Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Programming

A Hacker is Wiping Git Repositories and Asking For a Ransom (zdnet.com) 213

An anonymous reader writes: Hundreds of developers have had had Git source code repositories wiped and replaced with a ransom demand. The hacker removes all source code and recent commits from vitcims' Git repositories, and leaves a ransom note behind that asks for a payment of 0.1 Bitcoin (~$570). The hacker claims all source code has been downloaded and stored on one of their servers, and gives the victim ten days to pay the ransom; otherwise, they'll make the code public.

Hundreds of users have had code repositories wiped and replaced with ransom notes. The coordinated attack has hit Git repositories stored across multiple platforms, such as GitHub, GitLab,and Bitbucket. Some users who fell victim to this hacker have admitted to using weak passwords for their GitHub, GitLab, and Bitbucket accounts, and forgetting to remove access tokens for old apps they haven't used for months --both of which are very common ways in which online accounts usually get compromised. Several users also tried to pin the issue on the hacker using an exploit in SourceTree, a Git GUI app for Mac and Windows made by Atlassian; however, there is no evidence to support this theory, for the time being.

This discussion has been archived. No new comments can be posted.

A Hacker is Wiping Git Repositories and Asking For a Ransom

Comments Filter:
  • So... (Score:3, Insightful)

    by Snotnose ( 212196 ) on Friday May 03, 2019 @06:02PM (#58535880)
    Hows that whole cloud thing working out for you? Sux2bu, but not surprised at the results.
    • Re: (Score:3, Insightful)

      by gravewax ( 4772409 )
      People that suck that badly at security are destined for failure whether they are on-prem or in the cloud.
      • by gweihir ( 88907 )

        There is a price to pay for bad security. It is, unfortunately, not evenly distributed or people would probably learn. This way, you either get overlooked or you are hit catastrophically. The first one has not learning value, and the second one "only happens to other people" or "is not something you could have foreseen", so minimal learning value.

    • by Njovich ( 553857 )

      So do you also write your source code repository code? Because there is nothing particular about cloud services in being vulnerable to this, merely using a remotely accessible git server is enough. As far as we know there is no use of vulnerabilities in Github or so.

    • Cloud or not, if you're working without a backup, you're a god damn idiot.

      Oh, and someone could do this with on-prem git too, given public access. This is not necessarily a "cloud" problem.

    • Hows that whole cloud thing working out for you? Sux2bu, but not surprised at the results.

      To be clear your through process is: User too dumb to use strong password / not expose security access tokens online for all to use, apparently has a solid backup and recovery process as part of a well thought out business continuation strategy?

      How well is it working out for them? Well apparently after 10 days they get their source code back, so I would consider this a win for the cloud over the alternatives.

  • by Anonymous Coward on Friday May 03, 2019 @06:04PM (#58535882)

    .. then you aren't using GIT, the /distributed/ source control system correctly.

    • Though the code itself should be safe, it might be really annoying if the "hacker" runs amok in the project and deletes all the metadata (issue tracker, discussions, wiki, etc.) on the hosting site.

      • it might be really annoying if the "hacker" runs amok in the project and deletes all the metadata (issue tracker, discussions, wiki, etc.) on the hosting site.

        If so, then it would indicate you made a mistake by using a hosting site that does not let you archive your project metadata offsite.

    • If I read the summary right the issue isn't that the code is gone, the issue is that the code wasn't public, but it will be if the ransom isn't paid. My read of it was that the deletion was to make the threat credible and hard to ignore. I may have read it incorrectly though.
      • *if* your secret code is so precious that publishing it would damage your company, then you shouldn't be hosting it on somebody else's servers to begin with.

        Hosting *local* copies of GitLab is damn easy.

    • You are assuming every project is in active development. Some projects have valuable code but go into periods of stasis during which GitHub might end up your only copy, unless you've specifically planned for this with backups.

  • by Anonymous Coward

    git isn't my repo - it's a copy of my repo.
    All I have to do is reinstrument the repo and I'm good.
    Isn't that what git is all about...?

    CAP === 'modernly'

    • by mattyj ( 18900 ) on Friday May 03, 2019 @06:29PM (#58535996)

      Read the article again (or for the first time.) The hacker is demanding payment or he will release the code publicly. In no way does the hacker claim he has the only copy of the code, that would be ridiculous.

      • by ceoyoyo ( 59147 )

        Ah cool, so some people with bad passwords storing their super secret code on the Internet might get it leaked. The horror.

      • The hacker is demanding payment or he will release the code publicly.

        So he's a sweetie. Hang him from the yardarm anyway.

      • The hacker is demanding payment or he will release the code publicly.

        Most companies code isn't worth the zeros its comprised of. I wouldn't give this yahoo two cents - he can publish the code but who would even care to look at it?

        You can lead a horse to a sewer but he's not even going to think about drinking.

        If I got that notice my only action would be to refresh any API keys that might be in there (which you'd have to do anyway even if you paid the guy). Cost: $0.00 (USD).

