Hackers Are Now Using Your Favorite Apps Against You
By 813 Staff

A new report from Cisco’s Talos intelligence group details a significant shift in the cybercriminal playbook, where attackers are now systematically co-opting legitimate automation and CI/CD platforms as their primary attack infrastructure. Internal documents show that over the last quarter, Talos analysts have tracked a 300% increase in campaigns leveraging tools like Jenkins, GitHub Actions, and CircleCI to host malware payloads and command-and-control servers. This method, termed "infrastructure-as-a-service" by the criminals themselves, provides them with the credibility of a major tech domain and the ability to rapidly spin up and tear down malicious operations, often staying ahead of traditional blocklists.
The technical brief, first highlighted by @TheHackersNews, explains that attackers are compromising developer accounts or simply signing up for free tiers on these services. They then configure automated jobs or repositories that deliver malware directly to victims, using the platform’s own compute resources and domain names. This bypasses the need for the attackers to register their own suspicious domains or maintain expensive, fragile botnets. For enterprise security teams, the threat is insidious: network traffic to a known, trusted domain like `githubusercontent.com` or a major CI/CD provider is rarely scrutinized or blocked, allowing malicious payloads to sail through perimeter defenses.
Engineers close to the project say the defensive rollout from platform providers has been anything but smooth. While GitHub, GitLab, and others have automated systems to detect and suspend abusive accounts, the attackers are using stolen credentials and disposable payment methods to maintain a persistent presence. The economic asymmetry is stark; it costs a platform provider significant resources to investigate and terminate a single malicious account, while an attacker can create a new one in minutes. This places a heavier burden on internal security teams to monitor outbound calls from their own automation tools, looking for anomalous job executions or data exfiltration attempts that might indicate a compromised pipeline.
What happens next hinges on a difficult collaboration between the automation platforms and their enterprise customers. The platforms are expected to roll out more stringent identity verification for accounts that trigger automated builds, alongside enhanced anomaly detection within job logs. However, a source within Talos indicated that sophisticated actors are already adapting, using compromised enterprise accounts with pre-existing credibility. The uncertainty lies in whether these platforms can impose stricter controls without hampering the developer experience that made them ubiquitous. For now, the advisory mandates a zero-trust approach to all automation, treating even traffic from within these trusted ecosystems as potentially hostile until proven otherwise.
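The two paragraphs above leave the defensive recommendation abstract: watch outbound connections from your own runners for destinations a build has no reason to reach, for unexpected volumes, and for jobs triggered by accounts that should not be triggering them. The following script is an added illustration of that kind of check, written for this page; it is not code from Talos, the article, or any platform provider. It assumes a hypothetical egress log format (one line per outbound connection with `job=`, `actor=`, `dst=` and `bytes_out=` fields), a hypothetical allowlist of expected build hosts, and a constructed byte threshold; the sample log lines are constructed for the example.

```python
"""Flag anomalous egress from CI/CD runners.

Assumptions (not from the report): each runner emits one line per outbound
connection in the form
    <ISO timestamp> job=<id> actor=<user> dst=<host> bytes_out=<n>
and the team keeps an allowlist of hosts a build is expected to reach.
The sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Hosts a build may legitimately contact (hypothetical allowlist).
ALLOWED_HOSTS = {
    "registry.npmjs.org",
    "pypi.org",
    "files.pythonhosted.org",
    "github.com",
    "api.github.com",
}

# Bytes sent by one job to a single non-allowlisted host before we treat it
# as possible exfiltration (hypothetical threshold).
EXFIL_BYTES = 5 * 1024 * 1024

# Accounts expected to trigger pipelines (hypothetical).
KNOWN_ACTORS = {"ci-bot", "alice", "bob"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) actor=(?P<actor>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample log lines: one clean build, one that pushes several MB
# to an unlisted IP, and one triggered by an account nobody recognizes.
SAMPLE_LOG = """\
2024-05-01T02:14:07Z job=build-1041 actor=alice dst=registry.npmjs.org bytes_out=1820
2024-05-01T02:14:09Z job=build-1041 actor=alice dst=api.github.com bytes_out=940
2024-05-01T02:31:55Z job=build-1042 actor=ci-bot dst=pypi.org bytes_out=2210
2024-05-01T02:32:40Z job=build-1042 actor=ci-bot dst=203.0.113.77 bytes_out=4194304
2024-05-01T02:32:58Z job=build-1042 actor=ci-bot dst=203.0.113.77 bytes_out=3145728
2024-05-01T03:05:12Z job=build-1043 actor=unknown-user dst=github.com bytes_out=512
"""


def parse_line(line):
    """Return a dict for a well-formed egress line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def analyze(log_text):
    """Return a sorted list of (job, kind, detail) findings."""
    findings = set()
    # Aggregate bytes per (job, host) so many small posts are still noticed.
    sent = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["actor"] not in KNOWN_ACTORS:
            findings.add((rec["job"], "unknown_actor", rec["actor"]))
        if rec["dst"] not in ALLOWED_HOSTS:
            findings.add((rec["job"], "unlisted_host", rec["dst"]))
            sent[(rec["job"], rec["dst"])] += rec["bytes"]
    for (job, dst), total in sent.items():
        if total >= EXFIL_BYTES:
            findings.add((job, "possible_exfil", f"{dst}:{total}"))
    return sorted(findings)


if __name__ == "__main__":
    for job, kind, detail in analyze(SAMPLE_LOG):
        print(f"{job}\t{kind}\t{detail}")
```

On the constructed sample, the clean build produces nothing, `build-1042` is flagged both for an unlisted destination and for the cumulative volume sent to it, and `build-1043` is flagged for its actor. The aggregation step matters because a pipeline that leaks data in many small requests would slip past a per-line size check; in practice the allowlist would be generated from a build's declared dependencies rather than maintained by hand.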
Source: https://x.com/TheHackersNews/status/2044463508570636334

