Hackers Exploit GitHub and GitLab Platforms to Distribute Malware

October 9, 2024

Software development and collaboration platforms like GitHub and GitLab are increasingly being used by cybercriminals for malicious activities. These platforms have become both targets and vehicles for a range of malicious actions. A recent campaign distributes malware via legitimate GitHub repositories, and a separate exploit abuses a vulnerability that lets an attacker access GitLab as any user.

The campaign involves a threat actor directing targeted victims in the insurance and finance sectors to malware hosted on trusted GitHub repositories. The attacker sends tax-themed phishing emails containing a link to a password-protected archive containing Remcos, a remote access Trojan used by cybercriminals and state-backed groups for cyber-espionage and data theft.

According to Cofense, what makes the campaign notable is the threat actor's ability to sneak archive files containing the Remcos RAT into legitimate GitHub repositories belonging to trusted entities. These include His Majesty's Revenue & Customs (HMRC), the UK's national tax authority; New Zealand's Inland Revenue; and UsTaxes, an open source tax-filing platform. The attacker uses GitHub comments to upload a malicious file containing Remcos RAT to the repositories of these entities.

'GitHub comments are useful to a threat actor because malware can be attached to a comment in a GitHub repository without having to upload it to the source code files of that repository,' Cofense security researcher Jacob Malimban wrote in a blog post.
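The defensive implication of the technique described above is that a link can sit under a trusted organisation's GitHub path without the file ever having been committed to that organisation's source tree. The following is an added example (not code from Cofense or from the article) of a mail-triage check that separates links into the committed tree or a tagged release from links to comment-hosted attachments, and flags the latter when they name an archive. The two attachment URL shapes it recognises, the list of archive extensions, and the sample message are assumptions constructed for the example rather than details taken from the article.

```python
"""Triage GitHub links in inbound mail for comment-attachment hosting.

Added example, not from the article or from Cofense. It encodes the point
that files attached to a GitHub issue or pull-request comment are served
from a path under the repository (or under github.com/user-attachments/)
rather than from the repository's committed files, so a link that appears
to come from a trusted organisation may never have passed through its code.

Assumptions (not stated in the article): the two attachment URL shapes
below, and the archive extensions considered worth flagging.
"""
import re
from urllib.parse import urlparse

# Attachment hosting paths (assumed from observed GitHub behaviour):
#   https://github.com/<owner>/<repo>/files/<id>/<name>       (legacy form)
#   https://github.com/user-attachments/files/<id>/<name>     (newer form,
#   which no longer names the repository the comment belongs to)
_LEGACY_ATTACHMENT = re.compile(r"^/([^/]+)/([^/]+)/files/\d+/([^/]+)$")
_USER_ATTACHMENT = re.compile(r"^/user-attachments/files/\d+/([^/]+)$")
# Paths that point into the committed tree or a tagged release.
_SOURCE_PATHS = re.compile(r"^/([^/]+)/([^/]+)/(blob|tree|raw|releases/download)/")

# Archive types to flag when hosted as a comment attachment (assumed list).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".gz", ".tgz", ".iso", ".img")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample message; the organisation and domain are placeholders.
SAMPLE_EMAIL = """Subject: Your tax return requires action
Please review the attached statement:
https://github.com/example-tax-org/forms/files/1234567/Tax_Return_2024.zip
Reference guide (a file actually committed to the repository):
https://github.com/example-tax-org/forms/blob/main/README.md
Our portal: https://example.test/login
"""


def classify_github_link(url: str) -> dict:
    """Return where on GitHub a URL points and which file it names."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in ("github.com", "www.github.com"):
        return {"kind": "not_github", "filename": None, "owner": None}
    path = parsed.path
    m = _LEGACY_ATTACHMENT.match(path)
    if m:
        # Owner is the organisation whose repository hosts the comment.
        return {"kind": "comment_attachment", "filename": m.group(3), "owner": m.group(1)}
    m = _USER_ATTACHMENT.match(path)
    if m:
        # Newer attachment URLs carry no owner, so attribution is lost.
        return {"kind": "comment_attachment", "filename": m.group(1), "owner": None}
    m = _SOURCE_PATHS.match(path)
    if m:
        filename = path.rsplit("/", 1)[-1] or None
        return {"kind": "source_or_release", "filename": filename, "owner": m.group(1)}
    return {"kind": "other", "filename": None, "owner": None}


def flag_suspicious_links(message: str) -> list[dict]:
    """Return every link in a mail body that is a comment-hosted archive."""
    findings = []
    for raw_url in URL_RE.findall(message):
        url = raw_url.rstrip(".,;:)")  # drop trailing sentence punctuation
        info = classify_github_link(url)
        if info["kind"] != "comment_attachment":
            continue
        name = (info["filename"] or "").lower()
        if name.endswith(ARCHIVE_EXTENSIONS):
            findings.append({"url": url, **info})
    return findings


if __name__ == "__main__":
    for hit in flag_suspicious_links(SAMPLE_EMAIL):
        print(f"comment-hosted archive under '{hit['owner']}': {hit['url']}")
```

On the constructed message the check flags only the `.zip` served from the `/files/` path and leaves the committed `README.md` alone, which is the distinction a mail filter needs: the archive and the source file share an owner path, and only the path shape tells them apart.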

The new exploit for GitLab targets a critical authentication bypass vulnerability (CVE-2024-45409) affecting the Ruby-SAML and OmniAuth-SAML libraries that GitLab uses to enable SAML-based single sign-on. The exploit script allows attackers to abuse the vulnerability to access GitLab as any user. The vulnerability affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) below 16.11.10, and multiple 17.x.x versions of GitLab.

Over the past year, there have been multiple instances of attacks targeting repositories on GitHub and GitLab, indicating growing interest in these platforms from researchers and threat actors. For example, a cyber-extortion attack was reported by Chilean cybersecurity firm CronUp in June, and another involved the use of ghost accounts on GitHub to distribute malware. GitLab users have also had to deal with several security scares, including CVE-2024-45409 and two other recent vulnerabilities (CVE-2024-6385 and CVE-2024-5655) that posed a significant threat to the integrity of CI/CD pipelines.
