob / Shutterstock


This flaw allows hackers to hide malware in comments using URLs associated with Microsoft repositories.

GitHub may be considered secure thanks to two-factor authentication, but it is a developer's paradise, and therefore also a paradise for any hacker looking to distribute malware.

This time, though, the cybercriminals did not exploit a vulnerability or push corrupted files through malicious advertising. They found a design flaw in GitHub's comment system: a sneaky technique that lets them distribute malware through URLs associated with Microsoft repositories. The download links look legitimate and the files appear harmless, but they are malicious.

While Microsoft and GitHub have not yet reacted or fixed this flaw, Clubic offers some advice to avoid being trapped.

Hackers abuse the comments feature to spread highly convincing lures

So how do hackers manage to fool GitHub users to this extent?

They exploit a small design flaw in the way comments work. When a user writes a comment on GitHub, they can attach a file. That file is uploaded to GitHub's CDN (Content Delivery Network) and tied to the project through a unique URL of the following form:

https://github.com/{project_username}/{repository_name}/files/{file_id}/{file_name}

Imagine a hacker who uploads a malware executable to the NVIDIA driver installation repository, and posts in the comments that it is a new update to resolve bugs in a video game. Or, a malicious file added as a comment to the Google Chromium source code, posing as a new test version of the web browser. These URLs would appear to belong to these companies’ repositories, making them more credible and deceptive because they have the same structure as legitimate URLs.

GitHub generates this download link as soon as the file is added to the comment, even before the comment is posted. The attacker therefore never has to publish anything: any file can be attached to any repository, the resulting URL carries that repository's name, and the project owners see nothing.

Hackers can attach their malware to any repository © VideoBCN / Shutterstock


How to protect yourself from the persistence of these malicious URLs

The problem with these URLs attached to comments is that they are stubborn. Even if the comment is never published, or is deleted after being posted, the file is not removed from GitHub's CDN and the download URL keeps working indefinitely. Because the repository name is part of the URL, the flaw lets hackers build extremely convincing and trustworthy-looking lures.

Sergei Frankoff, a specialist at UnpacMe, an automated malware analysis service, recently streamed a demonstration of this technique on Twitch.

So how can you avoid being tricked? The first precaution is to check the URL before downloading any file linked from a comment. A link of the form github.com/{owner}/{repo}/files/... means the file was attached to a comment, not published by the project: anyone with a GitHub account could have uploaded it. Make sure the file comes from a reliable source, for example by checking the project's official releases, asking other GitHub users, or searching the web for information about the file and its purpose.
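One way to apply this check is to classify a download link before fetching it. The following Python script is an added example written for this article, not code from GitHub, Clubic or the researchers mentioned. It distinguishes the comment-attachment URL shape described above from the release-asset shape (github.com/{owner}/{repo}/releases/download/{tag}/{asset}, an assumption based on GitHub's public URL layout) and flags attachments whose file name ends in an executable or archive extension. The sample URLs are constructed for illustration and are not real indicators.

```python
"""Classify GitHub download links so that a file attached to a comment is not
mistaken for a file the repository owner actually published.

Added example for this article, not code from GitHub, Clubic or the
researchers it cites. The release-asset URL shape below is an assumption
based on GitHub's public URL layout; the sample URLs are constructed.
"""
import re
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse

# Comment attachment, the shape described in the article:
#   https://github.com/{owner}/{repo}/files/{file_id}/{file_name}
# Anyone with a GitHub account can create such a URL under any repository
# simply by attaching a file to a comment draft.
ATTACHMENT_RE = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/([^/]+)/?$")

# Release asset (assumed shape): uploaded by someone with write access to the
# repository, so it actually reflects the project's own publications.
#   https://github.com/{owner}/{repo}/releases/download/{tag}/{asset}
RELEASE_RE = re.compile(r"^/([^/]+)/([^/]+)/releases/download/([^/]+)/([^/]+)/?$")

# Extensions that a "driver update" or "test build" lure would typically carry.
RISKY_EXTENSIONS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".vbs",
                    ".js", ".dll", ".zip", ".rar", ".7z", ".iso"}


def classify_github_url(url: str) -> dict:
    """Return kind, owner, repo, file_name and an optional warning for a URL."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host.startswith("www."):          # www.github.com redirects to github.com
        host = host[4:]
    info = {"url": url, "kind": "not_github", "owner": None, "repo": None,
            "file_name": None, "warning": None}
    if host != "github.com":
        return info

    m = ATTACHMENT_RE.match(parsed.path)
    if m:
        owner, repo, _file_id, name = m.groups()
        info.update(kind="comment_attachment", owner=owner, repo=repo,
                    file_name=unquote(name))
        info["warning"] = (
            f"attached to a comment under {owner}/{repo}; any GitHub user can "
            "create this URL, so the repository owner did not necessarily "
            "publish the file")
        return info

    m = RELEASE_RE.match(parsed.path)
    if m:
        owner, repo, _tag, name = m.groups()
        info.update(kind="release_asset", owner=owner, repo=repo,
                    file_name=unquote(name))
        return info

    info["kind"] = "other_github"
    return info


def is_suspicious_attachment(url: str) -> bool:
    """True when the link is a comment attachment with a risky extension."""
    info = classify_github_url(url)
    if info["kind"] != "comment_attachment":
        return False
    return PurePosixPath(info["file_name"]).suffix.lower() in RISKY_EXTENSIONS


# Constructed sample links (not real indicators) in the shapes handled above.
SAMPLE_URLS = [
    "https://www.github.com/example-org/driver-tools/files/1234567/Driver.Update.Installer.zip",
    "https://github.com/example-org/driver-tools/releases/download/v2.1.0/driver-tools-2.1.0.zip",
    "https://github.com/example-org/driver-tools/files/1234568/bug-report.txt",
    "https://example.com/downloads/update.exe",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        info = classify_github_url(sample)
        flag = "SUSPICIOUS" if is_suspicious_attachment(sample) else "ok"
        print(f"{flag:10} {info['kind']:18} {sample}")
        if info["warning"]:
            print(f"{'':10} {info['warning']}")
```

Running the script prints a verdict for each sample. The point it makes is that the owner and repository names in the path say nothing about who uploaded a comment attachment; only the release-asset path reflects something the project itself published.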

Next, monitor your repositories. Be alert for suspicious activity in your GitHub projects and flag any unknown files. Finally, if you work in a team, warn your colleagues about this new malware distribution campaign.

Forewarned is forearmed.


Sources: Bleeping Computer, Sergei Frankoff's X account

Mélina LOUPIA


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
