Git repository deleted – developers blackmailed!

M.Sc. Chris Wojzechowski

The blackmail business has been flourishing on the Internet for quite some time. A new scam is now hitting developers: their public Git repository is deleted, and all that remains is a note with a wallet address to which approx. 0.1 bitcoin is to be transferred in order to get the data back.

The developers are not completely innocent. Since most developers have a local repository, the damage is limited. The attack is nonetheless both interesting and critical.

Two-Factor-Auth would have prevented blackmail wave

The linchpin of the attack is, as so often, the access data. Initially it was speculated that the data had been guessed, i.e. that a brute force attack was used. However, this suspicion was quickly dispelled. After brief research it turned out that the access data had been uploaded by the users themselves.

The attackers were able to download the access data in plain text from the .git/config file. Storing credentials there is a step taken out of convenience and carelessness. Basically there is nothing against creating such a file, but of course it should not find its way into the public Git repository.

As additional security, two-factor authentication should be enabled. This does not offer 100% security either, but it prevents such careless mistakes from being exploited. By now all larger code hosting providers, such as GitLab, offer this service.
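A check for the mistake described above, as an added example that is not part of the original article: it looks for remote URLs in a .git/config that embed a password and reports them with the secret masked. The function names and the sample configuration (host, user, password) are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

SECTION = re.compile(r'^\s*\[(.+?)\]\s*$')
URL_KEY = re.compile(r'^\s*(url|pushurl)\s*=\s*(\S+)', re.IGNORECASE)

# Constructed sample; host, user and password are made up for this example.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://alice:constructed-pass@gitlab.example.com/alice/project.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@gitlab.example.com:alice/project.git
    pushurl = https://gitlab.example.com:8443/alice/project.git
"""

def find_embedded_credentials(config_text):
    """Return one finding per url/pushurl value that embeds a password."""
    findings, section = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        entry = URL_KEY.match(line)
        if not entry:
            continue
        url = entry.group(2)
        try:
            password = urlsplit(url).password
        except ValueError:  # malformed URL, nothing to extract
            continue
        if password:
            # Mask the secret so the report itself is safe to share.
            redacted = url.replace(":" + password + "@", ":***@", 1)
            findings.append({"line": lineno, "section": section,
                             "key": entry.group(1).lower(), "url": redacted})
    return findings

def scan_tree(root):
    """Check every .git/config below root; returns {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob("config"):
        if path.parent.name == ".git" and path.is_file():
            found = find_embedded_credentials(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits
```

Any credential this reports should be treated as exposed and rotated, not just removed from the file.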

Pay Bitcoin – otherwise the Git repository will be deleted!

After the attackers had successfully logged into the account, the data was deleted. Once the Git repository has been deleted, only a short message remains, in which the developers are blackmailed. The attackers want 0.1 bitcoin within 10 days.

If the developer does not comply with the demand, the data is deleted for good. The attacker claims to have pulled a copy of the repository. If the developer doesn’t have a local repository, things get tight. If you have a complete copy of the repository, you can restore it with the following command:

git push origin HEAD:master --force

Private, free repositories are affected. GitLab offers a service for commercial customers that warns about credentials in the repository.

A reminder for those who didn’t believe in an attack

The easiest prey is the one that doesn’t see itself as prey. That is the case here as well. For the general public, public repositories are an important place to go. Often there is the assumption that one is simply not interesting enough for an attack. This incident proves the opposite. At the end of the day, however, this is good for everyone.

My name is Chris Wojzechowski and I studied my Master in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.