GitHub Abuse: Threat Actors' New Playbook

admin, 14 January 2024 20:50:31, 15 views, 3032 characters, 10 min 6 s read


The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points.


"Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult," Recorded Future said in a report shared with The Hacker News.


The cybersecurity firm described the approach as "living-off-trusted-sites" (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar.


The most prominent way GitHub is abused is payload delivery, with some actors also leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.


While full-fledged C2 implementations in GitHub are uncommon in comparison to other infrastructure schemes, its use by threat actors as a dead drop resolver – wherein the information from an actor-controlled GitHub repository is used to obtain the actual C2 URL – is a lot more prevalent, as evidenced in the case of malware like Drokbk and ShellBox.


Also rarely observed is the abuse of GitHub for data exfiltration, which, per Recorded Future, is likely due to file size and storage limitations and concerns around discoverability.


Outside of these four main schemes, the platform's offerings are put to use in various other ways in order to meet infrastructure-related purposes. For instance, GitHub Pages have been used as phishing hosts or traffic redirectors, with some campaigns utilizing a GitHub repository as a backup C2 channel.


The development speaks to the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord being exploited by threat actors. This also includes other source code and version control platforms like GitLab, BitBucket, and Codeberg.


"There is no universal solution for GitHub abuse detection," the company said. "A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others."

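The dead drop resolver pattern described above (a compromised host repeatedly fetching a small file from an actor-controlled repository or gist to learn the real C2 address) leaves a recognisable trace in proxy logs, and the report's point that detection must be tuned to each environment's service usage patterns can be made concrete with a baseline-and-anomaly check. The script below is an added example written for this page; it is not code from Recorded Future, ReversingLabs or GitHub. The log format, hostnames, user agents and URLs are all constructed, and the heuristics (raw-content fetches from a non-developer user agent, at a regular interval, from a host with no ordinary git or browser use of GitHub) are assumptions about what a dead drop looks like in a given environment, not a universal rule:

```python
"""Baseline-and-anomaly check for GitHub dead-drop-resolver style traffic.

Flags hosts that fetch raw GitHub or gist content with a non-developer user agent,
at regular intervals, and that show no ordinary developer use of GitHub at all.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the report): "timestamp host user-agent url".
SAMPLE_LOGS = [
    "2024-01-10T09:00:00 ws-dev-01 git/2.43.0 https://github.com/org/repo.git/info/refs",
    "2024-01-10T09:05:12 ws-dev-01 Mozilla/5.0 (Windows NT 10.0) https://github.com/org/repo/pulls",
    "2024-01-10T09:06:00 ws-dev-01 Mozilla/5.0 (Windows NT 10.0) https://raw.githubusercontent.com/org/repo/main/README.md",
    "2024-01-10T09:00:00 ws-fin-07 python-requests/2.31 https://gist.githubusercontent.com/u/abc123/raw/cfg.txt",
    "2024-01-10T09:10:00 ws-fin-07 python-requests/2.31 https://gist.githubusercontent.com/u/abc123/raw/cfg.txt",
    "2024-01-10T09:20:00 ws-fin-07 python-requests/2.31 https://gist.githubusercontent.com/u/abc123/raw/cfg.txt",
    "2024-01-10T09:30:00 ws-fin-07 python-requests/2.31 https://gist.githubusercontent.com/u/abc123/raw/cfg.txt",
    "2024-01-10T09:02:00 ws-hr-03 Mozilla/5.0 (Windows NT 10.0) https://github.com/",
]

# Hosts that serve raw file content (assumed list; extend for your environment).
RAW_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
}
# User agents that normally appear when a developer or the git client talks to GitHub.
DEVELOPER_UA = re.compile(r"^(git/|Mozilla/)", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line; the user agent may itself contain spaces."""
    ts, host, rest = line.split(" ", 2)
    ua, url = rest.rsplit(" ", 1)
    return datetime.fromisoformat(ts), host, ua, url


def url_host(url):
    """Return the lower-cased hostname part of an http(s) URL."""
    return url.split("/", 3)[2].lower()


def interval_jitter(times):
    """Coefficient of variation of the gaps between sorted timestamps (0 = perfectly regular)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return (pstdev(gaps) / avg if avg else float("inf")), avg


def find_dead_drop_candidates(lines, min_fetches=3, max_jitter=0.2):
    """Return a sorted list of (host, url) pairs whose raw-content fetches look like beaconing."""
    fetches = defaultdict(list)   # (host, url) -> timestamps of raw-content fetches
    developer_hosts = set()       # hosts showing ordinary git/browser use of GitHub
    for line in lines:
        ts, host, ua, url = parse_line(line)
        if "github" in url_host(url) and DEVELOPER_UA.match(ua):
            developer_hosts.add(host)
        if url_host(url) in RAW_CONTENT_HOSTS and not DEVELOPER_UA.match(ua):
            fetches[(host, url)].append(ts)

    findings = []
    for (host, url), times in fetches.items():
        # A host with a developer baseline, or too few fetches, is left alone.
        if host in developer_hosts or len(times) < min_fetches:
            continue
        jitter, avg = interval_jitter(sorted(times))
        if jitter <= max_jitter:
            findings.append({"host": host, "url": url, "fetches": len(times),
                             "interval_s": avg, "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in find_dead_drop_candidates(SAMPLE_LOGS):
        print(finding)
```

On the constructed input only ws-fin-07 is reported: it fetches the same gist four times, exactly ten minutes apart, with a scripting user agent, and never touches GitHub any other way. ws-dev-01 fetches raw content too, but from a browser and alongside a git clone and web UI use, so the baseline check suppresses it. The thresholds and the developer-user-agent list are the knobs the report refers to: they have to follow the organisation's own GitHub usage patterns and risk tolerance.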

Originally published on the WeChat public account 知机安全 (Zhiji Security): GitHub Abuse: Threat Actors' New Playbook

Posted by admin on 14 January 2024 20:50:31. When reposting, please retain this link (CN-SEC: thanks to the original author for their work): GitHub Abuse: Threat Actors' New Playbook http://cn-sec.com/archives/2389467.html
