At a glance.
- Codespaces accounts can act as malware servers.
- Blank-image attacks.
- Campaigns leveraging HR policy themes.
- Travel-themed phishing increases.
- An overview of 2H 2022 ICS vulnerabilities.
- Ukraine warns that Russian cyberattacks continue.
Codespaces accounts can act as malware servers.
Researchers at Trend Micro have found that GitHub Codespaces, a cloud-based IDE that was released in November 2022, can be abused to create a trusted malware file server. The issue lies in Codespaces' ability to share forwarded ports publicly, which allows developers to preview their projects as an end user:
“We investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration – sharing forwarded ports publicly – can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even as it serves malicious content (such as scripts, malware, and ransomware, among others), and organizations may consider these events as benign or false positives.”
The researchers explain that “attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments.” Trend Micro also notes that they haven’t seen this technique used in the wild.
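Because these requests go to a legitimate GitHub-owned domain, reputation-based filtering will not separate them from normal developer previews. The following is an added example, not code from Trend Micro or from this page: a triage pass over web-proxy logs that flags forwarded-port requests by what was fetched and by which client software. The hostname pattern, log layout, indicator lists and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: forwarded-port hosts look like <codespace-name>-<port>.preview.app.github.dev
# (or .app.github.dev); adjust the pattern to what your own proxy logs show.
CODESPACES_HOST = re.compile(r"^[a-z0-9-]+-(?P<port>\d{2,5})\.(?:preview\.)?app\.github\.dev$")
RISKY_EXT = (".exe", ".dll", ".msi", ".ps1", ".bat", ".vbs", ".hta", ".sh", ".elf")
RISKY_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-sh"}

# Constructed proxy log: time client method url status content-type user-agent
SAMPLE_LOG = """\
2023-01-20T10:01:02Z 10.0.4.17 GET https://github.com/example/repo 200 text/html Mozilla/5.0
2023-01-20T10:02:10Z 10.0.4.17 GET https://dev-alice-abc123-8080.preview.app.github.dev/index.html 200 text/html Mozilla/5.0
2023-01-20T10:03:44Z 10.0.9.3 GET https://user-x-7f3k-9000.preview.app.github.dev/update.exe 200 application/x-msdownload curl/7.85.0
2023-01-20T10:05:12Z 10.0.9.3 GET https://user-x-7f3k-9000.app.github.dev/stage2 200 application/octet-stream PowerShell/7.3
"""

def parse(line):
    ts, client, method, url, status, ctype, agent = line.split(maxsplit=6)
    return {"ts": ts, "client": client, "url": url, "ctype": ctype, "agent": agent}

def score(event):
    """None if the host is not a forwarded port; otherwise a list of payload indicators."""
    parts = urlsplit(event["url"])
    if not CODESPACES_HOST.match((parts.hostname or "").lower()):
        return None
    reasons = []
    if parts.path.lower().endswith(RISKY_EXT):
        reasons.append("executable/script extension")
    if event["ctype"].lower() in RISKY_TYPES:
        reasons.append("binary content type")
    if not event["agent"].lower().startswith("mozilla"):
        reasons.append("non-browser user agent")
    return reasons

def triage(log_text):
    """Return (client, host, reasons) for forwarded-port requests that look like payload fetches."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        reasons = score(event := parse(line))
        if reasons:
            findings.append((event["client"], urlsplit(event["url"]).hostname, reasons))
    return findings

if __name__ == "__main__":
    for client, host, reasons in triage(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

A browser preview of an HTML page on a forwarded port produces no finding, so ordinary developer use stays quiet while scripted fetches of binaries surface for review.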