GitHub – a new social network for cybercriminals

Brother

Recorded Future highlights the global growth of the threat posed by the abuse of legitimate platforms.

According to a recent report by Recorded Future, the developer platform GitHub has recently become a popular tool for hackers who use it to host and deliver malware.

The platform lets attackers blend their activity into legitimate network traffic, which makes it harder to track and identify them.

Experts call this tactic "Living Off Trusted Sites" (LOTS), a variant of the "Living off the Land" (LotL) technique that attackers often use to hide malicious activity.

The most common way to abuse GitHub is to deliver malware. For example, ReversingLabs last month reported a number of fake Python packages that received malicious commands from secret GitHub repositories.

Although full-fledged command-and-control (C2) implementations on GitHub are less common than other infrastructure schemes, using the platform as a "dead drop" to retrieve the URL of the C2 servers is much more common. Using GitHub for data exfiltration is rare but still observed; according to Recorded Future, this is due to file size restrictions and fear of detection.

In addition to these schemes, attackers use GitHub in various other ways, including hosting phishing pages or traffic redirectors on GitHub Pages, as well as using it as a backup command-and-control channel.

The Recorded Future report highlights the general trend of attackers exploiting legitimate Internet services, such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, Discord, and various source code management platforms, including GitLab, BitBucket, and Codeberg.

Recorded Future points out that there is no universal solution for detecting abuse of popular services. A combination of detection strategies is required, depending on the specific environment, log availability, organization structure, service usage patterns, and risk level.
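One concrete detection strategy of the kind the report calls for, as an added example that is not from the report or this post: a small Python heuristic over constructed proxy records that flags raw GitHub content fetched by processes outside an assumed developer-tool allowlist, and a host repeatedly polling one raw file (the dead-drop pattern described above). The log format, hostnames, process allowlist and sample records are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# GitHub hostnames that serve raw file content; fetches of these outside normal
# developer tooling are the signal to investigate (set is an assumption).
RAW_CONTENT_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com"}
# Processes expected to talk to GitHub on a workstation (assumed allowlist).
EXPECTED_PROCESSES = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample proxy records, one per line: "<time> <src_host> <process> <url>".
SAMPLE_LOG = """\
2024-01-10T09:00:01 dev-ws-01 git.exe https://github.com/org/repo.git/info/refs
2024-01-10T09:02:15 dev-ws-01 chrome.exe https://raw.githubusercontent.com/org/repo/main/README.md
2024-01-10T09:05:00 fin-pc-07 rundll32.exe https://raw.githubusercontent.com/x9/notes/main/cfg.txt
2024-01-10T09:10:00 fin-pc-07 rundll32.exe https://raw.githubusercontent.com/x9/notes/main/cfg.txt
2024-01-10T09:15:00 fin-pc-07 rundll32.exe https://raw.githubusercontent.com/x9/notes/main/cfg.txt
2024-01-10T09:20:00 hr-pc-02 powershell.exe https://gist.githubusercontent.com/u/abc/raw/run.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_records(text):
    """Yield (time, host, process, url) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def find_suspicious(text, min_polls=3):
    """Return alerts: raw-content fetches by unexpected processes (deduplicated
    per host/process/url) and hosts polling the same raw file min_polls+ times."""
    alerts, seen, polls = [], set(), Counter()
    for _time, host, proc, url in parse_records(text):
        if urlparse(url).hostname not in RAW_CONTENT_HOSTS:
            continue  # ordinary git/web traffic to github.com is out of scope here
        key = (host, proc, url)
        if proc.lower() not in EXPECTED_PROCESSES and key not in seen:
            seen.add(key)
            alerts.append(("unexpected-process", host, proc, url))
        polls[(host, url)] += 1
    for (host, url), n in polls.items():
        if n >= min_polls:
            alerts.append(("repeated-poll", host, f"{n} fetches", url))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(*alert)
```

Tune the allowlist and the polling threshold to the environment; on a developer-heavy network the second rule will matter more than the first.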