Password Reuse, Misconfiguration Blamed for Repository CompromisesArmed with stolen credentials from another breach or from a misconfigured file, attackers delete developers' repositories on GitHub, Bitbucket, and GitLab, leaving behind ransom notes.
Atlassian's Bitbucket, GitHub, and GitLab notified hundreds of developers over the weekend that their accounts on those repository services were breached and their code deleted by attackers using credentials harvested from another site or misconfigured files.
The accounts of more than an estimated 1,000 developers were impacted by the attack on the three services. In each case, the attackers deleted the victim's code repository and left behind a ransom note demanding a tenth of a bitcoin — about $570 — to restore the data.
Atlassian, which declined to say how many of the users of its Bitbucket service were affected, notified developers whose accounts were impacted and blamed password reuse for the attackers' ability to compromise the service.
"During this attack, a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository," the company stated in a notification to affected users. "We believe that these credentials may have been leaked through another service, as other git hosting services are experiencing a similar attack."
The attack highlights the dangers of mishandling passwords. Reportedly, 392 GitHub users were impacted by the attack, although only 320 users' repositories are currently showing signs of the ransom note. Bitbucket appears to have blocked search results for affected users, while GitLab does not have facilities for searching through repositories.
Reusing the same password on different services is a problematic habit of online users that can undermine security. In addition, developers often unwittingly leave passwords in files that are published to public repositories. None of the services hosting affected developers' repositories found signs of a compromise. Instead, attackers logged onto them from an unrecognized Internet address using valid credentials and then deleted the victim's code.
"GitHub has been thoroughly investigating these reports, together with the security teams of other affected companies, and has found no evidence GitHub.com or its authentication systems have been compromised," the company said. "At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures. We are working with the affected users to secure and restore their accounts."
GitLab started investigating the issue on Sunday, after one developer reported that its code had been deleted. The organization concluded that the breach may have occurred when developers mistakenly published passwords stored in another repository.
"We have identified affected user accounts, and all of those users have been notified," a GitLab spokesperson said. "As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository."
Atlassian also urged users to not leave passwords in files that may be replicated into public repositories.
The repositories of affected users were deleted by the attackers and replaced with a ransom demand, reading: "To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address [deleted] and contact us by Email at [email protected] with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise."
Companies underscored that two easily implemented security measures — a password vault and two-factor authentication — could have prevented the attack by limiting the use of stolen credentials.
"We strongly encourage the use of password management tools to store passwords in a more secure manner and enabling two-factor authentication wherever possible, both of which would have prevented this issue," GitLab's spokesperson said.
Security professionals urged developers to use more care in managing their repositories, especially for projects that produce the open source components used as the foundation of many development projects. Two-factor authentication should be required for anyone who is committing to a broadly used software project, said Craig Young, computer security researcher in the vulnerability and exposure research team at security firm Tripwire, in a statement sent to Dark Reading.
"This is especially important for accounts which can make commits into source code repositories," he said. "Although this attack was very noisy, someone else could also stealthily put ransomware in various software libraries, which are in turn used by other projects. Considering open source is used at least in part by the vast majority of popular software packages, GitHub becomes a very critical point of failure for modern supply chain security."
For the most part, compromised accounts could easily be restored by using a git command to upload the latest repository from the affected developer's system, GitLab stated in an advisory.
"We believe that no data has been lost, unless the owner/maintainer of the repository did not have a local copy and the GitLab copy was the only one," the company stated. "In some cases, repository files were changed. After updating account credentials, we recommend making use of git commands to restore your repository to its previous state."
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.