Microsoft's GitHub is being abused by hackers and ransomware groups. But can it be fixed?

Generated by ChatGPT | image of a computer being hacked
GitHub is being used for living-of-trusted-sites attacks by threat actors. (Image credit: ChatGPT)

What you need to know

  • Advanced persistent threats (APTs) are always looking for ways to blend in with normal activity.
  • By utilizing Microsoft's GitHub, a known good platform, to host malware or command and control techniques, APTs are finding more success.
  • The Insikt Group, Recorded Future's threat research division, published a report on the increased malicious activity taking place through GitHub.
  • While Microsoft is looking for every way to make money on Copilot, cleaning up GitHub would be an actual good use case that an LLM could likely achieve. 

With CES wrapping up, the entire corporate world is focused on AI and how it can make these corporations more money. There have been a lot of promises about how AI can facilitate a safer digital world, but I have yet to see much fruit from such talk. The Insikt group, the threat research team of Recorded Future, released a report today discussing how GitHub is increasingly used for malicious infrastructure by threat actors and Advanced Persistent Threats (APTs.)

This issue in and of itself is a problem and worthy of news, but it seems to me that this is the perfect opportunity for Microsoft to show the world what it can do. It reminds me of the cheating epidemic in games like Activision's Call of Duty Warzone. Activision had to make a bespoke machine-driven anti-cheat system called Ricochet, which repeatedly bans thousands of cheaters. Similarly, Microsoft should be looking to use Copilot to intelligently inspect, analyze, and verify every single piece of code uploaded to the extremely popular site GitHub, which it acquired in 2018. 

How are hackers abusing GitHub?

Microsoft is working on fixing its many cybersecurity woes. While hackers have been 'living off the land' in Windows for years, meaning using the programs and executables available on the operating system they gain initial access to, they are now finding similar success using trusted sites. Coined by The Insikt Group in their report, 'living off trusted sites' is similar to the well-known cybersecurity term 'living off the land.' Using trusted sites, these threat groups can bypass most enterprise controls and blend in with regular traffic, significantly increasing their effectiveness and anti-detection capabilities. 

If you're looking for an in-depth analysis of the GitHub issue and its prevalence, feel free to check out the Insikt Groups full report, but we have you covered for the cliff notes version. Sophisticated hackers, also called APTs, use GitHub for several essential infrastructure necessities to achieve an attack chain on a target. 

GitHub's services are abused both by cybercriminals and advanced persistent threats (APTs) for a wide range of malicious infrastructure schemes, including payload delivery, DDR, exfiltration, command-and-control (C2), and other purposes (such as phishing).

Insikt Group

As the Insikt Group explains, threat actors are using GitHub to deliver payloads, meaning once they get initial access to a target machine, they will typically run a script to download a malicious payload to the host. This is the most common use case for GitHub, but some APTs are using it for C2, meaning they are sending and receiving commands from GitHub repositories and exfiltrating data to GitHub in some cases. 

The Insikt Group explains why GitHub is such a threat and so effective for threat groups as a delivery mechanism for their attacks. These are some of the advantages that GitHub gives to attackers. 

  • No blocking of GitHub domains in most corporate networks, given its popularity among businesses and the fact that many of them rely on it. 
  • Reduced operational overhead by simplifying the overall C2 server installation process by utilizing publicly endorsed TLS encryption. 
  • Widespread practical experience with GitHub among malware developers, given its legitimate use cases beyond malicious activities. 
  • Lower infrastructure costs by saving on typical hosting or registration fees. 
  • High uptime as GitHub is designed to be highly available, with redundant servers and failover mechanisms.
  • Minimal vetting to register new accounts on GitHub (for example, the absence of a requirement for a credit card during registration represents significant cost savings for sophisticated APTs, as creating untraceable financing and payment methods is time-consuming and introduces unnecessary complexity.) 
  • Limited detection possibilities for service providers (especially with respect to human-controlled accounts.) 
  • Tracing a threat actor upstream or identifying victims becomes more challenging when the threat actor uses an LIS. More specifically, if tracking efforts hinge on network traffic analysis, encountering an LIS becomes a major obstacle, making it difficult to distinguish malicious traffic from legitimate traffic, resulting in a virtual dead end in the investigation.
  • Limited availability of tooling for threat modeling and little actionable threat intelligence specific to such infrastructure setups.

In my opinion, this is a pretty big black eye for Microsoft. People are comparing GitHub to Pastebin because of how insecure the site seems. Microsoft, of course, has integrated Copilot into GitHub. Still, I believe there should be a more significant focus on cleaning up the site before trying to integrate end-user AI solutions.

How Microsoft can use AI to clean up GitHub

While LLMs and AI generally have not mastered everything perfectly yet, it seems universally agreed that they have a good handle on coding and programming. ChatGPT helped code a game and was pretty adept at following instructions. That being said, it should be possible to use Copilot as a sort of content filter. Like how YouTube checks for inappropriate content, it should be able to run every piece of code uploaded to its platform in a virtual sandbox and analyze what the code is doing. If the code looks suspicious, it should be flagged for manual human review. 

Recorded Future shows how GitHub has been used maliciously in a real-world scenario. It is fascinating to see how Zscaler tracked a North Korean threat group's GitHub as they hosted malicious files on it and targeted several South Korean industries.

Overall, it's time for Microsoft to use Copilot/AI for improvements to its subsidiaries instead of constantly pushing consumer-focused solutions. It would take a significant workforce to clean up GitHub, which is likely why Microsoft has been so slow to do so, but with the help of AI, the task should be more manageable. 

Can Microsoft ever solve its security problems?

Microsoft is rolling out Security Copilot and has data that it is helping cybersecurity defenders perform better; however, as with so many things with Microsoft, this depends on the customer doing the work, and Microsoft is keeping a hands-off approach. 

Microsoft is known for not investing a lot in things like customer service, and that mentality seems to have rolled over to cybersecurity. Sure, they have engineers to keep things up and running, and they work to push updates for Patch Tuesday, but so much of what they do seems to be reactionary. With the tidal wave of AI integration into everything technology, it is the perfect time for Microsoft to start backing up its words and securing itself before looking outward to other enterprises. 

Something that doesn't seem to be changing throughout this news is that there is and will continue to be a need for human analysts and engineers on the frontlines to defend corporations from these malicious actors. If you are interested, check out our guide on how to get started in cybersecurity.

While Microsoft was responsible for leaking its plans for Xbox over the next several years, Sony's Insomniac was recently breached by a sophisticated threat group, and the damage done from that leak is hard to quantify. Suppose Microsoft can't keep its own house in order. In that case, it will be more difficult, as a company that sells cybersecurity solutions, to protect the enterprise clients that use Defender and other Microsoft security products. Suppose Microsoft can shore up its holes and weaknesses by hardening its OS, Servers, and subsidiaries like GitHub. In that case, it will drastically decrease the number of successful breaches worldwide, which is a win-win for everybody involved. 

What do you think about GitHub being used so successfully by hackers? Can Microsoft use AI to help moderate the code being uploaded to GitHub? Let us know what you think in the comments.

Colton Stradling

Colton is a seasoned cybersecurity professional that wants to share his love of technology with the Windows Central audience. When he isn’t assisting in defending companies from the newest zero-days or sharing his thoughts through his articles, he loves to spend time with his family and play video games on PC and Xbox. Colton focuses on buying guides, PCs, and devices and is always happy to have a conversation about emerging tech and gaming news.