In October 2020, Juniper Threat Labs, the security research group of the network equipment manufacturer Juniper Networks, discovered a worm that used GitHub and Pastebin as the delivery and command channels for a botnet. The researchers named it Gitpaste-12 after the two hosting services it abused and the twelve attack modules it carried. The malware tried to compromise Linux servers and IoT devices with known exploits and with brute-force password attacks; once it had a foothold, it fetched additional payloads and exploit code from Pastebin and GitHub. Because it was built as a worm, Gitpaste-12 then attempted to spread to other hosts on the network.

In September 2022, CrowdStrike reported a sophisticated malware campaign that used GitHub as a watering hole, that is, a site the targets visit routinely that has been turned into an infection point. The attack did not rely on the usual initial access methods such as phishing e-mail or stolen credentials. According to CrowdStrike, it instead leveraged a misconfiguration in GitHub repositories, and the resulting code execution gave the attackers access to multiple victims across thousands of hosts worldwide.

GitHub was launched in 2008 and has become the dominant hosting service for collaborative software development and version control with Git. Git itself is an open-source distributed version control system that lets many programmers coordinate work on the same code base. GitHub stores source code in repositories that can be either public or private. In January 2023 GitHub reported that the platform had reached 100 million developers. Microsoft acquired GitHub in 2018.

Besides serving as a distribution point for malware, GitHub hosts a great deal of legitimate code that a company insider could use to damage systems or exfiltrate data from an employer. The same is true of an external attacker, in a practice closely related to living off the land. Strictly, living off the land means abusing tools already present on the victim system; the GitHub variant is that an intruder who already has access to the environment downloads legitimate open-source software (administration utilities, scanners, post-exploitation frameworks published for defenders and researchers) rather than bringing custom malware that endpoint signatures might catch, and uses it to move further into the organization. Endpoint security products and threat hunters often fail to flag this, because the software is not malicious in itself and is in widespread legitimate use, so the only signal is where it came from and which host fetched it.

Should your organization block GitHub? Not outright, but in a well-run environment GitHub should be reachable only from the users and network segments that explicitly need it. Segments for printers, Internet-of-Things (IoT) devices, and ordinary users' workstations have no reason to reach GitHub. In a typical enterprise only developers, and perhaps some other information technology staff, need access to the repositories, and development work should itself be confined to defined segments. A secure network should already have segmentation in place; restricting GitHub is simply one more use case for it. Enforce the restriction at firewalls and web proxies using the GitHub domains and IP addresses, with two practical caveats. First, GitHub publishes the address ranges it uses at https://api.github.com/meta and those ranges change, so firewall sets must be refreshed from that source rather than copied once. Second, GitHub content is served from more than github.com (for example raw.githubusercontent.com, objects.githubusercontent.com, and codeload.github.com), so a proxy rule has to match all of those names. Review proxy logs before enforcing, because package managers and build tools on non-developer hosts sometimes fetch from GitHub, and remember that attackers will fall back to Pastebin or any other file host just as readily, as Gitpaste-12 did, so the same allow-list logic should apply to those services. Limiting GitHub access in this way lessens the risk posed by the easy availability of an enormous repository of source code.
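To make the segmentation advice concrete, and to give hunters the check that the earlier paragraph says endpoint tools often miss, here is an added Python example written for this page; it is not the article author's code, nor a GitHub or Oviedo Networks tool. It parses a response in the shape of GitHub's https://api.github.com/meta endpoint, collapses the prefixes into nftables sets that accept the developer segment and drop-and-log every other segment, and then audits proxy log lines for GitHub fetches from restricted segments. Everything in it is constructed: the /meta JSON (the live response has hundreds of prefixes), the segment addressing, the proxy log format and lines, and the nftables layout (a forward-hook filter on a firewall that routes between segments and the Internet). The hostname list should be checked against current GitHub documentation before use.

```python
# Added example for this article: egress policy and proxy audit for GitHub
# access. All addresses, JSON and log lines below are constructed.
import ipaddress
import json
import re

# Constructed sample in the shape of https://api.github.com/meta. The live
# response has hundreds of prefixes and changes, so refresh it on a schedule.
SAMPLE_META_JSON = """{
  "web":   ["192.0.2.0/26", "192.0.2.64/26", "2001:db8:10::/48"],
  "api":   ["192.0.2.0/26", "198.51.100.0/24"],
  "git":   ["192.0.2.128/25", "198.51.100.0/24"],
  "pages": ["203.0.113.0/24"]
}"""

# GitHub content is served from more than github.com; a proxy rule keyed on
# the bare domain misses raw files, release assets and archive downloads.
GITHUB_DOMAINS = ("github.com", "raw.githubusercontent.com",
                  "objects.githubusercontent.com", "codeload.github.com")

# Constructed enterprise addressing: only the developer segment may reach GitHub.
DEV_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
RESTRICTED_SEGMENTS = {
    "printers": ipaddress.ip_network("10.50.0.0/24"),
    "iot": ipaddress.ip_network("10.60.0.0/16"),
    "users": ipaddress.ip_network("10.100.0.0/16"),
}

def github_prefixes(meta_json, keys=("web", "api", "git", "pages")):
    """Collect prefixes under the chosen /meta keys and collapse duplicates and
    adjacent blocks so the firewall sets stay small. Returns (v4, v6) lists."""
    meta = json.loads(meta_json)
    nets = [ipaddress.ip_network(p) for k in keys for p in meta.get(k, [])]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return [str(n) for n in sorted(v4)], [str(n) for n in sorted(v6)]

def _nft_set(name, addr_type, prefixes):
    """One nftables interval set; the elements clause is omitted when empty."""
    elems = f" elements = {{ {', '.join(prefixes)} }}" if prefixes else ""
    return f"  set {name} {{ type {addr_type}; flags interval;{elems} }}"

def nft_rules(meta_json):
    """Render an nftables fragment: GitHub prefix sets, accept for the developer
    segment, logged drop for each restricted segment. The constructed internal
    segments are IPv4; IPv6 segments would use 'ip6 saddr ... ip6 daddr @github6'."""
    v4, v6 = github_prefixes(meta_json)
    out = ["table inet egress {",
           _nft_set("github4", "ipv4_addr", v4),
           _nft_set("github6", "ipv6_addr", v6),
           "  chain forward {",
           "    type filter hook forward priority 0; policy accept;"]
    for seg in DEV_SEGMENTS:
        out.append(f"    ip saddr {seg} ip daddr @github4 accept")
    for name, seg in RESTRICTED_SEGMENTS.items():
        out.append(f'    ip saddr {seg} ip daddr @github4 log prefix "github-{name} " drop')
    out += ["  }", "}"]
    return "\n".join(out)

# Constructed proxy log: "epoch client method url-or-CONNECT-target status".
SAMPLE_PROXY_LOG = """\
1700000000.101 10.20.4.17 GET https://github.com/example-org/tooling.git/info/refs 200
1700000000.202 10.100.7.33 GET https://raw.githubusercontent.com/example-user/tools/main/run.sh 200
1700000000.303 10.60.1.9 CONNECT codeload.github.com:443 200
1700000000.404 10.100.7.33 GET https://www.example.com/ 200
1700000000.505 10.50.0.12 GET https://objects.githubusercontent.com/release-asset/agent.bin 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

def host_of(target):
    """Hostname from a URL or a CONNECT host:port target, lower-cased, port removed."""
    host = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", target).split("/", 1)[0]
    return host.split(":", 1)[0].lower()

def is_github_host(host):
    """Exact or subdomain match only, so github.com.evil.example does not match."""
    return any(host == d or host.endswith("." + d) for d in GITHUB_DOMAINS)

def audit_proxy_log(log_text):
    """Return (client, segment, host) for every GitHub fetch from a restricted
    segment. Developer-segment traffic is policy-conformant and not reported."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        host = host_of(m["url"])
        if not is_github_host(host):
            continue
        client = ipaddress.ip_address(m["client"])
        for name, seg in RESTRICTED_SEGMENTS.items():
            if client in seg:
                findings.append((str(client), name, host))
    return findings

if __name__ == "__main__":
    print(nft_rules(SAMPLE_META_JSON))
    for client, segment, host in audit_proxy_log(SAMPLE_PROXY_LOG):
        print(f"policy violation: {client} ({segment}) fetched from {host}")
```

Run as-is it prints the generated nftables fragment and three findings: a users-segment workstation pulling a shell script from raw.githubusercontent.com, an IoT device tunnelling to codeload.github.com, and a printer segment fetching a release asset. The developer host's clone is not reported. In production, replace SAMPLE_META_JSON with the live /meta response on a schedule, point the audit at the real proxy export, and run the audit for a while before switching the drop rules on so that legitimate build-tool fetches from non-developer hosts can be moved into the developer segment first.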

Subscribe to our threat data feeds. Oviedo Networks can provide a list of GitHub IP addresses as part of our customizable threat data subscription. Contact us to get the latest indicators of compromise automatically downloaded to your SIEM, firewall, or IDS to defend against advanced cyberattacks.