Security research organizations recently reported how threat actors were abusing GitHub flaws to push malware while making it appear to be hosted on an official source code repository from a trusted organization.
While most malware-related activity is based on Microsoft GitHub URLs, this “flaw” could be abused by any public repository on GitHub or GitLab, allowing threat actors to create very convincing lures.
GitLab comments can also be abused to push malware
For example, the following URLs used in the attack make it appear that these ZIPs reside in Microsoft's source code repository:
https://github(.)com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github(.)com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
However, upon investigation, these files (which belong to the malware) were not found in Microsoft's code repository.
Instead, the content resides on GitHub's CDN and was likely uploaded by threat actors abusing the platform's “comments” feature.
When leaving a comment on a commit or pull request, GitHub users can attach a file (archive, document, etc.) which will be uploaded to GitHub's CDN and associated with the related project using a unique URL in the following format: ' https: // www.github.com/{project_user}/{repo_name}/files/{file_id}/{file_name}. '
For videos and images, the files will be stored under the /assets/ path.
GitHub automatically generates a download link after a user adds a file to an unsaved comment, rather than generating the URL after posting the comment, as shown below. This allows threat actors to attach their malware to any repository without the user's knowledge.
Automatically generated download link source when adding files to comments
Even if the comment is never actually posted or is later deleted by the user (or attacker), the link to the file will still work.
Sergei Frankoff of UNPACME, an automated malware analysis service, paid attention to the vulnerability last month and said that threat actors are actively abusing the vulnerability.
In addition, GitLab is not immune to this problem, and users can abuse the “comments” function on GitLab in a similar way.
In testing, users were able to upload files to GitLab's CDN, but it appeared that the files existed in the GitLab repositories of popular open source projects such as Inkscape and Wireshark:
https://gitlab(.)com/inkscape/inkscape/uploads/edfdbc997689255568a7c81db3f3dc51/InkScape-2024-Latest.exe
https://gitlab(.)com/wireshark/wireshark/uploads/b4162053fbb4dc6ee4f673c532009e16/WireShark-v4.2.4-stable-release.exe
The file used in the test is a benign JPG image that has been renamed to .exe to demonstrate how threat actors can abuse this feature to mislead users into downloading fake versions of software with malware.
Such files uploaded to GitLab CDN follow the format:
https://gitlab.com/{project_group_namr}/{repo_name}/uploads/{file_id}/{file_name}
The file_id here looks like an MD4 or MD5 hash, rather than a simpler numeric identifier.
Automatically generated download link when adding files to GitLab comments
Much like GitHub, the resulting GitLab file link will remain active even if the attacker never posts the comment or later deletes the comment.
GitLab does prompt users to log in before they can upload or download these files, but that doesn't stop threat actors from uploading these files.
Since almost every software company uses GitHub or GitLab, this flaw allows threat actors to develop extremely sophisticated and seemingly trustworthy decoys.
For example, a threat actor could upload a malware executable to NVIDIA's driver installer repository that pretends to be a new driver that fixes an issue in a popular game. Alternatively, a threat actor could upload a file in a comment on the Google Chromium source code and pretend it is a new beta version of the web browser.
These URLs also appear to belong to the company's repositories, which makes them appear more authentic. Even if companies learn that their repositories are being abused to spread malware, they can't find any settings that allow them to manage or delete files attached to their projects.
References and sources:
https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/
GIPHY App Key not set. Please check settings