Security Experts | Informationsecuritybuzz.com
New findings were published today on the “Gitpaste-12” worm, which uses GitHub and Pastebin to host its component code and ships at least 12 different attack modules that exploit a range of known vulnerabilities. It downloads its payloads from GitHub and Pastebin, two sites that are rarely blocked and are reached over encrypted connections, which makes it harder for traditional security controls to stop the attack. Current targets are Linux-based x86 servers and Linux ARM- and MIPS-based IoT devices.
EXPERTS COMMENTS
| November 06, 2020
Saryu Nayyar, CEO, Gurucul
The Gitpaste worm identified by Juniper Labs is interesting both in how it’s deployed and its targeting of Linux and IoT devices.
The Gitpaste worm identified by Juniper Labs is interesting both in how it’s deployed and its targeting of Linux and IoT devices. By using Pastebin and GitHub, two services that many organizations allow access to, the attackers are trying to slip through firewall and proxy rules that might otherwise stop them. However, there are multiple tools, including behavioral analytics, that can identify and block these connections, dramatically reducing the threat from this attack vector.
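The point above, that the worm's use of GitHub and Pastebin can still be caught by looking at who is fetching what, can be turned into a simple proxy-log check. The following is an added example written for this page; it is not code from Juniper Labs, the commenter, or Informationsecuritybuzz. It assumes a squid-style proxy log format, assumes two network segments (a server farm and an IoT segment) where interactive browsing is not expected, and uses the real raw-content endpoints `raw.githubusercontent.com` and `pastebin.com/raw/` (the example URLs, repository and paste names below are constructed placeholders). A host in a non-interactive segment pulling raw content from either service is flagged; a host pulling from both, which matches the pattern the article describes, is rated higher.

```python
"""Flag raw-content fetches from GitHub/Pastebin by hosts that should not browse.

Added example, not from the article or Juniper's research. Log format,
subnets and the sample lines are constructed assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed squid-style proxy log lines: epoch, client, status, method, url.
SAMPLE_LOG = """\
1604620800.101 10.10.1.20 TCP_MISS/200 GET https://github.com/example/repo
1604620801.250 10.20.5.7 TCP_MISS/200 GET https://pastebin.com/raw/AbCdEf12
1604620802.333 10.20.5.7 TCP_MISS/200 GET https://raw.githubusercontent.com/someuser/somerepo/master/x.sh
1604620803.400 10.10.1.21 TCP_MISS/200 GET https://raw.githubusercontent.com/someuser/somerepo/master/README.md
1604620804.500 10.30.9.44 TCP_MISS/200 GET https://pastebin.com/raw/ZzYyXx99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Raw-content endpoints of the two services (real hostnames/paths).
RAW_PATTERNS = {
    "github": re.compile(r"^https?://raw\.githubusercontent\.com/", re.I),
    "pastebin": re.compile(r"^https?://pastebin\.com/raw/", re.I),
}

# Assumed segments where a human browsing GitHub or Pastebin is not expected.
NON_INTERACTIVE_SEGMENTS = [
    ipaddress.ip_network("10.20.0.0/16"),  # Linux server farm (assumed)
    ipaddress.ip_network("10.30.0.0/16"),  # IoT / embedded devices (assumed)
]


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def raw_service(url):
    """Return 'github' or 'pastebin' if the URL is a raw-content fetch, else None."""
    for name, pat in RAW_PATTERNS.items():
        if pat.match(url):
            return name
    return None


def in_non_interactive_segment(ip_text):
    """True if the client address belongs to a segment that should not browse."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in NON_INTERACTIVE_SEGMENTS)


def find_suspicious(log_text):
    """Group raw fetches by client in non-interactive segments and rate them.

    Returns {client: {"urls": [...], "services": [...], "severity": str}}.
    Severity is 'high' when a client touched both services, else 'medium'.
    """
    per_client = defaultdict(lambda: {"urls": [], "services": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        svc = raw_service(rec["url"])
        if svc is None or not in_non_interactive_segment(rec["client"]):
            continue
        entry = per_client[rec["client"]]
        entry["urls"].append(rec["url"])
        entry["services"].add(svc)

    findings = {}
    for client, entry in per_client.items():
        severity = "high" if len(entry["services"]) > 1 else "medium"
        findings[client] = {
            "urls": entry["urls"],
            "services": sorted(entry["services"]),
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for client, f in find_suspicious(SAMPLE_LOG).items():
        print(f"{f['severity']:6} {client} fetched raw content from {', '.join(f['services'])}:")
        for u in f["urls"]:
            print("       ", u)
```

The workstation at 10.10.1.21 fetching a raw README is deliberately not flagged: the signal is not the destination alone but the destination combined with a source that has no reason to be there, which is the kind of context a behavioral tool adds over a plain URL blocklist.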
| November 06, 2020
Chloé Messdaghi, VP of Strategy, Point3 Security
Device and server misconfiguration issues like this can lead to automated worms infecting a large number of systems very quickly.
It’s called Gitpaste-12 because of the usage of GitHub, Pastebin and 12 known attack modules and possibly more under development. It’s a worm that attempts to use known exploits to compromise systems and may also attempt to brute force passwords.
Because some compromised systems have specific ports open, it spreads fast as you do not need to be an authorized user to send commands, and it can then spread to other devices on the same network or across the internet as well. Device and server misconfiguration issues like this can lead to automated worms infecting a large number of systems very quickly.
| November 06, 2020
Ax Sharma, Security Researcher, Ax Sharma
Sophisticated malware and cryptominer with a low or zero detection rate
As I reported on BleepingComputer, at the time of writing multiple files associated with Gitpaste-12 have a very low or zero detection rate. There’s an indication that the next iteration of Gitpaste-12 may resurface, and that speaks to how attackers are exploiting the trust within open-source ecosystems like GitHub and legitimate sites like Pastebin. These sites are hard to block via enterprise perimeter security products given their very many business use-cases.
Gitpaste-12 does a lot of things. Like a “Swiss knife” it comes loaded with exploits for 12 known vulnerabilities, mines Monero (XMR) cryptocurrency, targets Linux servers and IoTs, evades detection, spreads itself, and is expected to be seen again, as Juniper’s researchers concluded.
External Link: New Gitpaste-12 Worming Botnet Spreads via GitHub And Pastebin – Experts Perspectives