Cybercriminals are exploiting GitHub, a widely used platform for code and file sharing, to carry out their nefarious activities, experts have warned. These threat actors are leveraging GitHub’s trusted status to distribute malicious files and orchestrate phishing scams, employing a strategy known as “living-off-the-land” (LotL) that has been adapted into “living-off-trusted-sites” (LOTS), according to a report by Recorded Future.
The abuse of GitHub primarily involves payload delivery, with techniques such as dead drop resolving (DDR) and command-and-control (C2) operations being prevalent. DDR uses legitimate services to store data that points to malicious domains, leading unsuspecting users to the cybercriminals’ infrastructure. Meanwhile, C2 channels are being hidden within GitHub so that malicious traffic blends with legitimate traffic, making it challenging to detect and trace.
Recorded Future’s report indicates that this trend of LOTS is on the rise among Advanced Persistent Threats (APTs) and is likely to be adopted by less sophisticated groups. The report suggests that as these attacks increase, legitimate internet services (LIS) will become a new risk vector for third-party customers. Effective mitigation will require advanced detection methods, comprehensive visibility, and diverse detection angles.
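One of the “diverse detection angles” the report calls for can be applied to ordinary web-proxy logs: an implant that uses a GitHub-hosted file as a dead drop or C2 channel tends to re-fetch the same raw-content URL on a fixed schedule, with a non-developer client. The following is an added example written for this article, not code from Recorded Future or GitHub; the log format, the host list, the “expected” user-agent patterns and the sample lines are all constructed assumptions that would need tuning for a real estate (curl-driven install scripts, for instance, will match the user-agent rule).

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# GitHub hosts that serve raw file content, i.e. what an implant would poll
# for a dead-drop pointer or C2 tasking (assumed list; extend for your estate).
CONTENT_HOSTS = ("raw.githubusercontent.com", "gist.githubusercontent.com",
                 "objects.githubusercontent.com", "api.github.com")
# Clients that legitimately touch those hosts in a developer estate (assumption).
EXPECTED_UA = re.compile(r"^(Mozilla/|git/|GitHub Desktop)")
# Constructed proxy log format: epoch_seconds src_host user_agent url
LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

SAMPLE_LOG = """\
1700000000 ws-17 Mozilla/5.0 https://github.com/acme/app/pull/42
1700000060 ws-17 Mozilla/5.0 https://github.com/acme/app/pull/42/files
1700000000 ws-23 curl/8.4 https://raw.githubusercontent.com/u1/repo/main/cfg.txt
1700000300 ws-23 curl/8.4 https://raw.githubusercontent.com/u1/repo/main/cfg.txt
1700000600 ws-23 curl/8.4 https://raw.githubusercontent.com/u1/repo/main/cfg.txt
1700000900 ws-23 curl/8.4 https://raw.githubusercontent.com/u1/repo/main/cfg.txt
1700001000 ws-05 git/2.43 https://github.com/acme/app.git/info/refs
"""

def parse(log_text):
    """Turn constructed log lines into (ts, src, user_agent, url) tuples."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, ua, url = m.groups()
            rows.append((int(ts), src, ua, url))
    return rows

def is_content_url(url):
    return url.split("/", 3)[2] in CONTENT_HOSTS

def find_polling(rows, min_hits=3, max_jitter=0.2):
    """Flag (src, url) pairs that fetch GitHub raw content at a near-constant
    interval (coefficient of variation <= max_jitter) or with an unexpected client."""
    series = defaultdict(list)
    for ts, src, ua, url in rows:
        if is_content_url(url):
            series[(src, url)].append((ts, ua))
    findings = []
    for (src, url), hits in series.items():
        hits.sort()
        reasons = []
        uas = {ua for _, ua in hits}
        if not any(EXPECTED_UA.match(ua) for ua in uas):
            reasons.append("unexpected user agent: " + ", ".join(sorted(uas)))
        if len(hits) >= min_hits:
            gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"{len(hits)} fetches every ~{avg:.0f}s")
        if reasons:
            findings.append({"src": src, "url": url, "reasons": reasons})
    return findings
```

Running `find_polling(parse(SAMPLE_LOG))` reports only ws-23, whose curl client fetches the same raw file every 300 seconds; the browser and git traffic to github.com is left alone.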
Currently, there is no definitive solution to prevent the misuse of GitHub by threat actors. However, the responsibility for detecting such abuse may shift towards LIS providers, who have better oversight of their services’ usage. This shift would potentially lead to improved identification and handling of malicious activities on platforms like GitHub.
Read more at TechRadar…