Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Password Reuse, Misconfiguration Blamed for Repository Compromises

Armed with stolen credentials from another breach or from a misconfigured file, attackers delete developers' repositories on GitHub, Bitbucket, and GitLab, leaving behind ransom notes.

Atlassian's Bitbucket, GitHub, and GitLab notified hundreds of developers over the weekend that their accounts on those repository services were breached and their code deleted by attackers using credentials harvested from another site or misconfigured files.

The accounts of more than an estimated 1,000 developers were impacted by the attack on the three services. In each case, the attackers deleted the victim's code repository and left behind a ransom note demanding a tenth of a bitcoin — about $570 — to restore the data.

Atlassian, which declined to say how many of the users of its Bitbucket service were affected, notified developers whose accounts were impacted and blamed password reuse for the attackers' ability to compromise the service.

"During this attack, a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository," the company stated in a notification to affected users. "We believe that these credentials may have been leaked through another service, as other git hosting services are experiencing a similar attack."

The attack highlights the dangers of mishandling passwords. Reportedly, 392 GitHub users were impacted by the attack, although only 320 users' repositories are currently showing signs of the ransom note. Bitbucket appears to have blocked search results for affected users, while GitLab does not have facilities for searching through repositories.

Reusing the same password on different services is a problematic habit of online users that can undermine security. In addition, developers often unwittingly leave passwords in files that are published to public repositories. None of the services hosting affected developers' repositories found signs of a compromise. Instead, attackers logged onto them from an unrecognized Internet address using valid credentials and then deleted the victim's code. 

"GitHub has been thoroughly investigating these reports, together with the security teams of other affected companies, and has found no evidence GitHub.com or its authentication systems have been compromised," the company said. "At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures. We are working with the affected users to secure and restore their accounts."

GitLab started investigating the issue on Sunday, after one developer reported that its code had been deleted. The organization concluded that the breach may have occurred when developers mistakenly published passwords stored in another repository.

"We have identified affected user accounts, and all of those users have been notified," a GitLab spokesperson said. "As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository."

Atlassian also urged users to not leave passwords in files that may be replicated into public repositories.

The repositories of affected users were deleted by the attackers and replaced with a ransom demand, reading: "To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address [deleted] and contact us by Email at [email protected] with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise."

Companies underscored that two easily implemented security measures — a password vault and two-factor authentication — could have prevented the attack by limiting the use of stolen credentials.

"We strongly encourage the use of password management tools to store passwords in a more secure manner and enabling two-factor authentication wherever possible, both of which would have prevented this issue," GitLab's spokesperson said.

Security professionals urged developers to use more care in managing their repositories, especially for projects that produce the open source components used as the foundation of many development projects. Two-factor authentication should be required for anyone who is committing to a broadly used software project, said Craig Young, computer security researcher in the vulnerability and exposure research team at security firm Tripwire, in a statement sent to Dark Reading.

"This is especially important for accounts which can make commits into source code repositories," he said. "Although this attack was very noisy, someone else could also stealthily put ransomware in various software libraries, which are in turn used by other projects. Considering open source is used at least in part by the vast majority of popular software packages, GitHub becomes a very critical point of failure for modern supply chain security."

For the most part, compromised accounts could easily be restored by using a git command to upload the latest repository from the affected developer's system, GitLab stated in an advisory

"We believe that no data has been lost, unless the owner/maintainer of the repository did not have a local copy and the GitLab copy was the only one," the company stated. "In some cases, repository files were changed. After updating account credentials, we recommend making use of git commands to restore your repository to its previous state."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.