Slide 1

Slide 1 text

The Forensic Trail On GitHub: Hunting For Supply Chain Activity
Threat Hunting & Incident Response
#BHEU @BlackHatEvents

Slide 2

Slide 2 text

GitHub is fundamental infrastructure, and a medium that attackers traverse. But threat-intelligence analysis of GitHub data (pivoting) remains overlooked and understudied.

Slide 3

Slide 3 text

Bug bounty is a proxy for “malicious” activity

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

Your Guides on the Trail
Rami McCarthy, Cloud Risk Research Lead, Wiz
Amitai Cohen, Tactical Threat Intel Lead, Wiz
“Gentleman, scholar, and cloud agitator” - Clint Gibler
Pivot Cartographer & Crier at Clouds

Slide 8

Slide 8 text

Agenda
1. Recent Attacks
2. Platform & Protocol
3. Methodology
4. Challenges

Slide 9

Slide 9 text

GitHub in the Crosshairs > A Recent History of Escalating Attacks

Slide 10

Slide 10 text

Timeline of incidents (dates shown on the slide):
December 9, 2024
March 17, 2025
March 15, 2025
August 27, 2025
September 16, 2025
November 24, 2025

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

GitHub for payload retrieval
Update on Attacks by Threat Group APT-C-60, JPCERT

Slide 13

Slide 13 text

DPRK recruiters and candidates might be fake, but their abuse of GitHub is real.

Slide 14

Slide 14 text

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery, NVISO Labs
DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains, Google Threat Intelligence
Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks, Socket

Slide 15

Slide 15 text

GitHub for Command & Control (C2)
Malware leveraging public infrastructure like GitHub on the rise, ReversingLabs

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

Git & GitHub > Ecosystem 101 for defenders

Slide 18

Slide 18 text

Git
● Repositories
● Commits
● Branches
xkcd.com/1597
(section tabs: Git, Forks, Pull Requests, Gists)

Slide 19

Slide 19 text

GitHub is tightly entwined with Git

Slide 20

Slide 20 text

Forks
● Forks are independent copies of repositories (their own owner, permissions and refs)
● All part of a “repository network”: on GitHub, forks share one object store
  ○ Corollary: deleting a fork is just deleting a pointer; commits pushed to it can stay reachable by SHA from any other repository in the network
https://github.com/github/dmca/commit/565e…

Slide 21

Slide 21 text

Pull Requests
● Pull Requests are a special type of branch: the base repository keeps each PR head under a hidden ref (refs/pull/<number>/head)
● Commits in a pull request are available in the base repository even before the pull request is merged, and stay fetchable after it is closed
git checkout pr/999

Slide 22

Slide 22 text

Gists
● Gists are “a simple way to share code snippets, notes, and other small pieces of information”
● A special, lightweight type of repository: every gist is a git repository with its own clone URL and revision history

Slide 23

Slide 23 text

Investigation Methodology > Users

Slide 24

Slide 24 text

Pivoting is about using information we already have in order to discover new information

Slide 25

Slide 25 text

Investigating Users (topics: Public Profile, Search Keys, Scraping Emails, Events API, Timezone Estimation, Signs of Malice)
Public Profile
● Reverse image search
● Cross-site username reuse
● Affiliation network

Slide 26

Slide 26 text

Search Keys

Slide 27

Slide 27 text

Scraping Emails

Slide 28

Slide 28 text

Scraping Emails

Slide 29

Slide 29 text

Events API

Slide 30

Slide 30 text

Events API

Slide 31

Slide 31 text

Timezone Estimation
Better Analyzing Foreign Adversary Threats to Open-Source Software, Margin Research

Slide 32

Slide 32 text

Signs of Malice
• Backdated repositories / commits
• Cloned commit messages
• DMCA takedowns in network
• Disposable and rotated identities in commit emails
• Suspicious contributor networks
• Issue spamming & star boosting
Tools: ghbuster, gh-fake-analyzer
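The timezone-estimation and signs-of-malice pivots above can be scripted against raw commit metadata. The following is an added example written for this page (it is not code from the talk, from GitHunt, ghbuster or gh-fake-analyzer): it reads the output of `git log --format='%H%x09%an%x09%ae%x09%aI%x09%cI'`, which preserves each commit's author UTC offset (the GitHub REST API reports commit dates normalised to UTC, so the offset has to come from a clone or a `.patch` URL), estimates the author's working timezone, flags backdated commits and lists accounts whose commit emails rotate. The commit log, the repository creation date, the author names and the seven-day skew threshold are all constructed for the example.

```python
"""Added example for the user-investigation pivots (timezone estimation,
backdated commits, rotated commit identities). Not code from the talk or
GitHunt; input, thresholds and names are constructed for illustration.

Expected input: one commit per line from
    git log --format='%H%x09%an%x09%ae%x09%aI%x09%cI'
%aI/%cI keep the author's and committer's UTC offsets; the GitHub REST API
normalises commit dates to UTC, so take this from a clone or a .patch URL."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one account using three emails, one commit authored
# years before the repo existed, one whose committer date trails its author
# date by 15 days, and a second account for contrast.
SAMPLE_LOG = """\
a1b2c3d\tdevlead\tdevlead@example.com\t2025-03-10T23:50:00+09:00\t2025-03-10T23:50:00+09:00
b2c3d4e\tdevlead\tdevlead@example.com\t2025-03-10T14:40:00+09:00\t2025-03-10T14:40:00+09:00
c3d4e5f\tdevlead\t19876543+devlead@users.noreply.github.com\t2025-03-11T09:05:00+09:00\t2025-03-11T09:05:00+09:00
d4e5f6a\tdevlead\tdevlead@protonmail.example\t2025-03-12T16:20:00+09:00\t2025-03-12T16:20:00+09:00
e5f6a7b\tdevlead\tdevlead@example.com\t2021-06-01T12:00:00+09:00\t2025-03-13T11:00:00+09:00
f6a7b8c\tdevlead\tdevlead@example.com\t2025-03-13T15:30:00+09:00\t2025-03-13T15:30:00+09:00
0a1b2c3\tdevlead\tdevlead@example.com\t2025-03-10T11:00:00+09:00\t2025-03-25T11:00:00+09:00
1b2c3d4\tdevlead\tdevlead@example.com\t2025-03-14T08:30:00+00:00\t2025-03-14T08:30:00+00:00
2c3d4e5\tci-bot\tci@example.com\t2025-03-14T12:00:00+00:00\t2025-03-14T12:00:00+00:00
"""
# Constructed: the repository's created_at as reported by the repos API.
REPO_CREATED = datetime(2025, 3, 9, tzinfo=timezone.utc)


@dataclass
class Commit:
    sha: str
    name: str
    email: str
    authored: datetime    # timezone-aware, in the author's own offset
    committed: datetime   # timezone-aware, in the committer's own offset


def parse_log(text: str) -> list[Commit]:
    """Split tab-separated git log lines into Commit records."""
    commits = []
    for line in text.strip().splitlines():
        sha, name, email, authored, committed = line.split("\t")
        commits.append(Commit(sha, name, email,
                              datetime.fromisoformat(authored),
                              datetime.fromisoformat(committed)))
    return commits


def estimate_timezone(commits: list[Commit]) -> tuple[float, float]:
    """Return (dominant author UTC offset in hours, share of commits made
    between 09:00 and 18:00 in that local time). A high share at a single
    offset suggests a human working day; a flat spread suggests automation
    or a deliberately scrambled clock."""
    offsets = Counter(c.authored.utcoffset() for c in commits)
    dominant, _ = offsets.most_common(1)[0]
    in_work_hours = sum(1 for c in commits if 9 <= c.authored.hour < 18)
    return dominant.total_seconds() / 3600, in_work_hours / len(commits)


def backdated(commits: list[Commit], repo_created: datetime,
              skew: timedelta = timedelta(days=7)) -> list[tuple[str, str]]:
    """Commits whose author date predates the repository, or whose committer
    date trails the author date by more than `skew`. Rebases and cherry-picks
    also widen that gap, so treat hits as leads rather than verdicts."""
    hits = []
    for c in commits:
        if c.authored < repo_created:
            hits.append((c.sha, "author date before repo creation"))
        elif c.committed - c.authored > skew:
            hits.append((c.sha, "author date far behind committer date"))
    return hits


def identity_churn(commits: list[Commit]) -> dict[str, list[str]]:
    """Map each author name to its distinct emails and keep only names with
    more than one, or with a GitHub noreply address (free to mint, nothing
    to verify), the pattern behind disposable and rotated identities."""
    emails: dict[str, set[str]] = defaultdict(set)
    for c in commits:
        emails[c.name].add(c.email.lower())
    return {name: sorted(es) for name, es in emails.items()
            if len(es) > 1 or any(e.endswith("@users.noreply.github.com") for e in es)}


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("dominant UTC offset, share in 09-18 local:", estimate_timezone(commits))
    print("backdated:", backdated(commits, REPO_CREATED))
    print("identity churn:", identity_churn(commits))
```

The same three checks run unchanged over a real clone; the only field that needs a different source than the REST API is the offset, which is exactly why the script takes `git log` output rather than `/repos/{owner}/{repo}/commits` JSON.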

Slide 33

Slide 33 text

Check this out at Pivot Atlas: gopivot.ing

Slide 34

Slide 34 text

Investigation Methodology > Attacks

Slide 35

Slide 35 text

Investigating Attacks (sections: Payloads, Exploitation, Exfiltration, Absence as Evidence)
● Payload development evident in git log

Slide 36

Slide 36 text

● Researcher payloads

Slide 37

Slide 37 text

● Usage of open source tools

Slide 38

Slide 38 text

● Usage of open source tools

Slide 39

Slide 39 text

● Public tools disclose impact

Slide 40

Slide 40 text

● Disruption

Slide 41

Slide 41 text

● Public exfiltration makes a mess

Slide 42

Slide 42 text

● Certain patterns have that bug bounty “smell”

Slide 43

Slide 43 text

Recovering deleted PRs

Slide 44

Slide 44 text

Recovering deleted commits via cross-fork references

Slide 45

Slide 45 text

Recovering deleted gists

Slide 46

Slide 46 text

Recovering changes

Slide 47

Slide 47 text

Absence as Evidence
● Deleted users
● Deleted forks
● Missing workflow runs and GitHub Action logs
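The Events API, cross-fork recovery and absence-as-evidence slides above combine naturally in one script. The following is an added example written for this page (not code from the talk or GitHunt): it replays a saved page of `GET /users/{user}/events/public`, pairs every commit pushed to a branch that a later DeleteEvent removed with the per-SHA `.patch` URL GitHub still serves for it, lists the (upstream, fork) pairs from ForkEvents as pivots into the repository network, and reports whether the visible window was cut off by the public timeline's 300-event / 90-day limit. The events, account and repository names and SHAs are constructed to mimic the real payload shapes.

```python
"""Added example for the Events API / absence-as-evidence pivots. Not code
from the talk or GitHunt; events, names and SHAs below are constructed in
the shape of GET /users/{user}/events/public responses."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_EVENTS = [  # newest first, as the API returns them (constructed data)
    {"type": "DeleteEvent", "repo": {"name": "actor-x/loader"},
     "created_at": "2025-09-16T10:00:00Z",
     "payload": {"ref": "feature/stage2", "ref_type": "branch"}},
    {"type": "PushEvent", "repo": {"name": "actor-x/loader"},
     "created_at": "2025-09-15T21:30:00Z",
     "payload": {"ref": "refs/heads/feature/stage2",
                 "commits": [{"sha": "9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6",
                              "message": "add stager", "distinct": True},
                             {"sha": "0011223344556677889900aabbccddeeff001122",
                              "message": "exfil to gist", "distinct": True}]}},
    {"type": "PushEvent", "repo": {"name": "actor-x/loader"},
     "created_at": "2025-09-14T08:00:00Z",
     "payload": {"ref": "refs/heads/main",
                 "commits": [{"sha": "abcdef0123456789abcdef0123456789abcdef01",
                              "message": "init", "distinct": True}]}},
    {"type": "ForkEvent", "repo": {"name": "victim-org/build-tool"},
     "created_at": "2025-09-13T07:45:00Z",
     "payload": {"forkee": {"full_name": "actor-x/build-tool"}}},
    {"type": "CreateEvent", "repo": {"name": "actor-x/loader"},
     "created_at": "2025-09-13T07:00:00Z",
     "payload": {"ref": None, "ref_type": "repository"}},
]


def parse_ts(ts: str) -> datetime:
    """API timestamps are UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def orphaned_commits(events: list[dict]) -> list[dict]:
    """Replay events oldest-first; when a branch is deleted, every SHA pushed
    to it inside the visible window becomes a recovery candidate. Deleting
    the ref (or the fork) usually leaves the object in place, so each hit is
    paired with the URL GitHub serves for a commit addressed by SHA.
    Note: a PushEvent payload lists at most 20 commits per push."""
    pushed: dict[tuple[str, str], list[str]] = defaultdict(list)
    found = []
    for ev in reversed(events):
        repo, payload = ev["repo"]["name"], ev["payload"]
        if ev["type"] == "PushEvent":
            branch = payload["ref"].split("refs/heads/", 1)[-1]
            for commit in payload.get("commits", []):
                pushed[(repo, branch)].append(commit["sha"])
        elif ev["type"] == "DeleteEvent" and payload["ref_type"] == "branch":
            for sha in pushed.pop((repo, payload["ref"]), []):
                found.append({"repo": repo, "sha": sha, "deleted_ref": payload["ref"],
                              "patch_url": f"https://github.com/{repo}/commit/{sha}.patch"})
    return found


def fork_pivots(events: list[dict]) -> list[tuple[str, str]]:
    """ForkEvents fire on the parent repository, so `repo.name` is the
    upstream and `forkee.full_name` the new fork: the pairs to walk when a
    commit has vanished from one repository but may survive in its network."""
    return [(ev["repo"]["name"], ev["payload"]["forkee"]["full_name"])
            for ev in events if ev["type"] == "ForkEvent"]


def visible_window(events: list[dict], now: datetime) -> tuple[datetime, bool]:
    """Oldest visible event and whether the timeline is likely truncated.
    The public timeline is capped at 300 events and 90 days, so beyond either
    limit the absence of an event is not evidence of inactivity."""
    oldest = min(parse_ts(ev["created_at"]) for ev in events)
    truncated = len(events) >= 300 or now - oldest > timedelta(days=89)
    return oldest, truncated


if __name__ == "__main__":
    for hit in orphaned_commits(SAMPLE_EVENTS):
        print(f"{hit['repo']}: {hit['sha'][:12]} (was on {hit['deleted_ref']}) -> {hit['patch_url']}")
    print("fork pivots:", fork_pivots(SAMPLE_EVENTS))
    print("window:", visible_window(SAMPLE_EVENTS, datetime.now(timezone.utc)))
```

When the target has been deleted outright, the same replay can be run over an archived copy of its events instead of the live API; the recovered SHAs are then tried against every repository returned by `fork_pivots`, which is the cross-fork reference trick from the recovery slides.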

Slide 48

Slide 48 text

Evidence of absence

Slide 49

Slide 49 text

Technical Difficulties

Slide 50

Slide 50 text

1. Not all events are logged publicly

Slide 51

Slide 51 text

2. Third parties that index data have gaps

Slide 52

Slide 52 text

3. Not all user profiles are public

Slide 53

Slide 53 text

4. GitHub code search only indexes the default branch, so content on other branches, pull request refs and most forks has to be cloned and searched locally

Slide 54

Slide 54 text

5. Evidence is often deleted by attackers
S1ngularity - What Happened, How We Responded, What We Learned

Slide 55

Slide 55 text

6. Evidence is often deleted by defenders

Slide 56

Slide 56 text

Takeaways

Slide 57

Slide 57 text

• Threat activity involving GitHub is picking up
• GitHub is a critical source of threat intelligence
• And it’s insufficiently leveraged by defenders
• But if attackers can do it, so can you!

Slide 58

Slide 58 text

GitHunt
Try it out yourself: wiz-sec-public/githunt

Slide 59

Slide 59 text

Thank you!