Attackers could start abusing GitHub Codespaces, a new service that allows developers to create and test applications inside development containers running on GitHub’s servers. Developers can make their applications accessible via public GitHub URLs for preview by others, a functionality that can be abused to distribute malware payloads in a stealthy way.
“If the application port is shared privately, browser cookies are used and required for authentication,” researchers from security firm Trend Micro said in a new report. “However, if ports are shared with the public (that is, without authentication or authentication context), attackers can abuse this feature to host malicious content such as scripts and malware samples.”
GitHub Codespaces and port forwarding
Codespaces is a cloud-based integrated development environment (IDE) that can be used to write and run code directly inside a web-based interface instead of using a locally hosted environment, which can take a lot of time to configure. Developers can use dev containers preconfigured with all the tools, libraries, and programming runtimes they need for their code to run and then execute this container on GitHub’s cloud and control it the GitHub CLI.
Dev containers will be executed automatically if they’re uploaded to a user’s repository with an accompanying configuration file. This provides a lot of flexibility and automation possibilities compared to traditional setups and GitHub offers 60 hours/month for free on a two-core VM.
Every Codespaces environment lives in its own VM and has an isolated virtual network. However, developers can choose to use a feature called port forwarding to share preview links to their applications with other members of their organization or publicly.
For example, if the user forwards an internal application on port 8080, the service will generate a unique URL of the form <GitHub_Username>-<codespace_name>-<random_identifier>-<exposed_port>.preview.app.github.dev. This is essentially a unique subdomain on the preview.app.github.dev domain.
Abusing the dev containers
Even though container images come preconfigured, users can execute commands inside them using the GitHub CLI. In a demonstration, researchers from Trend Micro used a dev container image maintained by Microsoft and wrote a configuration that opened a simple HTTP server using the Python runtime which is included by default and forwarded port 8000 publicly.
Additionally, they used the GitHub CLI to authenticate to the container and execute two simple commands that downloaded an archive containing malware from an external URL and then unpacked it locally in the directory served by the Python-based web server. In essence, this created an open directory with malware files accessible via a preview.app.github.dev URL.
The researchers automated the whole process via a script and set it to delete the Codespace after 100 seconds or after the URL is accessed. This can allow malware droppers on a local machine to spin up temporary Codespaces on the fly and download additional payloads from them. Downloading files from a GitHub-owned domain that has a good reputation and is associated with a service that could be used inside the victim’s environment is less likely to be blocked or flagged by network security gateways.
“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their Codespace environments,” the researchers said. “Since each created Codespace has a unique identifier to it, the subdomain associated is unique as well. This gives the attacker enough ground to create different instances of open directories. Additionally, Codespaces can be retained for a maximum of 30 days, which implies that attackers can use the same URL for their operations in the said duration.”
Abusing legitimate cloud services providers to host malware is not new. However, the cost barrier for abuse seems lower for GitHub Codespaces compared to other cloud service providers such as Amazon Web Services, Microsoft Azure, or the Google Cloud Platform, which typically require registering with a valid credit card even for their free trials.
Moreover, attackers have abused GitHub’s cloud computing resources before. According to a recent report from Palo Alto Networks, a group dubbed Automated Libra created over 130,000 accounts on GitHub, Heroku, and Togglebox since October to use their free services and trials for cryptomining. For GitHub in particular the group fully automated the account creation process, complete with a CAPTCHA solving script.
“Cloud services offer advantages to legitimate users and attackers alike,” the Trend Micro researchers said. “It helps attackers scale their attacks quickly and easily, hide their tracks, and avoid detection by abusing legitimate services like GitHub Codespaces.”
Copyright © 2023 IDG Communications, Inc.
