Git Code Repos Held to Ransom – Thousands Hacked
Many private Git repositories are at risk of being leaked to the public. Anonymous hackers have wiped victims’ code and are demanding Bitcoin.
Or else? Or else they’ll open-source it for you. And then everyone will be able to see your soopah-sekrit sores, bruh.
But how? The way they broke in is making many scratch their heads: it seems people had been exposing their GitHub, GitLab or Bitbucket credentials on the web, in plaintext, on deployed copies of their own repositories.
FAIL! You could say that. In today’s SB Blogwatch, we furiously facepalm.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 40 years of Atari 800.
Git Hit
What’s the craic? Lorenzo Franceschi-Bicchierai reports, “Someone Is Hacking GitHub Repositories”:
Hackers are breaking into private code repositories, wiping them, and asking their owners for a ransom. … The hackers are breaking into code repositories hosted on GitHub, one of the world’s largest software development platforms, and BitBucket, a similar service owned by Atlassian.
…
Jeremy Galloway, a security researcher at Atlassian [said] the company has seen a lot of users’ repositories getting hit by these hackers. Galloway said he estimates the victims to be at least 1,000, based on internal numbers and online reports.
What’s the threat? João Carrasqueira clarifies—“hacker demanding a ransom in bitcoin”:
A hacker is attacking repositories by wiping all of their content and replacing the files with a [ransom note]. The ransom value is 0.1 Bitcoin, which is around $567.
…
The note further claims that the payment must be made within the next ten days, otherwise the code will be made available to the public or be “used otherwise.” On GitHub alone, searching for the bitcoin address provided for the ransom payment reveals that at least 392 repositories have had their content replaced with the threatening note.
GitLab, too. So says Gareth Corfield—“Mystery Git ransomware appears to blank commits”:
The repos affected are hosted across a number of platforms, from GitHub and GitLab to Bitbucket, so it’s likely the malware is targeting inadvertently poorly secured repositories rather than a particular vulnerability.
Oh noes. Heed youxufkhan’s sad, sad story:
So I was done fixing a bug tonight. … When I opened up that repository tab which I was working on, it showed an error that git index file is corrupt so … I first deleted the index and I then hit ‘git reset’. After which I found I was over 3200 commits behind.
…
I stopped and reviewed recent commits and to my surprise I found a commit with ‘WARNING’ message which only had one file in it. … All the remote branches were gone.
…
File content: To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhL####### and contact us by Email at [email protected] with your Git login and a Proof of Payment. … If we don’t receive your payment in the next 10 Days, we will make your code public or use them otherwise.
But how? GitLab’s Kathy Wang reports one “result of our investigation”:
We have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository. We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue.
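The failure GitLab describes is a login sitting in plaintext where anyone who can read the deployed files can see it; the usual culprit is an https remote URL with user:token@ baked in. The following is an added example (not code from this post, from GitLab or from Atlassian) that pulls the remote and http entries out of a .git/config and flags the ones that leak a credential, returning a redacted form you could put back in its place. The sample config, the deploybot account, the ghp_… token, the base64 header and the repository names are all constructed; the function names are this example’s own.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what a world-readable /.git/config on a deployed site
# might look like. The account, token, header value and repos are made up.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploybot:ghp_exampletoken123@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.com:example-org/app.git
[http "https://dev.azure.com/"]
\textraheader = AUTHORIZATION: basic ZXhhbXBsZTp0b2tlbg==
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

SECTION_RE = re.compile(r'^\s*\[(?P<name>[\w.-]+)(?:\s+"(?P<sub>[^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[\w.-]+)\s*=\s*(?P<value>.*?)\s*$')


def parse_git_config(text):
    """Return a list of (section, subsection, key, value) tuples.

    Git's config syntax is INI-like; this minimal parser skips comments,
    includes and line continuations, which is enough for the remote/http
    entries that carry credentials.
    """
    entries, section, sub = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group('name'), m.group('sub')
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            entries.append((section, sub, m.group('key').lower(), m.group('value')))
    return entries


def strip_userinfo(url):
    """Return the URL with any user:password@ removed from the authority."""
    parts = urlsplit(url)
    host = parts.hostname or ''
    if parts.port:
        host = f'{host}:{parts.port}'
    return urlunsplit(parts._replace(netloc=host))


def find_embedded_credentials(config_text):
    """Flag entries that hand a repository login to anyone who can read the file.

    Each finding names the offending key, the account (never the secret)
    and a value that is safe to write back.
    """
    findings = []
    for section, sub, key, value in parse_git_config(config_text):
        if section == 'remote' and key == 'url':
            parts = urlsplit(value)
            # scp-style SSH URLs (git@host:org/repo.git) have no scheme and
            # carry no secret; only http(s) URLs can embed user:password.
            if parts.scheme in ('http', 'https') and (parts.username or parts.password):
                findings.append({
                    'where': f'remote.{sub}.url',
                    'account': parts.username,
                    'has_password': parts.password is not None,
                    'safe_value': strip_userinfo(value),
                })
        elif section == 'http' and key == 'extraheader' \
                and value.lower().startswith('authorization:'):
            findings.append({
                'where': f'http.{sub}.extraheader' if sub else 'http.extraheader',
                'account': None,
                'has_password': True,
                'safe_value': '(remove; use a credential helper instead)',
            })
    return findings
```

Run it over every .git/config that a deployment script copies into a web root; a non-empty result means the repository login has to be rotated, not merely removed, because the file has already been served to whoever asked. The redacted URL is the fix for the config file; the credential itself belongs in a credential helper or an SSH key, as GitLab’s advice above implies.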
O RLY? Stefan Gabos has another theory (or four):
My password was a weak one that could’ve been relatively easily cracked via brute-force. … It is also possible that my email address and that particular password are on a list of leaked accounts.
…
Could’ve also been [my] old access token, I can’t remember what and where I used it for in the past – most likely generated for use on a computer I previously owned. … There are also 4 developers working on it, all having full access to the repository, so their accounts being compromised is also a possibility.
…
Just in case the code gets published somewhere, I will change any passwords that are to be found in the source (databases, IMAP accounts).
And Daniel Ruf has one more:
Theoretically this could have also been the result of harvesting private keys and credentials using Node.js packages which have access to the whole system as some packages did this in the past. Interested to see the timeline of the incident and the initial cause.
So Troy Mursch—@bad_packets—slaps his forehead:
Dang, I thought all those “/.git/config” scans we detected were harmless. Guess we know what the goal was now.
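Those “/.git/config” scans are visible in ordinary web-server access logs, and the status code tells you which is worse: a 404 is a probe, a 200 means the scanner walked away with the file. The following is an added example (not code from the post or from Bad Packets) that runs that check over combined-format log lines and groups hits by client address. The log lines, addresses and user agents are constructed, and the function names are this example’s own.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format; the IPs and
# user agents are made up. The last line is an ordinary page request.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2019:22:14:03 +0000] "GET /.git/config HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [02/May/2019:22:14:04 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
198.51.100.9 - - [02/May/2019:22:15:11 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.21"
198.51.100.9 - - [02/May/2019:22:15:12 +0000] "GET /app/.git/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.21"
192.0.2.44 - - [02/May/2019:22:16:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files only a repository-harvesting scanner asks for, at any depth under
# the web root. /.git/config is the one that reveals remote URLs (and any
# credentials embedded in them).
SENSITIVE_PATHS = re.compile(r'^/(?:[^?]*/)?\.git/(?:config|HEAD|index)(?:\?.*)?$')


def classify_requests(log_text):
    """Group suspicious requests by client address.

    Each client maps to the paths it probed and whether any of them was
    served with 200, i.e. the scanner actually got the file.
    """
    clients = defaultdict(lambda: {'paths': [], 'exposed': False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('path')
        if not SENSITIVE_PATHS.match(path):
            continue
        rec = clients[m.group('ip')]
        rec['paths'].append(path)
        if m.group('status') == '200':
            rec['exposed'] = True
    return dict(clients)


def exposed_repositories(log_text):
    """Return the set of clients that successfully fetched a .git file."""
    return {ip for ip, rec in classify_requests(log_text).items() if rec['exposed']}
```

A 200 for /.git/config is the signal to treat every credential reachable from that repository as stolen; the probes that got 404s are the reason to add a deny rule for /.git/ before the next deploy puts one there.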
What are the victims going to do when their code leaks publicly? dajames has dabottomline: [You’re fired—Ed.]
If your business model depends on your source code being secret you should probably think twice before using a third-party repository.
Plus the traditional ransomware angle. MachineShedFred obliges us:
Cloud or not, if you’re working without a backup, you’re a ******* idiot.
And whitepines agrees, adding:
In all seriousness, the largest threat I see here is lost chain of trust / integrity. The codebase would need a thorough external audit after being “recovered” by paying the hackers, and I guarantee next to no one would pay for that, especially not the small time commercial developers likely to be hit by this with no offline backups in the first place.
Meanwhile, ShanghaiBill sighs wistfully:
I worked for a company that debated going open source. Several people strongly objected to “giving away the crown jewels”. But we decided to open it up, and release the code.
A year later, we checked the server logs, and found it had been downloaded this many times: 0.
And Finally:
Fascinating talk from Joe Decuir, co-designer of the Atari VCS, Atari 800 and Commodore Amiga 1000
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.