        • by jythie ( 914043 )
          Most company's code is of little value to random people, but it might have considerable utility to direct competitors or other interested parties. I know I've worked places where we spent time reverse engineering stuff, or found out that our stuff had been reverse engineered.
        • > Most companies code isn't worth the zeros its comprised of.

          Some company code has embedded login passwords, database passwords, SSH keys, AWS keys, copyright violations, and outright intellectual property theft.

      • If the code is closed source, and the hacker is saying "pay .1 BTC or I *RELEASE* the code to the public", then he isn't playing a very serious game. He could have stolen the code surreptitiously, and then used it to find vulnerabilities, and then sold those vulnerabilities for WAY more than $570.
        • Re: (Score:3, Insightful)

          by Raidion ( 1568981 )
          Finding security holes takes a very different set of skills then automating API calls to the login, saving all 200 responses, and executing a few calls to get repos, clone them, and upload a ransom note. While I in no way support this guy, you have to admit that this is a pretty low effort scheme that could yield a fairly serious payday, especially for a citizen of a country like Venezuela where BTC = USD = real money where there isn't a lot of it.
      • If a code leak will kill your business, you might be doing it wrong.

        Should we make RSA encryption algorithms proprietary? No, this would hurt security, not help it.

        A company's code is simply an expression of what it needs to run its business. More than likely, leaking the code wouldn't truly hurt the business, unless exposure would show vulnerabilities they don't want others to see.

        Wait, maybe that's the real problem here!

  • ...being in the cloud. Not your cloud. Not your security. Outsourcing your fate. Why, its almost like not yours at all.
    • Re: (Score:3, Insightful)

      by TigerPlish ( 174064 )

      So pointing out the shining flaw of cloud computing is Troll material? Pathetic.

      Yes, ownership matters. Cloud is just a way of shirking responsibility. Someone else's problem. Cloud Thing blew up and your users are screaming? "Bruh, cloud's down, nothing we can do for now"

      Typical. Either a couple of corporate shills modded you down, or dew-eyed misguided idealists did.

      • by ceoyoyo ( 59147 )

        Cloud computing is saying "I can't do this, and I don't want to figure it out, so let someone else handle it for me" for things like security. Problem is, particularly with security, most of the problem is the user anyway.

      • by Jeremi ( 14640 ) on Friday May 03, 2019 @09:05PM (#58536410) Homepage

        Typical. Either a couple of corporate shills modded you down, or dew-eyed misguided idealists did.

        Speaking as a misguided corporate idealist dew-eyed shill, I resent your attempt to categorize me as either one thing or another. I am magnificent in my complexity.

      • So pointing out the shining flaw of cloud computing is Troll material? Pathetic.

        No. Blaming the cloud for what amounts to stupid users when the cloud is neither the source nor the solution to the problem is worthy of a "troll" mod. Pathetic is those people who think the kind of idiots that got into this mess wouldn't be in the same position without the cloud (I'd put my money on either a dev server being open public to the internet from their networks, or someone never checking if their backup script actually backs up anything).

    • by msauve ( 701917 )
      Maybe I'm missing something here, being a naive and infrequent user of git (and who's certainly using the wrong terminology below).

      But, isn't the idea that git duplicates code you have locally, and the web version only changes with your approval? And even if the web version were to completely change or disappear, you'd still have the local version unless you did a "pull sync" which copied the web changes to the local code? And, there's no reason to do a "pull sync" unless you're consciously accepted change
      • What you did was failed to read even the summary at the top of this page. None of this has to do with code being missing. what they are threatening to do is release the code publicly. so this is proprietary code. That is what this is about. Backups will not help here. You could have saved some time if you simply read the summary.
        • "pull sync"

          What you did was failed to read even the summary at the top of this page....

          Oh stop it. Parent quoted "pull sync".

          1) They obviously missed the critical part, glad you filled them in. But quit with the insults. They freely admit they're in the deep end.
          2) Why is there not a mod for "+1 cute"? As a frequent git user, I love/can't stop laughing at the "pull sync" quote. Probably because I have Stockholm syndrome and "love" git so much.

    • It's more yours using the cloud than it is storing it at home. Or are you somehow implying that the Venn Diagram of idiots who can't use a proper password / protect their security tokens and idiots who don't have a functioning backup / business continuity strategy isn't massively overlapped?

      This as usual shows that the "cloud" is perfectly safe, but it doesn't fix stupid users. Those same stupid users would be the ones that run backups and never check that they work, or expose their dev server on the intern

  • I'm not affected. (Score:5, Insightful)

    by grep -v '.*' * ( 780312 ) on Friday May 03, 2019 @06:09PM (#58535904)
    I'm not affected. All my code is public, anyway.

    The hacker claims all source code has been downloaded.

    $600 is cheap to recover your code (A: where's your backups? B: Now's a good time to think about making it public.)

    But *IF* I was going to pay, the first thing I'd email back (if possible) is: I don't believe you. Give me two random files of mine, each over 1,000 lines. Otherwise, NO.

    And: thanks for the security reminder! I'll do better in the future!

    • by Junta ( 36770 )

      If he can overwrite your 'private' git repository, then I would have no reason to doubt that he could have *read* from that same repository.

