
'Deliberate Attack' Deletes Shopping App's AWS and GitHub Resources (theregister.com)
The CEO of Indian grocery ordering app KiranaPro has claimed an attacker deleted its GitHub and AWS resources in a targeted and deliberate attack and vowed to name the perpetrator. From a report: KiranaPro lets users shop at "Kiranas," the Indian equivalent of convenience stores, which mostly stock basic foodstuffs. Users of the app place an order, which KiranaPro sends to nearby Kiranas who bid to win the sale. The winner arranges delivery of the goods. The elapsed time from ordering to delivery seldom tops 20 minutes.
KiranaPro CEO Deepak Ravindran claims the app "powers the livelihoods of thousands of Kirana store owners" and handles 2,000-plus orders each day. Ravindran also claims the app was destroyed by someone who holds a grudge. "Our startup @Kirana_Pro was deliberately hacked -- entire GitHub repo & AWS data wiped. Logs suggest malicious insider action," he wrote on June 3rd. The attack happened last week, and the app has been inoperable since.
"Insider action"? (Score:3)
Re: (Score:3)
You can recover the code from a local repository, but github contains more than the code. Apparently it is possible to backup the issues, wiki, etc. but it requires actual planning.
Re: (Score:2)
Indeed - Github has high availability, but you should do your own backups. Given the Github and AWS stuff got deleted though, I'd imagine any Github backups would be in an S3 bucket, so would also have been deleted.
This guy clearly has/had a trust issue in his organisation - there's probably a whole chain of events, of which this is the last. In fairness though, few people think "I'll backup my Github, but I'll do it into a different cloud provider than my main one - just in case my main one gets destroyed"
Re: "Insider action"? (Score:2)
I recently left the workforce but we did use GitHub and we did backups to separate read only repositories (archived through admin privileges) and also a separate GitHub org limited to a handful of employees. Furthermore our CI/CD system had several cached copies of the repositories in AWS (to improve the performance) which means these are full git clones to recover from. Finally most devs will have a full clone on their laptop.
We also use terraform to manage most, but not all (not all settings are manageabl
Why not blame it on an AI? (Score:4, Funny)
an Actual Indian.
Re: (Score:3)
Maybe it was an American Indian?
Deliberate insider attack... (Score:3)
That certainly sounds better than "incompetent employee (or owner) screwup".
I mean, come on, if someone "wiped" their github repo - whether maliciously or incompetently - is the guy saying that no one else anywhere has a reasonably up-to-date local copy of it? Oh, and there are no backups anywhere either?
Re: (Score:2)
Re: Deliberate insider attack... (Score:2)
At a big tech firm I worked at, we referred to these as "FBI", aka full-blown insider attacks.
Of course, that's because the insiders in question are sometimes employees of three letter agencies.
But any company no matter its scale should consider insider risk.
Rarely hacking; usually incompetence (Score:2)
Re: (Score:1)
Oh shut up.
Ouch. (Score:4)
entire GitHub repo & AWS data wiped.
I've my github residing in many places because it's used in many places. Just push it to a git repo. May lose anything newer than your copies..... Surely no one is more than a few days behind that's a dev? I know git has restored deleted repos, usually ones they've deleted though.
The storage is a bit more problematic. Object stores may have retained undeleted but tombstoned objects due to several factors, the real world not being perfect, but I wouldn't count on anything being recoverable, or coherent. Object stores only keep copies when you DON'T tell them to delete them (Or LEO comes by with an NSA letter. That can get aggravating because it keeps billing the customer when they've issued a delete. So you have to... well, be careful!)
Re: (Score:2)
entire GitHub repo & AWS data wiped.
I've my github residing in many places because it's used in many places. Just push it to a git repo. May lose anything newer than your copies..... Surely no one is more than a few days behind that's a dev? I know git has restored deleted repos, usually ones they've deleted though.
The storage is a bit more problematic. Object stores may have retained undeleted but tombstoned objects due to several factors, the real world not being perfect, but I wouldn't count on anything being recoverable, or coherent. Object stores only keep copies when you DON'T tell them to delete them (Or LEO comes by with an NSA letter. That can get aggravating because it keeps billing the customer when they've issued a delete. So you have to... well, be careful!)
The lesson is redundancy is not backup. Had a customer with an exchange server that wasn't backed up because it was replicated across 4 different locations in 3 countries (US, Mexico and Canada) until one day they got cryptolockered and found out that all their sites got locked at once. That was an expensive mistake for a company that was already on death's door.
Always have a backup.
Re: (Score:2)
Here it’s more than backup or redundancy. It’s also about limiting the ability of one bad actor to wipe out both the redundant copies and the backups. This likely means a push location, with versioning, that requires someone else’s keys to delete repositories.
Re: (Score:2)
Object stores only keep copies when you DON'T tell them to delete them ...
FWIW, that's not a universal fact. Azure storage defaults to a soft delete (7 days) for blobs and containers, and a checkbox would enable versioning and immutable versioning.
I doubt that matters though. I don't know what AWS resources were deleted, but many of them have no convenient backup/restore option built in. If it was all deployed via code from the start, and you still have that code, it should be easy to redeploy; It's more likely they didn't have 100% of things built that way, and backup/restore of
Re: (Score:2)
The big issue is they wiped out their ci/cd and more importantly their entire AWS platform the system runs on. Sure you can probably re-deploy the code, but if it's not infrastructure as code then a lot of that stuff is bespoke hand-wired stuff and there's probably no backups for the config files etc. Maaaaybe you can deploy everything on a giant EC2 instance but you still lost all your database backups which means all your customers now have to create new logins, you need to create a new account with your
Backups (Score:3)
So where's your offline airgapped backup?
And I mean... it's being developed via git, right? So you have all your local copies of all your repos including full history. So you haven't lost ANY code, right?
The AWS data that's critical to the operation of the app would obviously be being backed up elsewhere occasionally, right?
Re: (Score:2)
Possibly on the laptop of the aggrieved ex-employee. Who likely will get snagged by the Indian feds when he tries to sell it to a competitor who NOPES right out of it and yeets his details to the cops.
Re: (Score:2)
This is India. The cops are more likely to act as brokers for that data...
Re: (Score:2)
Re: (Score:2)
The issue is going to be if the malicious actor "permanently deleted" the AWS and Github accounts. Domain registration, DNS, internal checkout scripts tied to a github account, etc.
The backups, if they exist, are the easy part of this DR Scenario.
Not that anybody writes DR plans anymore or that any of the Big Tech sites support Shamir's Secret Splitting for account deletion (or offer real customer service).
This aspect of IT is the most highly neglected, aside from workers' rights and competitive pay.
Re: (Score:2)
This aspect of IT is the most highly neglected
Yes. And because of that combination of greed, arrogance and stupidity, Europe is now regulating more businesses under the NIS2 directive. Eventually, all businesses beyond a few employees and beyond very small turnover will get regulated and then BCM, DR, offline backups, etc. are mandatory. The economic damage of not doing these is just getting far too high. And once again, businesses fail to self-regulate, because they actually cannot.
Re: (Score:2)
Naa, they do not have any of that. Bright-eyed greedy morons that cannot even get the basics right. There are enough other examples of that today.
Bidding wars?? The hell is that. (Score:2)
Users of the app place an order, which KiranaPro sends to nearby Kiranas who bid to win the sale.
Something tells me a certain Kirana store owner refused to bid that low and was rarely winning bids, while another store was/is perhaps taking orders at a loss every now and then to “compete” better.
On the surface it sounds enticing for consumers if their order is being fought over to offer the lowest price. However, I just outlined the problems that can manifest quickly for a business owner in a highly competitive space. Grocery margins are already razor thin in most cases.
Re: (Score:2)
What would be the problem?
The customers get lower prices, that's a win.
And if the surviving shop raises its prices after bankrupting its competition it will get undercut by others.
The only way you can maintain that monopoly is to also raise the barrier to entry for competitors with regulation like licenses.
The free market works on its own and stops working when you let government turn the knobs.
Re: (Score:2)
The free market works on its own
The planet may disagree though.
Re: (Score:2)
Don't forget about Bankruptcy - suppliers get stiffed by Courts.
If it's a start-up/salary/loss/bankruptcy scheme the payers are the suppliers of product, rent, investors, utilities, etc.
Not that I've seen any evidence of misdeeds in this case. Just be careful in assuming Bankruptcy isn't corporate welfare.
Invoicing has its conveniences but it's a tradeoff with cash-on-the-barrel certainty.
Personally I prefer cash and prepaid services. YMMV.
Re: (Score:2)
The free market works on its own and stops working when you let government turn the knobs.
You do realize nobody credible actually believes this and it's only propaganda invented by the business community so they could dump leftover chemicals in a hole and swindle old ladies out of retirement without interference.
Re: (Score:2)
I don't buy the idea that government can fix problems.
At best it creates just as many new problems.
Either corporations want government because it works in their benefit, for example by making it harder for competitors to get into their business.
Or corporations do not want government since it stops them from doing whatever they want.
The fact that they don't all support the libertarian party shows which of the two it is.
Re: (Score:2)
Libertarian party? The one who used to be chummy with NAMBLA?
Re: (Score:2)
I don't buy the idea that government can fix problems.
That is because you are stupid and badly educated.
Re: (Score:2)
What would be the problem? The customers get lower prices, that's a win. And if the surviving shop raises its prices after bankrupting its competition it will get undercut by others. The only way you can maintain that monopoly is to also raise the barrier to entry for competitors with regulation like licenses. The free market works on its own and stops working when you let government turn the knobs.
That "free market" in many areas of shopping, is called Amazon now.
Selling at a loss every now and then, is one thing. Selling at a loss until you destroy the competition is about as good for competition as hedge funds betting against success is.
Getting undercut by others only works if you haven't scared everyone else from even considering entering that market.
Re: (Score:2)
The free market works on its own
Only problem with that: The free market is a complete hallucination. It is not real and it cannot be real.
Re: (Score:2)
Bidding only works longer-term if nobody can dominate the market. That is rarely the case. But the terminally stupid "free market" fanbois so love the idea.
BACKUP, RESTORE, TEST (Score:3, Insightful)
The 1970s are calling.
They say if you have any clue about IT you should have
- regular backups
You should
- restore those backups
You must
- Test those backups
Didn't do ANY OF THOSE THINGS? You are the weakest link. Goodbye.
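The three steps in the post above, carried through end to end for a git repository, as an added example (not code from the thread, from KiranaPro, or from any of the posters). It builds a throwaway repo with constructed sample commits, writes a `git bundle` as the backup artifact, restores it into a fresh bare repository without touching the source, and then tests the result three ways: `git bundle verify`, `git fsck` on the restore, and a comparison of the branch tip hashes. The directory names and the sample file are assumptions; the only dependency is `git`. The point the bundle file makes is that it is a single portable object you can push to storage the production credentials cannot delete, which is the "someone else's keys" idea raised earlier in the thread.

```shell
#!/bin/sh
# Added example: BACKUP, RESTORE, TEST for a git repository, all offline.
set -eu

# Build a constructed sample repository standing in for production (assumed names).
make_sample_repo() {
    repo="$1"
    git init -q "$repo"
    printf 'print("hello")\n' > "$repo/app.py"
    git -C "$repo" add app.py
    git -C "$repo" -c user.name=ci -c user.email=ci@example.invalid commit -q -m "initial"
    printf 'print("hello, again")\n' > "$repo/app.py"
    git -C "$repo" -c user.name=ci -c user.email=ci@example.invalid commit -q -am "second"
}

# BACKUP: a bundle of every ref is one file, easy to copy to a separate account or provider.
backup_repo() {
    src="$1"; bundle="$2"
    git -C "$src" bundle create "$bundle" --all
}

# RESTORE: rebuild a bare repository from the bundle alone; the source is never consulted.
restore_repo() {
    bundle="$1"; dest="$2"
    git init -q --bare "$dest"
    git -C "$dest" fetch -q "$bundle" '+refs/heads/*:refs/heads/*'
}

# TEST: an unverified backup is a hope. Check the bundle, fsck the restore, compare tips.
# Returns 0 only if all three checks pass.
test_backup() {
    src="$1"; bundle="$2"; dest="$3"
    git -C "$dest" bundle verify "$bundle" >/dev/null 2>&1 || return 1
    git -C "$dest" fsck --full >/dev/null 2>&1 || return 1
    branch=$(git -C "$src" symbolic-ref --short HEAD)
    [ "$(git -C "$src" rev-parse HEAD)" = "$(git -C "$dest" rev-parse "refs/heads/$branch")" ]
}

# Run the whole cycle inside a scratch directory (absolute path expected).
backup_restore_cycle() {
    work="$1"
    make_sample_repo "$work/prod"
    backup_repo "$work/prod" "$work/prod.bundle"
    restore_repo "$work/prod.bundle" "$work/restored.git"
    test_backup "$work/prod" "$work/prod.bundle" "$work/restored.git" \
        && echo "backup OK: $work/prod.bundle"
}

backup_restore_cycle "$(mktemp -d)"
```

Run it on a schedule against the real repositories instead of the constructed one, and keep the bundle somewhere the day-to-day deploy credentials can only write to, never delete from; the test step is the part that tells you the backup job quietly broke three months ago.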
Re: (Score:2)
What, you mean like halfway professional IT ops? Naa, cannot have that, that cost _money_!
In other news, greedy cretins continue to do damage.
Bullshit language is bullshit (Score:2)
First, all attacks are "deliberate". Second, "person vows to do something" is a completely meaningless statement that says absolutely nothing.
The human race is confidently continuing its journey to peak stupid...