Hackers have the option to use GitHub Codespaces for hosting and delivering malware

Researchers discovered that threat actors could use GitHub Codespaces’ port forwarding feature to distribute malicious scripts and malware.

GitHub Codespaces allows developers the ability to host cloud-hosted IDE platforms within virtualized containers. This allows them to create, edit and run code right from a browser.

It became available widely in November 2022. GitHub Codespaces is a favorite choice for developers because of its container-based, preconfigured environment that includes all necessary dependencies for your projects.

Use GitHub Codespaces to host your malware servers

Trend Micro researchers have released a report that shows how GitHub Codespaces could be easily configured as a webserver for malicious content distribution. However, it is possible to avoid detection if the traffic originates from Microsoft.

GitHub Codespaces lets developers forward TCP ports for the public to external users so they can view or test the apps.

The GitHub feature generates a URL that allows you to reach the codespace VM port forwarding. This URL can either be private or public.

To access a private port forward, you will need to authenticate using tokens or cookies. A public port can be accessed by anyone with the URL, but authentication is not required.

Port visibility setting on Codespaces

Source: Trend Micro

Trend Micro claims that this GitHub feature allows developers to demonstrate code, but attackers can still easily misuse it to upload malware.

An attacker could theoretically run a Python web server and upload malware or scripts to their Codespace.

You can use the generated URL to gain access to hosted files for either phishing or hosting malicious executables that have been downloaded from other malware.

These are the exact ways that threat actors use other trusted services like Google Cloud, Amazon AWS and Microsoft Azure to spread malware.

The states that “To confirm our hypothesis about threat modeling abuse scenario,” they ran a Python-based HTTP Server on port 8080. They forwarded the port and exposed it publicly.

“In the course of the process we easily discovered the URL and the lack of cookies to authenticate.”

Analysts state that although HTTP is the default protocol in Codespaces’ port-forwarding system (port forwarding), developers have the option to set it up as HTTPS. This will increase the security illusion for URLs.

Because GitHub can be trusted, anti-virus tools will not raise alarms. This allows threat actors to evade detection with minimal effort.

Codespaces abuse attack diagram

(Trend Micro)

Furthering the attack

Trend Micro Analysts also explored the possibility of using within GitHub Codespaces in order to improve their malware distribution operation.

A “dev container”, as it is called in GitHub Codespaces, is a container with all necessary tools and dependencies for a particular project. It can be used by developers to quickly deploy, share with others or connect through VCS.

A script can be used by an attacker to send a port forward, execute a Python HTTP Server, and then download malware files from their Codespace.

The port visibility setting is then set to public. This creates a webserver that hosts malicious files and serves them to their targets.

Trend Micro has created a Proof of Concept (PoC), which uses a 100 second delay following the URL being accessed, before the web server’s deletion.

BleepingComputer managed to recreate the “malicious webserver” using Codespaces within a matter of minutes and with no prior experience.

Running a web server on a GitHub Codespaces VM

Source: BleepingComputer

Attackers can use such scripts to quickly serve malicious content in GitHub Codespaces by exposing ports publically on their codespace environments. Trend Micro explains that each Codespace is uniquely identified, so the associated subdomains are also unique.”

This gives attackers enough room to create other instances of open directories.

GitHub policy states that codespaces which are inactive after will be automatically deleted. This means attackers could use the URL for a whole month.

Although there has been no abuse of GitHub Codespaces, this report does highlight a real possibility. Threat actors prefer to attack “free-to-use” platforms that can be trusted by security tools.

BleepingComputer reached out to GitHub for comment regarding Trend Micro’s Report, but is still waiting on a reply.