Researchers at Trend Micro recently demonstrated that malicious scripts and malware can be stored and distributed through GitHub Codespaces port forwarding.
GitHub Codespaces lets developers set up a workspace quickly and start coding within minutes from a web browser.
It makes starting a project easier and reduces switching between development environments.
Malware server hosted on GitHub Codespaces
GitHub Codespaces provides developers with cloud-hosted development environments that can be configured quickly and easily.
That makes them a target for attackers, who could use them to set up web servers that distribute malware and other malicious content without being detected.
The researchers demonstrated this scenario by configuring a Codespace as a web server that delivers malicious files and links. Security systems would find this hard to identify because traffic from the Codespace looks legitimate.
GitHub Codespaces lets developers manage cloud development environments directly through the GitHub platform, and it allows forwarded ports to be exposed to the public internet.
Developers can make applications running in a Codespace accessible to other users by forwarding the appropriate port from the Codespace to the public internet.
This can be used to create a test environment and make applications available to other users. The forwarded URL can be configured as private so that only a specific person can reach it, while public ports can be accessed by anyone who has the URL.
The difference between private and public port forwards is an authentication requirement. Private port forwards are more secure because they limit access to holders of the token or cookies, whereas public port forwards can be accessed by anyone who has the URL.
These are the steps an attacker could, in theory, take:
- Run a simple Python web server
- Upload malicious code or malware to the Codespace
- Open a port for the web server on the VM
- Set the port's visibility to public
You also have the option to change the Codespaces port forwarding system from HTTP to . It will give the impression that the URL is safe from hackers.
GitHub's trusted reputation makes it possible for threat actors to evade detection with minimal effort: antivirus tools do not raise alarms about GitHub, which is treated as a trusted space.
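A trusted domain does not make the content served from it trustworthy. The following is an added detection example, not code from the article or from Trend Micro: it scans constructed proxy log lines for successful downloads of risky file types from a Codespaces forwarded-port URL. The hostname pattern `<codespace-name>-<port>.app.github.dev` is an assumption and should be checked against your own logs.

```python
import os
import re
from urllib.parse import urlparse

# Assumed hostname layout for a forwarded Codespaces port (verify in your environment):
#   <codespace-name>-<port>.app.github.dev
CODESPACE_HOST = re.compile(r"^(?P<name>[a-z0-9-]+)-(?P<port>\d{2,5})\.app\.github\.dev$")
RISKY_EXT = {".exe", ".dll", ".msi", ".ps1", ".bat", ".sh", ".py", ".jar", ".zip"}

# Constructed proxy log lines (not real traffic): timestamp client method url status.
# The 401 line stands in for a private port refusing a request without the GitHub cookie.
PROXY_LOG = """\
2023-01-17T10:01:02Z 10.0.0.12 GET https://github.com/org/repo/pull/42 200
2023-01-17T10:02:10Z 10.0.0.12 GET https://cautious-space-8000.app.github.dev/index.html 200
2023-01-17T10:02:15Z 10.0.0.12 GET https://cautious-space-8000.app.github.dev/payload.exe 200
2023-01-17T10:03:00Z 10.0.0.31 GET https://cautious-space-8000.app.github.dev/ 401
2023-01-17T10:04:00Z 10.0.0.40 GET https://cdn.example.net/setup.exe 200
"""


def parse_line(line):
    """Split one space-separated proxy log line into a record."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def codespace_port(url):
    """Return (codespace_name, port) if the URL targets a forwarded Codespaces port, else None."""
    match = CODESPACE_HOST.match(urlparse(url).hostname or "")
    return (match.group("name"), int(match.group("port"))) if match else None


def flag_downloads(log_text):
    """Return records for successful fetches of risky file types from forwarded Codespaces ports."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        target = codespace_port(rec["url"])
        if target is None or rec["status"] != 200:
            continue  # not a Codespaces port, or the file was never actually served
        path = urlparse(rec["url"]).path
        if os.path.splitext(path)[1].lower() in RISKY_EXT:
            hits.append({**rec, "codespace": target[0], "port": target[1],
                         "file": path.rsplit("/", 1)[-1]})
    return hits


if __name__ == "__main__":
    for hit in flag_downloads(PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} fetched {hit['file']} from codespace "
              f"{hit['codespace']} port {hit['port']}")
```

The same logic can be pointed at real proxy or DNS logs to surface who in the organisation is pulling executables from a forwarded Codespaces port, which is invisible to antivirus tools that whitelist GitHub.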
Increase the Intensity of Attack
Trend Micro's analysts note that attackers could also use GitHub Codespaces Dev Containers to scale up their malware distribution.
Developers use this tool to deploy quickly, share with others and connect to a VCS. An attacker could use a script to do many things, such as:
- Forward a port
- Run a Python HTTP server
- Download malicious files into their Codespace
Once the port's visibility is set to public, a web server exists that serves the malicious files from an open directory.
Because GitHub's policy is to automatically delete inactive Codespaces within 30 days, an attacker could use the same URL for a whole month. GitHub has committed to investigating security flaws reported by users.
The findings were reported to the company, which plans to add a prompt asking users to confirm that they trust the owner when they connect to a Codespace.
Recommendations
Below are some security best practices IT and security personnel can apply to protect this platform from future attacks.
- Use trusted code sources, such as VS Code extensions and GitHub repositories, whenever possible.
- Developers must be familiar with the source code they are using and take care when working with it.
- The dev container is built on container images; these should be recognised and maintained according to requirements.
- Use strong passwords for GitHub.
- Two-factor authentication is an effective way to improve account security.
- Do not disclose secrets or credentials publicly, to prevent credential leaks.