2023-01-19

Newly published research shows that malicious actors can abuse a legitimate GitHub feature, Codespaces, to deliver malware to victim systems.

What is GitHub’s “Codespaces” feature?

GitHub Codespaces is a cloud-based, configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or through an integration into Visual Studio Code.

In practice, developers use Codespaces to write code and fix what is already in the repository from a shared, consistent environment.

It also offers port forwarding, which lets you reach a web application running on a particular port inside the codespace directly from the browser on your local machine, for the testing and debugging purposes already mentioned.

“You can also manually forward a port, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to your codespace configuration,” explains GitHub in its documentation.

It is important to note that any forwarded port made public allows anyone who knows the URL and port number to view the running application without any authentication.

Additionally, GitHub Codespaces uses HTTP for port forwarding; if a publicly visible port is updated to use HTTPS, or is removed and added again, its visibility reverts to private.

Cybersecurity company Trend Micro has discovered that such publicly shared forwarded ports could be exploited to create a malicious file server using a GitHub account.

“In the process, these environments [that have been] abused will not be marked as malicious or suspicious even if they serve malicious content (such as scripts, malware, and ransomware, among other things), and the [various] organizations may consider these events to be benign or false positive,” said researchers Nitesh Surana and Magno Logan.

In a proof-of-concept (PoC) exploit demonstrated by Trend Micro, a threat actor could create a codespace, download malware from a domain they control into that GitHub environment (that is, inside Codespaces), and set the visibility of the forwarded port to public, essentially turning the application into a web server hosting rogue payloads.

Even more concerning is the fact that an attacker can also “augment” this method to distribute malware and compromise a victim’s development environment (and consequently their devices), since each codespace domain associated with the exposed port is unique and is unlikely to be flagged by security tools as a malicious domain.
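Because each forwarded-port domain is unique, a domain blocklist will not catch it; a pattern-based check over egress proxy logs is one defensive response. The following is an added example, not code from the article or from Trend Micro; it assumes forwarded ports are served from hostnames shaped like `<codespace-name>-<port>.app.github.dev` and a hypothetical whitespace-separated proxy log layout.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the article): a forwarded Codespaces port is reachable at
# https://<codespace-name>-<port>.app.github.dev, so the hostname shape, not a
# blocklist entry, is the stable indicator.
CODESPACE_HOST = re.compile(
    r"^(?P<codespace>[a-z0-9-]+)-(?P<port>\d{1,5})\.app\.github\.dev$", re.I
)

# Hypothetical proxy log layout: "<timestamp> <client-ip> <method> <url> <status> <content-type>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)

# Content types a development preview rarely returns but a payload host would (assumption).
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-sh", "application/zip"}


def flag_codespace_fetches(lines):
    """Return one finding per request to a Codespaces forwarded port, high severity first."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        host = urlsplit(m["url"]).hostname or ""
        h = CODESPACE_HOST.match(host)
        if not h:
            continue
        ctype = m["ctype"].split(";")[0].lower()
        findings.append({
            "ts": m["ts"], "client": m["client"], "url": m["url"],
            "codespace": h["codespace"].lower(), "port": int(h["port"]),
            "severity": "high" if ctype in BINARY_TYPES else "medium",
        })
    findings.sort(key=lambda f: f["severity"] != "high")  # stable: high first, log order otherwise
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2023-01-19T10:00:01Z 10.0.0.5 GET https://github.com/octo/repo 200 text/html
2023-01-19T10:00:07Z 10.0.0.5 GET https://octo-dev-3000.app.github.dev/ 200 text/html
2023-01-19T10:00:12Z 10.0.0.9 GET https://octo-dev-8000.app.github.dev/update.exe 200 application/x-msdownload
2023-01-19T10:00:15Z 10.0.0.9 GET https://app.github.dev/ 404 text/html
"""

if __name__ == "__main__":
    for f in flag_codespace_fetches(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['ts']} {f['client']} -> {f['url']} "
              f"(codespace={f['codespace']}, port={f['port']})")
```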

“Using such scripts, [cyber] attackers can easily abuse GitHub Codespaces into serving malicious content at a rapid rate by publicly exposing the ports on their codespace environments,” explained the researchers.

While the technique has yet to be observed in the wild, the findings show how threat actors could turn cloud platforms into a safe harbor from which to carry out a range of illicit activities.

“Cloud services benefit both legitimate users and malicious users,” concluded the researchers. “Features offered to legitimate subscribers also become available to malicious actors as they exploit the resources provided by the [cloud service provider].”