- GitHub, Bitbucket, and GitLab speak on recent attacks on user repositories.
- Hacker has yet to fill crypto wallet with demanded ransom payments.
GitHub is a platform for open-source code that many developers use to test out protocols and adapt to their own uses. However, one hacker has decided to start breaking into various accounts on the platform. Rather than using the code, the hacker is going through these accounts and deleting the code repositories, then demanding a ransom in return for giving the information back.
ZDNet first discovered the attack, which has reached just under 400 repositories, leaving behind the following ransom note:
“To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at [email protected] with your Git login and a Proof of Payment.”
Even though 392 repositories have already been affected, the attack only started yesterday, and it also hit Bitbucket and GitLab accounts. According to one victim, the hacker managed to reach into their account by just guessing the password that they protected their content with. The victim admitted that the password was “weak” and that “brute force” would have been enough to crack it, as he wrote on Stack Exchange.
A security researcher at Atlassian, which owns Bitbucket, stated that up to 1,000 users may have been impacted by these attacks. Issuing a security advisory to users, Bitbucket stated that the hacker submitted the correct usernames and corresponding passwords to legitimately sign in. However, the platform theorizes that the credentials were leaked, considering how many other platforms have been impacted as well. At this point, Bitbucket confirmed that they have not found “any other compromise” of the platform.
The security director of GitLab, Kathy Wang, spoke with PCMag about the matter, saying that they have discovered “strong evidence” that all of these passwords have been recorded in “plaintext on a deployment of a related repository.” Wang added that users should consider storing their passwords “in a more secure manner.” In an email, Wang noted that the issues are still being evaluated, but the platform:
“found evidence the ‘update' scripts in some of the affected repositories hard-coded credentials in an insecure location in the deployed application.”
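As an added illustration of the root cause Wang describes (this is example code, not from the article, GitLab, or any affected project), the following Python scanner flags literal credentials in a deployment script such as an ‘update’ script, while ignoring values read from the environment. The sample script, the patterns and the Summer2019! value are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Patterns constructed for this example: a password/token assigned a literal
# value, and a git/HTTP URL carrying user:password@ credentials.
PATTERNS = {
    "literal_assignment": re.compile(r"(?i)(?:password|passwd|token|secret)\s*=\s*['\"]?([^\s'\"]+)"),
    "url_credentials": re.compile(r"https?://[^\s/:@]+:([^\s/@]+)@[^\s/]+"),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted_line: str  # the offending line with the secret masked

def redact(secret: str) -> str:
    """Keep two characters so a finding can be matched to its source; mask the rest."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_script(text: str) -> List[Finding]:
    """Return one Finding per line that contains a hard-coded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1)
            # A value taken from the environment ($VAR or ${VAR}) is injected at
            # deploy time rather than committed, so it is not reported.
            if secret.startswith("$"):
                continue
            findings.append(Finding(line_no, kind, line.replace(secret, redact(secret))))
    return findings

# Constructed sample of an 'update' script; lines 4 and 5 leak the same
# password, line 6 correctly reads its token from the environment.
SAMPLE_UPDATE_SCRIPT = "\n".join([
    "#!/bin/sh",
    "# update.sh: pull the latest release and restart the service",
    "GIT_USER=deploy",
    "GIT_PASSWORD='Summer2019!'",
    "git pull https://deploy:Summer2019!@gitlab.example.com/team/app.git main",
    "export API_TOKEN=$VAULT_TOKEN",
])

if __name__ == "__main__":
    for f in scan_script(SAMPLE_UPDATE_SCRIPT):
        print(f"line {f.line_no}: {f.kind}: {f.redacted_line}")
```

Running the scanner as a pre-commit check on deployment scripts catches this class of leak before the credentials ever reach a repository.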
The ransom note says that the victim only has 10 days to come up with the 0.1 BTC, presently worth about $566, or the stolen code will be publicized. There is also a chance that the hacker will keep the code for their own purposes. However, the Bitcoin address presently has no funds.
Though the note contains some major threats, it does not look like the hacker has done what they claim at all, or at least no victims have paid up. One victim said that they used “a commit’s hash” to retrieve their code. In an article with PCMag, the following link is provided to explain that process: https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped.
In the next 24 hours, Bitbucket users should see their repositories restored. In the process, user passwords are being automatically reset, and two-factor authentication is being enforced. GitLab users should already be able to access the platform to recover their data.
At this point, GitHub has not released any statement on these hacks.