[BreachExchange] A hacker is wiping Git repositories and asking for a ransom

[Destry Winant]

https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/

Hundreds of developers have had had Git source code repositories wiped
and replaced with a ransom demand.

The attacks started earlier today, appear to be coordinated across Git
hosting services (GitHub, Bitbucket, GitLab), and it is still unclear
how they are happening.

What it is known is that the hacker removes all source code and recent
commits from vitcims' Git repositories, and leaves a ransom note
behind that asks for a payment of 0.1 Bitcoin (~$570).

The hacker claims all source code has been downloaded and stored on
one of their servers, and gives the victim ten days to pay the ransom;
otherwise, they'll make the code public.

To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin
(BTC) to our Bitcoin address ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and
contact us by Email at admin at gitsbackup.com with your Git login and a
Proof of Payment. If you are unsure if we have your data, contact us
and we will send you a proof. Your code is downloaded and backed up on
our servers. If we dont receive your payment in the next 10 Days, we
will make your code public or use them otherwise.

Payment is requested at the ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA Bitcoin
address, which, at the time of writing, has not received any funds.

HUNDREDS OF VICTIMS AND COUNTING

A GitHub search reveals that at least 392 GitHub repositories have
been ransomed, so far.

According to BitcoinAbuse.com, a website that tracks Bitcoin addresses
used for suspicious activity, there have been 27 abuse reports for
this address today, when it was first indexed in the site's database.
All abuse reports include the same ransom note, suggesting the Bitcoin
address is being used in a coordinated attack aimed at Git accounts.

Some users who fell victim to this hacker have admitted to using weak
passwords for their GitHub, GitLab, and Bitbucket accounts, and
forgetting to remove access tokens for old apps they haven't used for
months --both of which are very common ways in which online accounts
usually get compromised.

However, all evidence suggests that the hacker has scanned the entire
internet for Git config files, extracted credentials, and then used
these logins to access and ransom accounts at Git hosting services.

In an email to ZDNet, Kathy Wang, Director of Security for GitLab,
admitted that this was the root cause of an account compromise a user
reported on StackExchange earlier today.

We identified the source based on a support ticket filed by Stefan
Gabos yesterday, and immediately began investigating the issue. We
have identified affected user accounts and all of those users have
been notified. As a result of our investigation, we have strong
evidence that the compromised accounts  have account passwords being
stored in plaintext on a deployment of a related repository. We
strongly encourage the use of password management tools to store
passwords in a more secure manner, and enabling two-factor
authentication wherever possible, both of which would have prevented
this issue

Atlassian, the company who owns Bitbucket, didn't respond to a request
for comment, but they started notifying customers to whose accounts it
believed hackers had gained illegal access, and also began sending
security alerts to accounts where login attempts had failed.

A WAY TO RECOVER

The good news is that after digging through a victim's case, members
of the StackExchange Security forum have found that the hacker does
not actually delete, but merele alters Git commit headers, meaning
code commits can be recovered, in some cases.

Instructions on how to recover mangled Git repositories are available
on this page.

On Twitter, several important figures in the developer community are
currently urging victims to contact the support teams at GitHub,
GitLab, or Bitbucket before paying any ransom demand, as there could
be other ways to recover deleted repos.

Private Git repositories were most likely compromised as well, which
will no doubt trigger lengthy investigations at companies who might
have had their proprietary code potentially siphoned off to a remote
server.