
Git repository deleted – developers blackmailed!


The blackmail business has been flourishing on the Internet for quite some time. A new scam is now hitting developers: their public git repositories are being deleted. All that remains is a note with a wallet address to which approx. 0.1 bitcoin is to be transferred in order to get the data back.

The developers are not entirely innocent. Since most developers have a local repository, the damage is limited. The attack is nonetheless both interesting and critical.

Two-Factor-Auth would have prevented blackmail wave

The linchpin of the attack is, as so often, the access data. Initially it was speculated whether the credentials had been guessed, i.e. whether a brute force attack had been used. However, this suspicion was quickly dispelled. After a short investigation it turned out that the access data had been uploaded by the users themselves.

The attackers were able to read the access data in plain text from the .git/config file. Developers take this step out of convenience and carelessness. Basically there is nothing wrong with creating such a file, but of course it must not find its way into the public Git repository.
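A defender-side check for exactly this mistake, added here as an example that is not part of the original article: it parses a constructed .git/config, flags every remote URL that embeds a username and password, and produces the cleaned URL one would pass to `git remote set-url`. The config content, remote names and credentials are all constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config; "origin" embeds a placeholder username/password in its URL.
SAMPLE_CONFIG = """\
[remote "origin"]
\turl = https://devuser:s3cretP4ss@gitlab.example.com/team/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:team/app.git
"""

SECTION_RE = re.compile(r'^\[([\w.-]+)(?:\s+"([^"]*)")?\]$')
KEY_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*(.*?)\s*$')

def parse_git_config(text):
    """Minimal parser for git's INI-like config: {(section, subsection): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):   # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections

def find_embedded_credentials(text):
    """List (remote, username, has_password) for every remote URL carrying userinfo."""
    findings = []
    for (section, name), keys in parse_git_config(text).items():
        if section == 'remote' and 'url' in keys:
            parts = urlsplit(keys['url'])
            if parts.username:   # scp-style git@host:path URLs have no netloc and are skipped
                findings.append((name, parts.username, parts.password is not None))
    return findings

def strip_userinfo(url):
    """Return the URL without user:password, the value to pass to 'git remote set-url'."""
    parts = urlsplit(url)
    if not parts.username:
        return url
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
```

After cleaning the URL, a credential helper (`git config credential.helper ...`) keeps the password out of the repository entirely.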

As additional protection, two-factor authentication should be enabled. This does not offer 100% security either, but it prevents such careless mistakes from being exploited. All larger code hosters, such as GitLab, now offer this service.

Pay Bitcoin – otherwise the Git repository will be deleted!

After the attackers had successfully logged into the account, the data was deleted. Once the git repository has been deleted, only a short message remains, in which the developers are blackmailed. The attackers demand 0.1 bitcoin within 10 days.

If the developer does not comply, the data is deleted for good. The attacker claims to have pulled a copy of the repository. If the developer does not have a local repository, the situation becomes serious. If you have a complete copy of the repository, you can restore it with the following command:

git push origin HEAD:master --force

Private, free repositories are affected. GitLab offers a service for commercial customers that warns about credentials in the repository.

A reminder for those who didn't believe in an attack

The easiest prey is the one that doesn't see itself as prey, and so it was in this case. For the general public, public repositories are an important resource. Often there is the assumption that one is simply not interesting enough to be attacked. This incident proves the opposite. At the end of the day, however, that lesson is good for everyone.


Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. During my bachelor's and master's studies I specialised in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware and web security. As a penetration testing expert I find vulnerabilities in systems and networks and use them to simulate realistic cyber attacks and to improve security measures. Through reverse engineering I discover flaws and opportunities for improvement in software and hardware. My skills in hardware and web security enable me to protect physical devices and online platforms against a wide range of cyber threats and to ensure their integrity and reliability.