News and Notes from the Makers of Nexus | Sonatype Blog

Gitpaste-12: A dozen exploits that silently lived on GitHub, attacked Linux servers

Written by Ax Sharma | November 08, 2020

Just months after Octopus Scanner was caught infecting 26 open source projects on GitHub, new reports have already surfaced of another, new sophisticated malware infection. Gitpaste-12, a worming botnet, is extremely versatile in its advanced capabilities and the fact it leverages trustworthy sites like GitHub and Pastebin to host itself.

The name Gitpaste-12 stems from the 12 known vulnerability exploits within the worm, much like a "swiss-army knife." Two of these exploits target 2 popular open source components, Apache Struts and mongoDB.

Remained undetected on GitHub for over three months

By hosting its malicious payload on sites like GitHub and Pastebin, the Command and Control (C2) infrastructure now becomes incredibly hard to block using simple IOC-blocks at enterprises, because there are legitimate use-cases of these websites.

In fact, Gitpaste-12 has been silently sitting on GitHub since July 2020.

It wasn't until Juniper Threat Labs spotted the botnet on October 15th, and had GitHub shut it down roughly two weeks later.

"The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, selinux, apparmor, as well as common attack prevention and monitoring software," said Juniper Threat Labs researchers Alex Burt and Trevor Pott.

The worm provides attackers reverse shells. The researchers observed some infected systems using TCP ports 30004 and 30005 open to listen for shell commands.

Furthermore, Gitpaste-12 is loaded with a Monero cryptocurrency miner with additional code to hide it from process monitors, a Telnet-based script to breach Linux servers, and IoT devices via brute force, a cronjob that paves way for the worm to gain persistence, and so on.

"The Gitpaste-12 malware also contains a script that launches attacks against other machines, in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try all addresses within that range," stated Juniper's researchers.

Gitpaste-12 expected to evolve and return, reveals test code

The worming botnet is indeed multifaceted in what all it can do and how skilled it is at evading detection.

But what makes Gitpaste-12 particularly dangerous is that it’s taking advantage of the community trust.

In our recent state of the software supply chain report, we documented a 430% increase in malicious code injection within OSS projects - or next-gen software supply chain attacks, but this is only the second time we've seen this form of attack.

Juniper researchers clearly state although the malware may presently be targeting Linux servers and IoTs, "There is evidence of test code for possible future modules, indicating ongoing development for this malware."

This attack infects developer tools that subsequently infect all of the projects they are working on to spread the vulnerabilities. It's been open season on open source for a number of years, developers are on the front lines, and a new attack vector is rearing its head on the battlefield.

We can't be too certain what next version of an already advanced malware like Gitpaste-12 may look like. Based on what we have seen though, the malware's exploitation of an otherwise trustworthy open source ecosystem combined with its skillfully evasive nature, and a dozen vulnerability exploits it ships with, Gitpaste-12 speaks to the importance of regularly vetting your software supply chains through automation.

Why you always need to look deeper

The Gitpaste-12 incident further validates the importance of analyzing binaries within your code and not taking the word of the manifest. Gitpaste-12 is effectively introducing counterfeit code that is very difficult to detect without the right form of automated deep binary analysis. Which is why we at Sonatype have focused so prominently on knowing everything that is in the code you're using.

Our CTO Brian Fox explained this well when talking about Octopus Scanner in May 2020. He said, "We were the first to introduce automated component analysis inside artifact repositories, the first to provide automated component intelligence to developers inside their IDE, and the first to offer automated perimeter security for OSS downloads. We're also the only SCA provider on the market to offer Advanced Binary Fingerprinting (ABF) that includes a lesser known capability that we refer to as 'partial matching.' Partial matching enables users of our Sonatype Platform to see when any aspect of a component has been changed. A component may go by the same name and version number according to an analysis of the package manifest, but the underlying code base could have been changed."

"We often see this form of binary change when crafty developers are trying to workaround their OSS governance policies. Let's say they really like using jquery 3.2 but their OSS policy only allows the use of jquery 3.4 or greater. Why not just change the name of the 3.2 binary to show 3.5 and surreptitiously avoid violating your OSS governance policy? Yes, we've seen developers do this a few times. That substitution might not be so bad as a malware injected binary, but partial matching would catch it nonetheless."

Specifically speaking to Gitpaste-12, Sonatype customers need not be concerned about the two open source exploits within it. If you happen to use abnormal or potentially malicious components, our continuous analysis of binaries will flag it as a partial match and alert your developers and security team of the issue. As usual, you will be guided to alternative safer versions of that component available for use.

Indicators of Compromise (IOCs)

Gitpaste-12 IOCs as shared by Juniper Threat Labs are given below.

Hashes:

Monero Miner

e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9

hide.so

ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b

Miner config

bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1

Shell script

5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3