Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Password Reuse, Misconfiguration Blamed for Repository Compromises

Armed with stolen credentials from another breach or from a misconfigured file, attackers delete developers' repositories on GitHub, Bitbucket, and GitLab, leaving behind ransom notes.

Atlassian's Bitbucket, GitHub, and GitLab notified hundreds of developers over the weekend that their accounts on those repository services were breached and their code deleted by attackers using credentials harvested from another site or misconfigured files.

The accounts of more than an estimated 1,000 developers were impacted by the attack on the three services. In each case, the attackers deleted the victim's code repository and left behind a ransom note demanding a tenth of a bitcoin — about $570 — to restore the data.

Atlassian, which declined to say how many of the users of its Bitbucket service were affected, notified developers whose accounts were impacted and blamed password reuse for the attackers' ability to compromise the service.

"During this attack, a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository," the company stated in a notification to affected users. "We believe that these credentials may have been leaked through another service, as other git hosting services are experiencing a similar attack."

The attack highlights the dangers of mishandling passwords. Reportedly, 392 GitHub users were impacted by the attack, although only 320 users' repositories are currently showing signs of the ransom note. Bitbucket appears to have blocked search results for affected users, while GitLab does not have facilities for searching through repositories.

Reusing the same password on different services is a problematic habit of online users that can undermine security. In addition, developers often unwittingly leave passwords in files that are published to public repositories. None of the services hosting affected developers' repositories found signs of a compromise. Instead, attackers logged onto them from an unrecognized Internet address using valid credentials and then deleted the victim's code. 

"GitHub has been thoroughly investigating these reports, together with the security teams of other affected companies, and has found no evidence GitHub.com or its authentication systems have been compromised," the company said. "At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures. We are working with the affected users to secure and restore their accounts."

GitLab started investigating the issue on Sunday, after one developer reported that its code had been deleted. The organization concluded that the breach may have occurred when developers mistakenly published passwords stored in another repository.

"We have identified affected user accounts, and all of those users have been notified," a GitLab spokesperson said. "As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository."

Atlassian also urged users to not leave passwords in files that may be replicated into public repositories.

The repositories of affected users were deleted by the attackers and replaced with a ransom demand, reading: "To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address [deleted] and contact us by Email at [email protected] with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise."

Companies underscored that two easily implemented security measures — a password vault and two-factor authentication — could have prevented the attack by limiting the use of stolen credentials.

"We strongly encourage the use of password management tools to store passwords in a more secure manner and enabling two-factor authentication wherever possible, both of which would have prevented this issue," GitLab's spokesperson said.

Security professionals urged developers to use more care in managing their repositories, especially for projects that produce the open source components used as the foundation of many development projects. Two-factor authentication should be required for anyone who is committing to a broadly used software project, said Craig Young, computer security researcher in the vulnerability and exposure research team at security firm Tripwire, in a statement sent to Dark Reading.

"This is especially important for accounts which can make commits into source code repositories," he said. "Although this attack was very noisy, someone else could also stealthily put ransomware in various software libraries, which are in turn used by other projects. Considering open source is used at least in part by the vast majority of popular software packages, GitHub becomes a very critical point of failure for modern supply chain security."

For the most part, compromised accounts could easily be restored by using a git command to upload the latest repository from the affected developer's system, GitLab stated in an advisory

"We believe that no data has been lost, unless the owner/maintainer of the repository did not have a local copy and the GitLab copy was the only one," the company stated. "In some cases, repository files were changed. After updating account credentials, we recommend making use of git commands to restore your repository to its previous state."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.