According to the Netskope Cloud and Threat Report: 2022 Year In Review, cloud-delivered malware has continued rising over the past year, ending the last 12 months 10 points higher than in 2021. Cloud-delivered malware peaked in Q4 2022 when nearly half of the malware downloads (48%) originated from 401 distinct legitimate cloud apps, led by Microsoft OneDrive, almost three times higher than in 2021. The remaining 52% of malware downloads still originated from traditional websites. This growth is trending into 2023 as the percentage of cloud-delivered malware hit 58%, 63% and 58% during January, February and March of this year, respectively.
GitHub, as one of the cloud apps within the Microsoft ecosystem, is consistently among the top exploited services, but what stands out with this specific application is its flexibility, which seems to be particularly compelling for attackers who are constantly looking for new evasion techniques to conceal their malicious intentions and make life harder for human security analysts and automated detection tools.
Because of the flexibility, the abuse of GitHub, especially by state-sponsored threat actors, is not limited to malware distribution. This might sound quite obvious given its nature of being a hosting service for (malicious) software development and version control.
It allows attackers to create sophisticated multi-stage attack chains where GitHub plays an intermediate role. For example, attackers would use GitHub to retrieve the information of the real command and control infrastructure – a cloud-native version of the Dead Drop Resolver technique – or the authentication token in case the C2 infrastructure is hosted on a legitimate cloud service that requires authentication at the API level.
This latter technique was leveraged in 2022 during a cluster of activity dubbed Earth Yako, carried out by an advanced threat actor particularly active against organizations in Japan since 2021. The threat actor behind these intrusion sets is among those who have fully understood the dark side of legitimate cloud applications exploited for malicious purposes by combining them in intricate attack chains.
The campaigns unearthed throughout 2022 have a common denominator in the cloud, particularly in exploiting Dropbox API-based backdoors to exfiltrate data: TransBox, deployed in a March 2022 campaign, PlugBox, deployed in a June 2022 campaign and ShellBox, deployed in a July 2022 campaign. All have this same characteristic, especially with ShellBox, where the attackers unleashed their creativity by introducing GitHub to potentially complicate analysts’ investigation operations further.
Despite this backdoor abusing the Dropbox API to exfiltrate data, it does not directly contain an Access Token or Refresh Token for the API. It first needs to access a specific GitHub repository to obtain the URL where the Access Token is hosted in a process that connects to the exfiltration zone after multiple redirections.
Different threat actors, including state-sponsored groups, use different cloud services for exfiltration and use GitHub similarly, such as a campaign in 2022 carried out by the Chinese group Mustang Panda. In this case, the threat actors used a GitHub repository to store the Token used to authenticate the access to Google Drive, exploited as the exfiltration zone in a multi-stage attack with many similarities to the one used by Earth Yako.
This is an additional example of how several cloud services can be combined during the exfiltration to make detection harder. However, a similar mix of cloud services might also be used during the delivery of the malicious payload and not only during the exfiltration phase. As a leopard cannot change its spots, this year, another GitHub repository from the same user (YanNaingOo0072022) was used in a January 2023 campaign by the same threat actor targeting governmental organizations in Europe and Asia.
But the most noteworthy example is a recent supply chain attack by suspected state-sponsored threat actors from North Korea, affiliated with the infamous Lazarus Group, who compromised the voice and video calling desktop client 3CX DesktopApp to distribute malware and target additional victims. In this case, GitHub was part of a complex multi-stage attack chain where the trojanized 3CX client downloaded apparently innocuous icon files from GitHub. The icon files had Base64 data appended at the end, which were then decoded and used to download an unknown information stealer in the next stage of the attack.
This is another example of a complex attack chain where GitHub is exploited to add an additional level of evasion. For the record, GitHub seems to be one of the preferred cloud services weaponized by the same threat actors since it was first used as a command and control for a January 2022 campaign targeting job seekers via decoy documents masquerading as the global security and aerospace giant Lockheed Martin. It was also utilized as a dead drop resolver, an intermediate hop to retrieve the coordinates of the real command and control in a July 2022 campaign discovered by the Japan CERT (JPCERT).
Lessons to Learn
The examples above demonstrate that threat actors increasingly exploit legitimate cloud services like GitHub in complex multi-stage attack chains. It is now paramount for organizations to have granular visibility over all web and cloud traffic and enforce context-aware policies up to the instance level, which can drastically reduce the attack surface.
All the traffic, whether web or cloud, must be scanned with the same security controls, removing the concept of implicit trust. Such policies include blocking or coaching the users on specific activities, such as uploading or downloading content for cloud applications not used by the organization and for non-corporate instances of applications used within the corporate perimeter. This can mitigate the risk that external instances of corporate services, such as the rogue GitHub instances mentioned above, are being weaponized to harm the enterprise.
Editorial image credit: Gil C / Shutterstock.com