      • If he can overwrite your 'private' git repository, then I would have no reason to doubt that he could have *read* from that same repository.

        My git repository is write-only, you insensitive clod!

        - alternative response -

        HA! I'm still using CVS!

      • by gweihir ( 88907 )

        Actually, a lot of ransomware in the past could delete or encrypt your date, but could not get it back. This person may have deleted repos without keeping copies and the threat may be empty. Too many people will not verify this and pay anyways.

    • by dissy ( 172727 )

      But *IF* I was going to pay, the first thing I'd email back (if possible) is: I don't believe you. Give me two random files of mine, each over 1,000 lines. Otherwise, NO.

      That would only prove is the hacker has the files intact.
      As they had write access, they had read access too, so there is little reason to not believe they have the files.

      What I wouldn't believe is if they will give them all back after being paid.
      They can still provide a couple files in advance, then ignore you once they get your money.

      So if they actually didn't copy anything, that would certainly call them out on it.

      But in either case it doesn't really boost any amount of trust that they will still return e

    • by sjames ( 1099 )

      Don't forget though, your code has been in the hands of a known bad guy at that point. You can't trust it.

  • by rmdingler ( 1955220 ) on Friday May 03, 2019 @06:10PM (#58535914) Journal
    Trusting a criminal to conform to conditions set immorally is a bit like believing a leopard can cange its spots.
  • git push? (Score:2, Insightful)

    by mrsam ( 12205 )

    Kids these days... These script kiddies simply do not understand how git works. If some clown compromises github and wipes my repository, and I get this silly a ransom note, what's to stop me from simply pushing to another git repo elsewhere, like gitlab, sourceforge, or pagure? Presto -- the git repository gets instantly restored.

    Everyone who has cloned a git repo has a complete copy of the repo, that can be pushed anywhere, at a moment's notice.

    • by deKernel ( 65640 )

      So your reading comprehension is lack. Please re-read the article and understand the threat. Here, I will help you, the threat is releasing the code in the wild and not stealing of the code.....sheesh. More than likely, they are only going after business accounts.

  • by account_deleted ( 4530225 ) on Friday May 03, 2019 @06:26PM (#58535982)
    Comment removed based on user account deletion
    • by Ecuador ( 740021 )

      You don't even need a backup in this case. You (and everyone who works on this code) already have a clone of the repo on your machine, that's how git works!

    • If I may quite a colleage: "You don't get out much, do you?" There are many "serious developers" who have no idea of assuring the history and changes to their code, and many are blocked from discussing it by the strict responsibilities enforced by task segregation in their workgroups.

    • What makes you think someone who can't use a strong password / protect access tokens to their git repository knows how to take a bi-weekly air-gapped backup?

  • This is a problem?

    Why are you hosting your code elsewhere if you don't want it public?
    Why are you not securing it with basic protections (a strong, unique password)?
    Why do you not have a local copy?

    • by jythie ( 914043 )

      This is a problem?

      Why are you hosting your code elsewhere if you don't want it public?

      Sometimes it makes more sense to have a 3rd party handle your repo. Not every team wants to maintain their own server with a publicly accessible IP address.

      Why are you not securing it with basic protections (a strong, unique password)?

      If I am understanding the piece correctly, the hack involved finding publicly visible developer git client auth information. So probably people sharing directories and not realizing there were hidden files with information that could be used to access the repo.

      Why do you not have a local copy?

      It sounds like the threat was to release private code rather than delete the repo. Even wit

  • Hundreds of developers have had had Git source code repositories wiped and replaced with a ransom demand ...

    Can he wipe out extra verbs?

  • The hacker claims all source code has been downloaded and stored on one of their servers, ...

    They call their repository: Got

  • To everyone that posted something along the lines of, "OMG dude, why would anyone pay this ransom? Like, he could just re-upload the code, yo."

    This is referred to as being, "the fool that rushes in". If you ever read something that sounds just so totally absurd that you instantly see stupid everywhere, maybe re-read, or re-think the situation, please.

    • Indeed. This used to be a place for nerds. Now it looks like a bunch of underachievers lacking reading comprehension skills.

  • Comment removed based on user account deletion
  • $613?
  • The wallet is practically empty

  • I am going to crap my pants if my open source software is copied by a hacker and released publicly. There is no limit to the horror I will experience if my public goes becomes publicly available.
  • It seems like every single individual has to learn the hard way, at least once: Backups. Different kinds of backups, Online and offline backups. Automated backups, so that you don't have to remember to do it yourself - only: do check periodically that the automatic process hasn't broken. And the offsite stuff does require feet.

  • It's Git. It's distributed. That's the whole point. He has a copy of the history - so effing what? In the words of Vincent Hanna: "I am over-f*cking-welmed." [youtube.com]

    Anyway, I thank him for giving us a free lesson in being more careful about credentials in repos.

    • The problem is that you don't understand the *story*.

      The threat here is public release of the code, not deletion. Deleting it was just to get peoples attention.

  • For taking security as seriously as you usually do.

Whoever dies with the most toys wins.

Working...