Hacker wipes Git repositories and demands ransom




Hundreds of developers have had their Git source code repositories wiped and replaced with a ransom demand.

The attacks started earlier today, appear to be coordinated across the major Git hosting services (GitHub, Bitbucket, GitLab), and it is still unclear exactly how they are being carried out.

What we do know is that the hacker removes all source code and recent commits from the victims' Git repositories and leaves behind a ransom note demanding a payment of 0.1 Bitcoin (about $570).

The hacker claims that all the source code has been downloaded and stored on one of their servers, and gives the victim ten days to pay the ransom; otherwise, they will make the code public.

"To recover your lost code and avoid any leaks: send us 0.1 Bitcoin (BTC) to our Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by email at [email protected] with your Git ID and proof of payment. If you do not know whether we have your data, contact us and we will send you proof. Your code is downloaded and saved on our servers. If we do not receive your payment within the next 10 days, we will return your code or otherwise use it."

Payment is requested to the Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA, which, at the time of writing, has received no funds.

Hundreds of victims and counting

A search on GitHub reveals that at least 392 GitHub repositories have been ransomed so far.

According to BitcoinAbuse.com, a website that lists Bitcoin addresses used for suspicious activity, there have been 27 abuse reports for this address today, the day it was first indexed in the site's database. All of the abuse reports include the same ransom note, suggesting that the Bitcoin address is being used in a coordinated attack targeting Git accounts.

Some of the hacker's victims admitted to using weak passwords for their GitHub, GitLab and Bitbucket accounts, and to forgetting to revoke access tokens for old applications they had not used for months, two very common ways in which online accounts are compromised.

However, all the evidence suggests that the hacker scanned the entire Internet for exposed Git configuration files, extracted the credentials stored in them, and then used those logins to access and ransom accounts on the Git hosting services.

In an email to ZDNet, Kathy Wang, director of security at GitLab, acknowledged that this was the root cause of an account compromise that a user had reported on StackExchange earlier in the day.

"We identified the source based on a support ticket filed by Stefan Gabos yesterday, and immediately began to investigate the matter. We have identified the affected user accounts and all of these users have been notified. As a result of our investigation, we have strong evidence that the compromised accounts' passwords were stored in plain text on a deployment of a related repository. We strongly encourage the use of password management tools to store passwords more securely, and enabling two-factor authentication wherever possible, which would have prevented this issue."

Atlassian, the company that owns Bitbucket, has not responded to a request for comment, but has begun warning customers whose accounts the hackers appear to have accessed without authorization, and has also begun sending security alerts for accounts on which login attempts had failed.

A way to recover

The good news is that, after investigating one victim's case, members of the StackExchange security forum found that the hacker does not actually delete the code, but merely modifies the Git commit headers, which means the commits can be recovered in some cases.

Instructions on how to recover mangled Git repositories are available on this page.

On Twitter, several prominent members of the developer community are now urging victims to contact the GitHub, GitLab or Bitbucket support teams before paying any ransom demand, as there may be other ways to recover the deleted repositories.

Private Git repositories have probably also been compromised, which will undoubtedly trigger lengthy investigations at companies whose proprietary code may have been siphoned off to a remote server.
