GitHub

Researchers have demonstrated how threat actors can abuse the GitHub Codespaces’ port forwarding’ feature to host and distribute malware and malicious scripts.

GitHub Codespaces allows developers to deploy cloud-hosted IDE platforms in virtualized containers to write, edit, and test/run code directly within a web browser.

Since it became widely available in November 2022, GitHub Codespaces has become a popular choice among developers who prefer it for its pre-configured, container-based environment equipped with all the necessary tools and dependencies needed for their projects.

Using GitHub Codespaces as a malware server

In a new report by Trend Micro, researchers demonstrate how GitHub Codespaces can easily be configured to act as a web server for distributing malicious content while potentially avoiding detection as the traffic comes from Microsoft.

GitHub Codespaces allows developers to forward TCP ports to the public so external users can test or view the applications.

When forwarding ports in a Codespace VM, the GitHub feature will generate an URL to access the app running on that port, which can be configured as either private or public.

A private port forward requires authentication in the form of a token or cookies to access the URL. However, a public port is accessible to anyone who knows the URL without requiring authentication.

Port visibility setting on Codespaces
Port visibility setting on Codespaces
Source: Trend Micro

This GitHub feature gives developers flexibility in code demonstrations, but Trend Micro says attackers today can easily abuse it to host malware on the platform.

Theoretically, an attacker could run a simple Python web server, upload malicious scripts or malware to their Codespace, open a web server port on their VM, and assign it “public” visibility.

The generated URL can then be used to access the hosted files, whether for phishing campaigns or to host malicious executables downloaded by other malware.

This is precisely how threat actors abuse other trustworthy services such as Google Cloud, Amazon AWS, and Microsoft Azure for malware distribution campaigns.

“To validate our hypothesis of threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded and exposed the port publicly,” reads the Trend Micro report.

“In the process, we easily found the URL and the absence of cookies for authentication.”

The analysts say that while HTTP is used by default in the Codespaces port-forwarding system, developers can set it to HTTPS, increasing the illusion of security for the URL.

Because GitHub is a trusted space, antivirus tools are less likely to raise alarms so that the threat actors can evade detection at a minimal cost.

Codespaces abuse attack diagram
Codespaces abuse attack diagram (Trend Micro)

Furthering the attack

Trend Micro analysts also explore abusing Dev Containers in GitHub Codespaces to make their malware distribution operations more efficient.

A “dev container” in GitHub Codespaces is a pre-configured container that contains all the necessary dependencies and tools for a specific project. Developers can use it for quick deployment, share it with others, or connect via VCS.

An attacker can use a script to forward a port, run a Python HTTP server, and download malicious files inside their Codespace.

Next, the port’s visibility is set to public, which creates a webserver with an open directory that serves malicious files to targets.

Trend Micro created a proof of concept (PoC) for this, using a 100-second delay after the URL is accessed before the web server is deleted.

BleepingComputer was able to replicate the creation of a “malicious” webserver using Codespaces in less than 10 minutes, with zero experience with the feature.

Creating a webserver with an open directory
Running a web server on a GitHub Codespaces VM
Source: BleepingComputer

“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created Codespace has a unique identifier, the subdomain associated is unique as well,” explains Trend Micro in the report.

“This gives the attacker enough ground to create different instances of open directories.”

GitHub’s policy is that inactive codespaces are automatically deleted after 30 days, so attackers can use the same URL for an entire month.

While there is no known abuse of GitHub Codespaces at this time, the report highlights a realistic possibility, as threat actors generally prefer to target “free to use” platforms that are also trusted by security products.

BleepingComputer has contacted GitHub to comment on Trend Micro’s report, but we are still waiting for a response.


Update 1/18 – A GitHub spokesperson has sent BleepingComputer the following comment on the above:

GitHub is committed to investigating reported security issues. We are aware of this report and plan to add a prompt to users to validate that they trust the owner when connecting to a codespace.

We recommend users of GitHub Codespaces follow our guidelines to maintain security and minimize risk of their development environment.

Source: www.bleepingcomputer.com