January 17, 2023Rabbi LakshmananThreat Response / Malware

New research has found that attackers can abuse legitimate functionality of GitHub Codespaces to deliver malware to victims’ systems.

GitHub codespace is a cloud-based, configurable development environment that enables users to debug, maintain, and commit changes to a specific codebase from a web browser or via Visual Studio Code integration.

It also provides port forwarding capabilities that allow web applications running on specific ports in your codespace to be accessed directly from your browser on your local machine for testing and debugging purposes.

“Manually forward ports, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, or add forwarded ports to codespace You can also add it to your configuration.” GitHub I will explain in that document.

this is important Note that exposed forwarded ports also allow anyone who knows the URL and port number to view the running application without authentication.

GitHub codespace

Additionally, GitHub Codespaces uses HTTP for port forwarding. If a publicly visible port is updated to use HTTPS, or removed and re-added, the port’s visibility automatically changes to private.

Cyber ​​Security Company Trend Micro found Such publicly shared forwarded ports can be abused to create malicious file servers using GitHub accounts.

“In the process, these exploited environments will not be flagged as malicious or suspicious, even if they serve malicious content (scripts, malware, ransomware, etc.), and organizations will We may consider these events harmless or false positives,” the researchers said. said Nitesh Surana and Magno Logan.

In a proof-of-concept (PoC) exploit demonstrated by Trend Micro, an attacker creates a codespace, downloads malware into an environment from an attacker-controlled domain, sets the visibility of forwarded ports to public, An application that acts as a web server that hosts payloads.

GitHub codespace

To make matters worse, attackers can extend this method to deploy malware and compromise the victim’s environment. This is because each codespace domain associated with an exposed port is unique and less likely to be flagged as malicious by security tools.

“Using such scripts, attackers can exploit GitHub Codespaces to rapidly serve malicious content by exposing ports in the codespace environment,” the researchers explained. I’m here.

While this technique has not yet been observed in the wild, the findings are a reminder of how attackers can weaponize cloud platforms for profit and to carry out a range of illegal activities.

“Cloud services offer benefits for both legitimate users and attackers,” conclude the researchers. “The capabilities offered to legitimate subscribers will also be available when using resources provided by threat actors. [cloud service provider].”

Did you find this article interesting?Please follow us twitter When LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog