Last week, it was reported that a hacker was ransoming data taken from various software development repositories. The thief had been stealing source code and commits from GitHub, Bitbucket, and GitLab users and replacing it with a demand for 0.1 Bitcoin ($578). The cybercriminal also threatened to publicize their victims’ code if they don’t pay up by May 13.
According to ZDNet, the hacker has breached the repositories of nearly 400 GitHub coders. Vice reported that at least 1,000 Bitbucket developers have also been affected. However, the plot doesn’t seem to have succeeded. As of this writing, the criminal operator’s Bitcoin address has a record of only one transaction, totaling $3.04. The thief’s address has also been reported 36 times in connection with ransomware attacks between May 2 and 6.
GitLab’s security director, Kathy Wang, confirmed the data breach and told ZDNet the firm is contacting affected users.
How the Hacker Gained Access to User Repositories
The cybercriminal behind the Git repository thefts didn’t subvert GitHub, Bitbucket, or GitLab’s security. Instead, they scoured the internet for plaintext files containing repository user login information. Cybersecurity firm Bad Packets Report actually detected the hacker’s scans for Git configuration files but dismissed them as harmless.
Dang, I thought all those "/.git/config" scans we detected were harmless. Guess we know what the goal was now.
— Bad Packets Report (@bad_packets) May 3, 2019
ZDNet noted the thief likely hacked user accounts using old third-party applications that developers had connected to their code repositories. Though the programmers no longer used those apps, they made the mistake of not clearing out the stored login information. GitLab noted its investigation indicated that this was exactly how the cybercriminal was able to steal so much data.
The code hosting service also recommended that users adopt password managers and two-factor authentication to prevent similar hacks in the future.
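The two checks below, as an added example that is not part of the original article or of any of the services it names, follow from the attack path just described: a credential embedded in a remote URL inside a `.git/config`, and an exposed `.git/` directory being fetched over HTTP. The first function parses git's own config syntax and flags remotes whose URL carries a password or token; the second runs over web-server access-log lines and reports which clients touched `/.git/` paths and which of those requests actually succeeded. The config, the log lines, the token values and the client addresses are all constructed for this example.

```python
"""Defensive checks suggested by the Git ransom incident.

1. scan_git_config(): flag remote URLs in a .git/config that embed a
   password or token, the kind of credential the attacker harvested.
2. find_git_probes(): report clients requesting anything under /.git/
   in an access log, the scan pattern Bad Packets observed.

Every sample value below is constructed; the tokens are placeholders.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample .git/config in git's own format (tab-indented keys,
# quoted subsection names). EXAMPLE_* token values are placeholders.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://alice:EXAMPLE_TOKEN_placeholder@github.com/alice/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.com:alice/app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[remote "old-ci"]
\turl = https://oauth2:EXAMPLE_OLD_TOKEN@gitlab.com/alice/app.git
"""

# Constructed combined-format access log lines (documentation IP ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [03/May/2019:04:12:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [03/May/2019:04:12:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
198.51.100.9 - - [03/May/2019:04:15:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.5 - - [03/May/2019:04:16:10 +0000] "GET /app/.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.77 - - [03/May/2019:05:01:00 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "python-requests/2.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
GIT_PATH_RE = re.compile(r"(^|/)\.git(/|$)")


def parse_git_config(text):
    """Minimal parser for git's config syntax: {section: {key: value}}.

    Git indents keys with a tab, which configparser would read as a
    continuation line, so the parsing is done by hand. A repeated key
    keeps its last value, which is enough for inspecting remote URLs.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def scan_git_config(text):
    """Return [(remote_name, url_with_secret_redacted)] for each remote whose
    http(s) URL carries a password/token in its userinfo part."""
    findings = []
    for section, keys in parse_git_config(text).items():
        if not section.startswith('remote "'):
            continue
        url = keys.get("url", "")
        parts = urlsplit(url)
        # scp-style "git@host:path" URLs have no scheme and embed no secret;
        # a bare username without a password is not treated as a finding.
        if parts.scheme in ("http", "https") and parts.password:
            redacted = url.replace(parts.password, "<redacted>")
            findings.append((section[len('remote "'):-1], redacted))
    return findings


def find_git_probes(log_text):
    """Return ({client_ip: probe_count}, [(ip, path, 200), ...]).

    The second element lists probes answered with 200, i.e. cases where
    repository metadata was actually served to the requester.
    """
    per_ip = Counter()
    exposed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if GIT_PATH_RE.search(path):
            per_ip[m.group("ip")] += 1
            if m.group("status") == "200":
                exposed.append((m.group("ip"), path, 200))
    return dict(per_ip), exposed


if __name__ == "__main__":
    for name, url in scan_git_config(SAMPLE_GIT_CONFIG):
        print(f"credential embedded in remote '{name}': {url}")
    per_ip, exposed = find_git_probes(SAMPLE_ACCESS_LOG)
    print("clients probing .git paths:", per_ip)
    print("probes that returned 200:", exposed)
```

Run against a real `.git/config` and a real access log by replacing the two constructed strings with file contents; any 200 response for a `/.git/` path means the web root is serving the repository directory and the credential scan should be applied to that config immediately.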
A developer’s greatest nightmare is losing their code, but there are a few possible solutions for affected repository users. A member of the StackExchange forum found a way that may let the criminal’s victims restore their code. A Twitter user also noted that the platform’s version control history should allow developers to recover their work.
Unfortunately, none of the solutions presented can keep the hacker from publishing users’ proprietary code.
A New Threat on the Horizon?
Currently, the hacker’s ransomware attack has affected fewer than 1,500 public repository users. But services like GitHub are also used by large corporations like Tencent, Xiaomi and Microsoft. If cybercriminals access one of their private repositories, they’ll likely demand much more than $578.
Furthermore, while the May 2 hacker didn’t receive much financial return from their scheme, other bad actors might have better luck. Global conglomerates have a greater incentive to keep their proprietary data private than individual coders.
It’s also worth noting that GitHub, Bitbucket, and GitLab are not the only code hosts to suffer a breach recently. Last month, a firm called Docker suffered a data breach that resulted in the theft of login information for more than 190,000 users.
The company sells operating system-level virtualization tools used by developers at Facebook, Google, and PayPal. Consequently, those corporations’ infrastructure software could be in danger of subversion. Even worse, hackers stole enterprise access tokens for GitHub and Bitbucket in the April hack. The corporation noted it revoked the affected GitHub access credentials.
Docker’s investigation into its data breach and the breach’s full implications is still ongoing.