Malicious actors can abuse GitHub and other services that host Git repositories for stealthy attacks aimed at software developers, experts showed recently at the Black Hat security conference in Las Vegas.
Clint Gibler, security researcher at NCC Group, and Noah Beddome, security researcher and Director of Infrastructure Security at Datadog, have been testing the systems of organizations involved in software development and noticed that a key point of security failure in many cases was introduced by improperly managed or improperly understood trust relationships.
An in-depth analysis of the trust relationships between an organization, its developers, platforms and code revealed a series of security holes that can be exploited to evade the target’s defenses and gain persistent access to its systems.
Development-focused environments consist of workstations, general users, local and remote developers, version control systems, code repositories, continuous integration systems, and staging and production systems.
Gibler and Beddome showed that the trust relationships between these components, particularly in Agile software development environments, can introduce serious security risks if not managed properly. Furthermore, the experts warned that organizations can often introduce unintended levels of trust relationships – for example, removing security controls to get the job done faster and meet deadlines.
In order to demonstrate how these trust relationships can be abused, Gibler and Beddome created a penetration testing tool named GitPwnd. GitPwnd allows attackers to communicate with compromised devices via Git repositories, which store software history data.
Commands are sent to the hacked machine via the Git repository and the response is received over the same transport layer, making it less likely for the victim to notice the malicious traffic, which is disguised as operations that would normally be performed by a developer. GitPwnd uses GitHub to host the attacker’s Git repo, but the researchers pointed out that other services, such as BitBucket or GitLab, work just as well.
The attacker can create a copy of a popular repository to make communications as inconspicuous as possible. In order to further disguise the malicious traffic as normal user workflow, an attacker can abuse Git hooks, scripts that run automatically when a developer runs Git commands in a repo directory. And since hooks are not under version control, modifications made to them are not shown when using Git to determine local file changes, making the malicious code more difficult to detect.
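Because hook scripts live in `.git/hooks` rather than in the tracked tree, `git status` and `git diff` say nothing about them, so a defender has to look at the directory itself. The following audit script is an added example, not code from the article or from the GitPwnd project: it walks a directory of checkouts, lists every hook that Git would actually run (non-`.sample`, executable), records its size and SHA-256, and separates hooks a team deployed on purpose from ones nobody can account for. The `KNOWN_HOOKS` set, the allowlist format and the sample repository layout are assumptions made for this example; it only checks the default hook location, so a repository whose `core.hooksPath` config points elsewhere would need that path checked as well.

```python
"""Audit Git working copies for active (non-sample) hook scripts.

Added example for defenders: hooks are not versioned, so list them directly
instead of trusting `git status`. Assumes the default .git/hooks location.
"""
import hashlib
import os
import stat
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Hook names Git itself recognizes (assumed list for this example). Any other
# file in .git/hooks is still reported; an unknown name there is itself odd.
KNOWN_HOOKS = {
    "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit",
    "pre-merge-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive",
    "update", "post-receive", "post-update", "push-to-checkout",
    "pre-auto-gc", "post-rewrite", "sendemail-validate", "fsmonitor-watchman",
}

Finding = Dict[str, object]


def sha256_of(path: Path) -> str:
    """Hash a hook file so it can be compared against a known-good baseline."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def active_hooks_in(hooks_dir: Path) -> List[Finding]:
    """Return every non-sample file in one hooks directory.

    Git only runs hooks with the executable bit set, but a non-executable
    non-sample file is reported too: someone put it there for a reason.
    """
    results: List[Finding] = []
    for entry in sorted(hooks_dir.iterdir()):
        if not entry.is_file() or entry.name.endswith(".sample"):
            continue
        st = entry.stat()
        results.append({
            "repo": str(hooks_dir.parent.parent),   # <repo>/.git/hooks -> <repo>
            "hook": entry.name,
            "known_name": entry.name in KNOWN_HOOKS,
            "executable": bool(st.st_mode & stat.S_IXUSR),
            "symlink": entry.is_symlink(),           # hook pointing outside the repo
            "size": st.st_size,
            "sha256": sha256_of(entry),
        })
    return results


def audit_tree(root) -> List[Finding]:
    """Walk `root`, find every .git/hooks directory, and collect active hooks."""
    findings: List[Finding] = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) == ".git":
            hooks = Path(dirpath) / "hooks"
            if hooks.is_dir():
                findings.extend(active_hooks_in(hooks))
            dirnames[:] = []  # no need to descend further into .git internals
    return findings


def unexpected(findings: Iterable[Finding],
               allowlist: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Drop hooks whose (name, sha256) matches a deliberately deployed hook
    (for example a team lint hook); whatever remains needs an explanation."""
    allowed = set(allowlist)
    return [f for f in findings if (f["hook"], f["sha256"]) not in allowed]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in audit_tree(root):
        flag = "" if f["known_name"] else "  [unknown hook name]"
        print(f"{f['repo']}: {f['hook']} exec={f['executable']} "
              f"symlink={f['symlink']} size={f['size']} sha256={f['sha256']}{flag}")
```

Run it against a developer's source directory and feed the output into whatever inventory the team already keeps; a hook whose hash is not on the allowlist, or a hook name Git does not recognize, is the thing to ask the workstation's owner about. A scheduled run that diffs successive reports catches the case the article describes, where a hook changes while every tracked file stays clean.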
Once the attacker gains access to the victim’s systems, via spear-phishing or other methods, GitPwnd can automate this entire process. The hacker can then run arbitrary Python commands on compromised machines to silently steal information and complete other tasks.
GitPwnd is open source and available on GitHub. While malicious actors could abuse it, the researchers told SecurityWeek that it still takes a skilled attacker to use the tool effectively. Moreover, the tool is designed to be “noisy” on purpose in certain aspects to discourage abuse.
Attacks on software developers are not unheard of. A few months ago, security firms ESET and Palo Alto Networks reported that a threat group that had been targeting open source developers, particularly ones using GitHub, managed to stay under the radar for over three years.
As for abusing GitHub itself, the China-linked threat group known as Winnti has leveraged the service to obtain the IP address and port number of C&C servers used in attacks aimed at organizations in Southeast Asia.