New findings were published today on the “Gitpaste-12” worm, which uses GitHub and Pastebin to store component code and has at least 12 different attack modules available to exploit a range of vulnerabilities. It relies on GitHub and Pastebin to download payloads, two sites that aren’t usually blocked and whose connections are encrypted, making it more difficult for traditional security measures to block this attack. Current targets are Linux-based x86 servers, and Linux ARM- and MIPS-based IoT devices.
Juniper Threat Labs: Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin
These types of infections are extremely hard to block via enterprise security products. Enterprise development and security teams can’t just block GitHub and Pastebin, because they are tied to legitimate innovation pipelines. By taking advantage of these stalwart entities, Gitpaste-12 is exploiting the trust of open source software repositories and making detection and IOC-based blocks difficult.
Gitpaste-12 had been living quietly on GitHub since July 2020, until it was taken down last month.
What makes Gitpaste-12 so dangerous is that it’s taking advantage of the community trust. In our recent State of the Software Supply Chain report, we documented a 430% increase in malicious code injection within OSS projects – or next-gen software supply chain attacks. Gitpaste-12 represents the most advanced form of these next-generation attacks by preying upon tools developers use to create their code rather than targeting code itself. Attacks infecting developer tools subsequently infect all of the projects developers are working on – not just a single package of code. It’s been open season on open source for a number of years, developers are on the front lines, and a new attack vector is rearing its head on the battlefield.
The Gitpaste-12 incident further validates the importance of analysing binaries within your code and not taking the word of the manifest. Gitpaste-12 is effectively introducing counterfeit code that is very difficult to detect without the right form of automated deep binary analysis. This same attack vector was used with Octopus Scanner in May 2020, where look-alike code packages with malicious code were created unbeknownst to developers using the infected tools.
I’ve always described this in terms of a tainted food project. If you inspect a salad recipe, you’ll find all of the common ingredient names (aka the manifest), but quality is not an attribute of the ingredient list. For example, “tainted lettuce” won’t be listed as an ingredient of the salad, but that doesn’t mean you won’t end up with E. coli when using it. In this case, adversaries are not focused on the ingredients, they are using infected chefs’ tools to spread the contamination.
As I reported on BleepingComputer, at the time of writing multiple files associated with Gitpaste-12 have a very low or zero detection rate. There’s an indication that the next iteration of Gitpaste-12 may resurface, and that speaks to how attackers are exploiting the trust within open-source ecosystems like GitHub and legitimate sites like Pastebin. These sites are hard to block via enterprise perimeter security products given their very many business use cases.
Gitpaste-12 does a lot of things. Like a “Swiss knife” it comes loaded with exploits for 12 known vulnerabilities, mines Monero (XMR) cryptocurrency, targets Linux servers and IoTs, evades detection, spreads itself, and is expected to be seen again, as Juniper’s researchers concluded.
It’s called Gitpaste-12 because of the usage of GitHub, Pastebin and 12 known attack modules and possibly more under development. It’s a worm that attempts to use known exploits to compromise systems and may also attempt to brute force passwords.
Because some compromised systems have specific ports open, it spreads fast as you do not need to be an authorized user to send commands, and it can then spread to other devices on the same network or across the internet as well. Device and server misconfiguration issues like this can lead to automated worms infecting a large number of systems very quickly.
The Gitpaste worm identified by Juniper Labs is interesting both in how it’s deployed and its targeting of Linux and IoT devices. By using Pastebin and GitHub, two services that many organizations allow access to, the attackers are trying to slip through firewall and proxy rules that might otherwise stop them. However, there are multiple tools, including behavioral analytics, that can identify and block these connections, dramatically reducing the threat from this attack vector.