Skip to content

Potential Insecure “Actions” of GitHub Repositories

Posted by Trevagh Stankard on Thu, Jun 3rd, 2021

Cybercriminals are innovative creatures. They will search for exploits in places that users may never suspect. Over the years, many of these exploits have made use of existing, legitimate, processes and infrastructures. Take certificate authorities (CAs), for example. A CA is an organization that checks the validity of an organization before issuing them a digital certificate: the certificate providing trusted and secure transactions. One infamous example of where this infrastructure was hacked was the Dutch Certification Authority, DigiNotar. Back in 2011, a security breach resulted in the illegitimate issuing of certificates, then used for fraudulent purposes. More recently, fraudsters have hijacked the darling of the development community, the GitHub infrastructure.

The Lure of GitHub

GitHub has been around since 2008. In that time, it has seen explosive growth amongst developers and companies, alike, to host, share, and work on software code. Both open source and proprietary code use GitHub as the development platform of choice. GitHub is hugely popular, and there are currently over 100 million code repositories on GitHub.

This massive GitHub user base along with its treasure trove of software code is a lure for cybercriminals. Fraudsters are using this as a basis for several attack types, including:

Ransoms: In 2019, hackers broke into around 392 separate repositories and removed source code and recent commits, replacing them with a ransom note demanding payment of 0.1 Bitcoin (~$570 at the time).

Backdoor: GitHub is used to commit updates to source code. In a recent hack, backdoored code was pushed to the official PHP repository - PHP is used extensively by web developers. The code allowed a remote takeover of any website that uses PHP with the consequence of an infected website that could potentially be used to infect millions of visitors.

Code injection: GitHub contains vendor software that is widely distributed to customers. By using this software as a platform for the delivery of malicious code, cybercriminals can piggyback on legitimate software to exact their malicious ends. One such case is the exploit of a vulnerability in the GitHub located code of Codecov, a company that provides code testing products. Cybercriminals were able to gain access to the Bash Uploader script of Codedev and make illegitimate changes. The result was the insertion of malicious code used to steal authentication tokens and other sensitive data from users.

Mining for GitHub Actions Crypto

GitHub Actions is a feature of GitHub that provides a CI/CD workflow pipeline for software delivery into production. It is a key infrastructure in GitHub that automates software workflow. In a recent exploit, researchers at Google Project Zero located a design flaw in GitHub Actions. This flaw has the potential to provide a hacker with write access to a repository, allowing them to reveal encrypted secrets, therein. One of the researchers, Felix Wilhelm demonstrated the vulnerability using Microsoft’s Visual Studio Code GitHub repository, where he was able to inject code which was then passed to the project’s new issue workflow.

The flaws in Actions continue to provide ways for cybercriminals to exploit the GitHub infrastructure. In the latest twist to code injection flaws and vulnerabilities in GitHub Actions, crypto-criminals have taken to GitHub to insert bit mining malware. The attacks have been happening since at least November 2020. The attack targets repositories running Actions, using the automatic execution of software workflows feature to insert malicious code into a software workflow. The process used by the hackers is slick: the malicious GitHub Actions code is initially forked from original workflows, but then a Pull Request merges the code back, along with the crypto miner code. The key to the attack uses GitHub’s infrastructure to spread malware and mine cryptocurrency on GitHub’s servers. The vulnerability in Actions means that the attack does not require the repository owner to approve the Pull Request: The crypto-miner code, misnamed as npm.exe. is hosted on GitHub. The whole attack scenario is well thought through with a mechanism that has, so far, made a mockery of the critical infrastructure of GitHub.

Getting Into the Thick Of Critical IT

The concern inherent in this recent crypto mining attack on GitHub repositories, is that the cybercriminal is, yet again, using the inherent infrastructure of a system. Any gap in the corporate armor is exploitable. Battening down these infrastructure hatches is crucial to preventing cyber-attacks. Source code is a critical system and GitHub a critical infrastructure. Companies and vendors using GitHub should ensure they use best security practices. But even organizations not using GitHub as a source code repository may well be receiving source code hosted via GitHub. To reduce the possibility that your organization becomes a victim of malware you should employ Cyber Security best practices. People, processes, and technology are the tenets of cyber best practices, but adding in awareness of potential infrastructure hacks is vital to keeping your business cyber-safe.

Read Guide: Data Breach Prevention - How Companies Get Hacked!

Take the following actions to prevent cyberattacks:

  • Keeping employees from navigating to infected websites
  • Preventing staff from clicking malicious links or downloading malicious attachments
  • Making staff aware of security tricks and tactics with security training
  • Using GitHub security best practices when using the infrastructure to host source code

WebTitan Cloud DNS filter blocks malware, phishing, viruses, ransomware & malicious sites. Ensure your employees don’t navigate to malicious sites or download malicious attachments. Discover how WebTitan Cloud works and see how it can prevent your organisation from being hacked. View Demo.

Related Articles

Never Miss a Blog Post

Sign-up for email updates...

Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us