The blackmail business has been flourishing on the Internet for quite some time – a new scam is now hitting developers who are deleting the public git repository. All that remains is a note with the wallet, to which approx. 0.1 bit coins are to be transferred in order to get back to the data.
The developers are not completely innocent. Since most developers have a local repository, the damage is limited. Interesting and critical to the same is the attack anyway.
Two-Factor-Auth would have prevented blackmail wave
The linchpin of the attack is, as so often, the access data. Initially it was speculated whether the data was guessed – i.e. whether a brute force attack was used. However, this suspicion was quickly dispelled. After a short research it turned out that the access data was uploaded by the user.
The attackers were able to download the access data in plain text from the ./git/config file. Out of convenience and carelessness one takes this step. Basically there is nothing against creating such a file – but of course it should not find its way into the public Git repository.
As additional security, two-factor authentication should be enabled. This does not offer 100% security either, but avoids exploiting such careless mistakes. Meanwhile all larger codehosters, such as GitLab, offer this service.
Pay Bitcoin – otherwise the Git repository will be deleted!
After attackers successfully logged into the account, the data was deleted. As soon as the git repository has been deleted, only a short message remains. There the developers are blackmailed. The attackers want 0.1 bitcoin within 10 days.
If the developer does not follow the request, the data is finally deleted. The attacker claims to have pulled a copy of the repository. If the developer doesn’t have a local repository, things get tight. If you have a complete copy of the repository, you can restore it with the following command:
git push origin HEAD:master --force
Private, free repositories are affected. GitLab offers a service for commercial customers that warns against credentials in the repository.
A reminder of those who didn’t believe in an attack
The easiest prey is the one that doesn’t see itself as a prey. So also in this case. For the general public, public repositories are an important place to go. Often there is the assumption that one is simply not interesting for an attack. This incident proves the opposite. At the end of the day, however, this is good for everyone.
This post is also available in: Deutsch (German)