Ask HN: Remote repos being used for C2 botnet, or VMS scan?
2 points
by paddlepop
2491 days ago
Observation:

A number of external repos are having malicious-looking repositories created with the pattern ";[6 alphanum]<ScRiPt>[4 alphanum]([4 num])</;[6 alphanum]". For example: ";0MhPC1<ScRiPt>r7kK(9626)</;CD4u6". All appear to be running JFrog Artifactory.

The remote repos we have identified are:

http://repo.gradle.org/gradle/repo/
https://repo.datastax.com/dse/
https://maven.openflexo.org/artifactory/openflexo-deps/
https://qasymphony.jfrog.io/qasymphony/repo/

Possible scenarios:

1 - Someone is running some kind of daily vulnerability scan against these repos. This is inadvertently testing the "create repo" name field for XSS, which is then submitted, creating the repo.

2 - Repos are being created for use as a botnet communication channel. Pretty clever, in my opinion, to use remote repos as a means to bypass internal network restrictions.

Any owners able to tell if the creator is distributed?
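An added example, not code from the post or from JFrog: a Python script that classifies Artifactory repository keys, flags keys matching the probe pattern the post describes, and groups probe hits by their four-digit number across hosts, which is the kind of check a repo owner could run before answering the "is the creator distributed?" question. Assumptions: Artifactory's repository list is available at GET <base>/api/repositories and returns JSON objects with a "key" field; a legitimate repo key uses only letters, digits, ".", "_" and "-"; the hostnames and all but one of the odd-looking keys in the sample listing are constructed (the one real key is the sample quoted in the post). The regex is deliberately loose on the trailing segment because the post's sample key has five characters there rather than the six the pattern states.

```python
"""Flag Artifactory repository keys that look like XSS-scanner probes.

Added example; not code from the Ask HN post or from JFrog.
"""
import json
import re
import sys
import urllib.request

# The name pattern reported in the post. <ScRiPt> is matched case-insensitively,
# and the trailing segment is allowed 4-8 characters because the post's sample
# key (";0MhPC1<ScRiPt>r7kK(9626)</;CD4u6") has five there, not six.
PROBE_RE = re.compile(
    r"^;(?P<lead>[A-Za-z0-9]{6})<script>(?P<fn>[A-Za-z0-9]{4})\((?P<marker>\d{4})\)"
    r"</;(?P<tail>[A-Za-z0-9]{4,8})$",
    re.IGNORECASE,
)

# Assumption: a legitimate repo key contains only letters, digits, '.', '_' and '-'.
# Anything else (angle brackets, quotes, parentheses, semicolons) is worth a look
# even when it does not match PROBE_RE exactly.
VALID_KEY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def classify_repo_key(key):
    """Return 'probe', 'suspicious' or 'ok' for one repository key."""
    if PROBE_RE.match(key):
        return "probe"
    if not VALID_KEY_RE.match(key):
        return "suspicious"
    return "ok"


def probe_marker(key):
    """Return the 4-digit number inside a probe-style key, or None."""
    m = PROBE_RE.match(key)
    return m.group("marker") if m else None


def scan_listings(listings):
    """listings maps host -> list of repo dicts (the shape of /api/repositories).

    Returns (findings, by_marker): findings maps host -> [(key, verdict), ...]
    for every non-'ok' key; by_marker maps a probe's 4-digit number to the set
    of hosts it was seen on, so the same marker showing up on several hosts
    stands out.
    """
    findings = {}
    by_marker = {}
    for host, repos in listings.items():
        hits = []
        for repo in repos:
            key = repo["key"]
            verdict = classify_repo_key(key)
            if verdict == "ok":
                continue
            hits.append((key, verdict))
            marker = probe_marker(key)
            if marker is not None:
                by_marker.setdefault(marker, set()).add(host)
        findings[host] = hits
    return findings, by_marker


def fetch_listing(base_url, token=None, timeout=15):
    """Fetch the live repository list from one Artifactory instance.

    Assumption: GET {base_url}/api/repositories returns a JSON array of
    objects with a 'key' field. Not called by the offline demo below.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/api/repositories")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample listings for an offline run. Only the first odd-looking key
# is the real sample from the post; the hosts and the other keys are made up.
SAMPLE_LISTINGS = {
    "https://repo-a.example.test/artifactory": [
        {"key": "libs-release", "type": "LOCAL"},
        {"key": "jcenter", "type": "REMOTE"},
        {"key": ";0MhPC1<ScRiPt>r7kK(9626)</;CD4u6", "type": "LOCAL"},
        {"key": ";aB3dE9<ScRiPt>Zz1q(9626)</;Qw7Er2", "type": "LOCAL"},
        {"key": "<img src=x onerror=alert(1)>", "type": "LOCAL"},
    ],
    "https://repo-b.example.test/artifactory": [
        {"key": "maven-remote", "type": "REMOTE"},
        {"key": ";Xy9Kq2<ScRiPt>Lm4N(9626)</;Pp0Oo1", "type": "LOCAL"},
    ],
}


if __name__ == "__main__":
    # Usage: python scan_repo_keys.py            -> scan the constructed sample
    #        python scan_repo_keys.py URL [URL]  -> scan live instances
    listings = {u: fetch_listing(u) for u in sys.argv[1:]} or SAMPLE_LISTINGS
    findings, by_marker = scan_listings(listings)
    for host, hits in findings.items():
        for key, verdict in hits:
            print(f"{verdict:<10} {host}  {key!r}")
    for marker, hosts in sorted(by_marker.items()):
        if len(hosts) > 1:
            print(f"marker {marker} seen on {len(hosts)} hosts: {sorted(hosts)}")
```

Run with no arguments to see the sample output; pass one or more Artifactory base URLs (and set an access token in fetch_listing if the instance requires it) to scan live listings. The marker grouping only tells you that the same number appeared on more than one host; whether that reflects one scanner run or several is something only the instance logs (source addresses and timestamps of the create-repo requests) can settle.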
I'm glad others are seeing these weird things too and it's giving them pause as well.