430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Security experts targeted with malicious CVE PoC exploits on GitHub

Researchers discovered thousands of GitHub repositories that offer fake proof-of-concept (PoC) exploits for various flaws used to distribute malware. A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El Yadmani, Robin The, Olga Gadyatskaya) discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities. The experts analyzed PoCs shared on […]

GitHub malicious repositories PoC exploits

Researchers discovered thousands of GitHub repositories that offer fake proof-of-concept (PoC) exploits for various flaws used to distribute malware.

A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El YadmaniRobin TheOlga Gadyatskaya) discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities.

The experts analyzed PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021, some of these repositories were used by threat actors to spread malware.

The experts pointed out that public code repositories do not provide any guarantees that any given PoC comes from a trustworthy source.

“We discovered that not all PoCs are trustworthy. Some proof-of-concepts are fake (i.e., they do not actually offer PoC functionality), or even malicious: e.g., they attempt to exfiltrate data from the system they are being run on, or they try to install malware on this system.” reads the research paper published by the experts.

The team focused on a set of symptoms observed in the collected dataset, such as calls to malicious IP addresses, encoded malicious code, or included Trojanized binaries. The boffins analyzed 47313 repositories and 4893 of them were malicious repositories (i.e. 10.3% of the studied repositories have symptoms of malicious intent).

“This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.” continues the paper.

GitHub malicious repositories PoC exploits

The researchers analyzed a total of 358277 IP addresses, 150734 of them were unique IPs and 2864 were blacklisted. 1,522 IP addressed were labeled as malicious by Virus Total, and 1,069 of them were listed in the AbuseIPDB database.

Of the 150,734 unique IPs extracted, 2,864 matched blacklist entries. 1522 were detected as malicious in AV scans on Virus Total, and 1069 were present in the AbuseIPDB database.

Most of the malicious detections are related to vulnerabilities from 2020.

During their research the experts found multiple examples of malicious PoC developed for CVEs and shared some case studies.

One of the examples is related to a PoC developed for the CVE-2019-0708, also known as BlueKeep.

“This repository was created by a user under the name Elkhazrajy. The source code contains a base64 line that once decoded will be running. It contains another Python script with a link to Pastebin28 that will be saved as a VBScript, then run by the first exec command. After investigating the VBScript we discovered that it contains the Houdini malware.” continues the paper.

Another example detailed by the experts is related to a malicious PoC designed to gather info about the target. In this case the URL to the server used for data exfiltration was base64-encoded.

The boffins explained that their study has several limitations. For example the GitHub API proved unreliable and not all repositories corresponding to the used CVE IDs were collected.

Another limitation is related to the use of heuristics for detecting malicious PoCs. Experts explained that the approach can miss some malicious PoCs in their dataset.

“However, this approach cannot detect every malicious PoC based on source code, since it is always possible to find more creative ways to obfuscate it. We have investigated code similarity as a feature to help identifying new malicious repositories. Our results show that indeed malicious repositories are on average more similar to each other than non-malicious one.” conclude the experts. “This result is the first step to develop more robust detection techniques.”

The researchers have shared their findings with GitHub and some of the malicious repositories have yet to be removed.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malicious GitHub)

[adrotate banner=”5″]

[adrotate banner=”13″]