
Latest Ransomware Attack Targets GitHub Security Vulnerability

on May 8, 19 • by Andrew Pomponio

What you need to know about the latest ransomware attack targeting GitHub source code...


Ransomware Attack Uses Bitcoin Ransom

GitHub is the world’s leading software development platform. Many developers use GitHub or a variation of it, such as the one hosted by Microsoft.

GitHub is currently faced with a new ransomware attack unlike any other ransomware attack in the past. This attack is very sophisticated as it requires zero interaction from a user to cause an infection.

The attackers go onto a repository, clear out all the source code, clear out all recent commits, store it all remotely, and then reach out to the owner. They require that you send them proof of payment for 0.1 bitcoin (approximately $565 U.S.) and your login. They’re willing to send people a sample of their code, in a manner similar to a severed finger, as proof of their hack.

In total, 392 GitHub accounts have been compromised.

What Caused the GitHub Security Vulnerability

GitLab has notified any users affected by this hack and believes that one of the vulnerabilities leading to the hack was plain text passwords being stored on deployments of related repositories.

Bitbucket is also reporting instances of the same type of hack, leading to a total estimate of at least 1000 victims of this attack. Despite that many people being affected, the hacker’s wallet showed only 3 dollars, from one payment, as of May 3rd.

Taking Action Against the Hackers

The ransom may not hold as much gravity if users are also able to figure out how to recover without the aid of the hackers holding their data ransom. As it turns out, Stefan Gabos figured out that the data was not deleted from his affected GitHub, and he posted on Stack Exchange a series of commands that can fix the hack if you happen to have a clone of the data on your workstation.

Starting out, running git reflog will show all your commits. Stefan thinks they never ran a clone on the repository because of the logistics and that it would be time-consuming having to do this for every victim. Running git checkout origin/master shows the attacker’s commit, and git checkout master shows all your files. To fix origin/master, you’ll need to run the following:

git checkout origin/master
git reflog # take the SHA of the last commit of yours
git reset [SHA]


Doing this will now require us to fix the HEAD. This is where your local copy of your repo comes in handy, as running git push origin HEAD:master --force will restore your repository back to full health. Visit Stack Exchange to learn more and join the conversation.

How to Prevent a GitHub Security Breach in Your Repositories

In a 2015 article, the team over at Internetwache.org wrote about the dangers of exposing your version control repository to the world. An exposed repository can be used to gain access to a site’s source code. The problem affects Git, SVN, Mercurial, Bazaar and others. It’s often the case that developers simply clone their repository into production and overlook restricting access to the deployed repositories, which lets various automated tools extract entire repositories with a single command. Any directory that’s listed can be snatched up with wget --mirror -I .git TARGET.COM/.git/ so it’s best to disable directory listing to begin with.

Securing your GitHub is important as it sits out on the public infrastructure and can thus be a sitting target for attackers. Maximizing restrictions on the code and the deployment helps keep your code base secure and intact. Remember to use long passwords, as length equals strength. For an easy-to-use tool to create strong and long passwords that are easy to remember, be sure to try out Diceware.
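An added example, not from the original post or from any project it mentions: a shell audit of your own deployment tree for the two conditions this article ties to the attack, plain text passwords stored with deployed repositories and .git directories left in production. The function names, the DEPLOY_ROOT variable and the sample tree (fake host, fake password) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, DEPLOY_ROOT and the sample tree are assumptions.

# List every .git directory under $1 (a repository cloned straight into production).
find_deployed_repos() {
    find "$1" -type d -name .git 2>/dev/null
}

# List "<config file><TAB><remote URL>" for every .git/config under $1 whose remote
# URL has the form scheme://user:password@host/... The password is redacted.
find_embedded_credentials() {
    find "$1" -type f -path '*/.git/config' 2>/dev/null |
    while IFS= read -r cfg; do
        sed -n -E 's#^[[:space:]]*url[[:space:]]*=[[:space:]]*([a-z+]+://[^:/@[:space:]]+):[^@/[:space:]]+@(.*)$#\1:REDACTED@\2#p' "$cfg" |
        while IFS= read -r url; do
            printf '%s\t%s\n' "$cfg" "$url"
        done
    done
}

# Constructed sample tree (fake host, fake password) so the audit runs offline.
build_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/site-a/.git" "$sample_root/site-b/.git" "$sample_root/site-c"
    printf '[remote "origin"]\n\turl = https://deploy:hunter2@git.example.com/acme/site-a.git\n' \
        > "$sample_root/site-a/.git/config"
    printf '[remote "origin"]\n\turl = git@git.example.com:acme/site-b.git\n' \
        > "$sample_root/site-b/.git/config"
    printf '%s\n' "$sample_root"
}

# Audit DEPLOY_ROOT if it is set, otherwise the constructed sample tree.
target=${DEPLOY_ROOT:-$(build_sample_tree)}
echo "Git repositories inside the deployment tree:"
find_deployed_repos "$target"
echo "Remote URLs that embed a password:"
find_embedded_credentials "$target"
[ -n "${DEPLOY_ROOT:-}" ] || rm -rf "$target"
```

Any password this audit reports should be rotated and replaced with a credential helper or deploy key, since the redaction only hides it from the report, not from the file on disk.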
