According to recent reports, GitHub was hit by attackers: hundreds of repositories were wiped, and the attackers used this to extort Bitcoin from their owners.
However, this is probably little more than a farce. Why?
Even the big players were robbed and told to pay
According to a cnBeta report, the extortionists who plundered GitHub did not spare Microsoft either.
Microsoft confirmed that its open source platform was also hit on the 5th and was likewise asked to pay to get back 392 wiped repositories. Their code and commit history had been deleted by an account named “gitbackup”.
Judging from the message left behind, the attacker removed all of the victim's GitHub code and recently pushed commits from each affected repository, leaving only a ransom note demanding 0.1 Bitcoin (about ¥3850).
The note reads: “To recover your lost code, send 0.1 BTC to the Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and send your Git login details and proof of payment to firstname.lastname@example.org. If you are unsure whether we have your data, you can contact us for verification. If payment is not received within 10 days, the code will be made public or used in other ways.”
Asked about the incident, GitHub replied: “We are in contact with affected users to protect and restore their accounts.” The BitcoinAbuse platform shows that the Bitcoin address has not yet received any ransom.
GitHub recommends that users enable two-factor authentication to add a layer of protection to their accounts.
The attack began on May 3, and besides GitHub, other code hosting platforms such as Bitbucket and GitLab were also affected.
Seemingly serious, but actually a farce?
According to the message, the attacker removed all the data from the repositories. But is that true?
The code is still there
Kathy Wang, GitLab's Director of Security, responded to the attack: “We have identified the affected user accounts and notified all of those users. Based on the results of our investigation, we have strong evidence that the passwords of the compromised accounts were stored in plaintext on a deployment of a related repository.”
Wang's statement speaks to how the accounts were taken over (leaked plaintext passwords), not to whether the data is actually gone. The claim that the attacker did not really delete everything comes from a member of the Security StackExchange community who studied the attack in depth. Wasn't it all deleted? What is the basis for saying otherwise?
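Wang's statement points at passwords kept in plaintext on a deployment. One routine way that happens with git is a remote URL that embeds the password (https://user:password@host/...) in .git/config, or a credential.helper of "store", which writes credentials to ~/.git-credentials in the clear; this is an assumed mechanism for illustration, not something the article or GitLab reports. The following script is an added example, not code from the article, GitLab or the StackExchange thread: it checks a checked-out repository for both conditions and strips the password out of the remote URL. The repository, remote names and the hosts gitlab.example.invalid / github.example.invalid are constructed; git must be installed.

```shell
#!/bin/sh
# Added example (not from the article, GitLab or the StackExchange thread).
# Finds plaintext credentials in a deployed git checkout, assuming the two
# mechanisms named in the lead-in: userinfo embedded in a remote URL and
# credential.helper=store. All repository data below is constructed.
set -e

# Print the name of every remote whose URL carries userinfo with a password
# (scheme://user:password@host). A bare user without a password is not reported.
embedded_credential_remotes() {
  git -C "$1" config --get-regexp '^remote\..*\.url$' 2>/dev/null \
    | awk '$2 ~ /^[a-zA-Z+]+:\/\/[^\/@]+:[^\/@]+@/ {
             sub(/^remote\./, "", $1); sub(/\.url$/, "", $1); print $1 }'
}

# Report a credential helper that keeps secrets in plaintext ("store").
plaintext_credential_helper() {
  git -C "$1" config --get credential.helper 2>/dev/null | grep -x store || true
}

# Rewrite a remote URL without its userinfo; authentication then goes through
# a credential helper or a token supplied at fetch time instead of the config file.
strip_remote_credentials() {
  repo=$1; name=$2
  url=$(git -C "$repo" remote get-url "$name")
  clean=$(printf '%s\n' "$url" | sed -E 's#^([a-zA-Z+]+://)[^/@]+@#\1#')
  git -C "$repo" remote set-url "$name" "$clean"
  echo "$clean"
}

# Constructed repository whose deploy config embeds a password and uses "store".
demo_repo() {
  d=$(mktemp -d)
  git init -q "$d"
  git -C "$d" remote add origin 'https://deploy:s3cr3t@gitlab.example.invalid/grp/app.git'
  git -C "$d" remote add mirror 'https://github.example.invalid/grp/app.git'
  git -C "$d" config credential.helper store
  echo "$d"
}

demo() {
  r=$(demo_repo)
  echo "remotes with embedded password: $(embedded_credential_remotes "$r")"
  echo "plaintext credential helper   : $(plaintext_credential_helper "$r")"
  echo "rewritten origin URL          : $(strip_remote_credentials "$r" origin)"
  echo "remaining offenders           : [$(embedded_credential_remotes "$r")]"
}
demo
```

Run the same three functions against a real deployment directory (for example `embedded_credential_remotes /var/www/app`) to audit it; a positive result means the password is readable by anyone who can read the config file, and by anyone on the internet if the `.git` directory is served by the web server.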
The study found that “in general, the git reflog still shows all the commits, which means it would have been very hard for an attacker to clone every repository, so the chances of them having searched for sensitive data or open code are low. This looks more like a random, large-scale attack, and the attack itself was carried out by a script.”
They found that the attacker did not appear to have actually removed the data as the ransom note claimed, but had only moved the Git commit HEAD, which means the data is likely recoverable under certain circumstances.
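The observation above, that only the branch head was moved and the commits themselves survive, can be reproduced locally. The script below is an added example, not code from the article or from the StackExchange thread: it builds a bare "origin" with two real commits, lets an attacker force-push a single orphan commit carrying a placeholder ransom note, and then recovers the history two ways, from a developer clone via the reflog of the remote-tracking branch, and on the hosting side via fsck, where the old tip is unreachable but still on disk. All paths, names and the note text are constructed; git must be installed.

```shell
#!/bin/sh
# Added example; not code from the article or from the StackExchange thread.
# Reproduces the shape of the "gitbackup" wipe on a local bare repository:
# the attacker force-pushes one orphan commit, so the branch ref moves, but
# nothing is garbage-collected and the old history remains recoverable.
# All paths, names and the ransom note are constructed.
set -e

# 1. Bare "origin" plus a developer clone that pushes two real commits.
setup_scenario() {
  WORK=$(mktemp -d)
  git init -q --bare "$WORK/origin.git"
  git -C "$WORK/origin.git" symbolic-ref HEAD refs/heads/main
  git clone -q "$WORK/origin.git" "$WORK/victim" 2>/dev/null
  cd "$WORK/victim"
  git config user.name dev && git config user.email dev@example.invalid
  echo 'print("v1")' > app.py && git add app.py && git commit -q -m "first"
  echo 'print("v2")' > app.py && git commit -q -am "second"
  git checkout -q -B main      # pin the branch name regardless of git's default
  git push -q origin main
  ORIG_TIP=$(git rev-parse HEAD)
  cd - >/dev/null
}

# 2. The attacker, holding leaked credentials, replaces the branch with one
#    orphan commit that carries nothing but the (placeholder) ransom note.
attacker_wipe() {
  git clone -q "$WORK/origin.git" "$WORK/attacker"
  cd "$WORK/attacker"
  git config user.name gitbackup && git config user.email x@example.invalid
  git checkout -q --orphan wipe
  git rm -q -rf .
  echo "CONSTRUCTED RANSOM NOTE: pay 0.1 BTC within 10 days" > README.md
  git add README.md && git commit -q -m "Pay to recover your code"
  git push -q -f origin wipe:main
  cd - >/dev/null
}

# 3a. Recovery from any developer clone: after a fetch, the reflog of the
#     remote-tracking branch still records where origin/main was; push it back.
recover_from_clone() {
  cd "$WORK/victim"
  git fetch -q origin
  old=$(git rev-parse 'origin/main@{1}')   # position of origin/main before the fetch
  git push -q -f origin "$old:refs/heads/main"
  cd - >/dev/null
  echo "$old"
}

# 3b. Recovery on the hosting side with no clone at hand: the old tip is now
#     unreachable from any ref but still on disk, so fsck reports it as a
#     dangling commit and the branch ref can be pointed back at it.
recover_on_server() {
  lost=$(git -C "$WORK/origin.git" fsck --no-reflogs 2>/dev/null \
           | awk '/^dangling commit/ { print $3 }')
  git -C "$WORK/origin.git" update-ref refs/heads/main "$lost"
  echo "$lost"
}

# Run both scenarios and print what each recovery path found.
demo() {
  setup_scenario && attacker_wipe
  echo "original tip : $ORIG_TIP"
  echo "after wipe   : $(git -C "$WORK/origin.git" rev-parse main)"
  echo "server fsck  : $(recover_on_server)"
  setup_scenario && attacker_wipe
  echo "clone reflog : $(recover_from_clone)"
}
demo
```

The server-side path is what the hosting provider can do; a user of a hosted service normally only has the clone path, which is why keeping at least one up-to-date clone matters. Both paths stop working once the unreachable objects are pruned, so they are worth running before any `git gc`.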
2. Attack analysis
To track down the attackers, the StackExchange researchers ran a “fishing” (honeypot) experiment:
First, they set up some private repositories. Some were given weak, easily cracked passwords, some had access tokens that had gone unused for more than a year removed, and the rest were left unchanged. They then emailed GitLab, asking to be told promptly the entry and exit points the attacker used during the attack and what was done in the meantime.
The researchers said that although the weak password began with “a” and contained only “az”, the attacker did not suspect it was a trap set specifically for the “fishing”. In fact, the study found that the attacker located the account through an automated check and then ran a series of git commands.
“If this is how they got in, it means the email addresses and passwords linked to our GitLab/GitHub accounts have also been leaked into some account list. In the first hour after this happened, a Google search showed nothing unusual.”
Another irregularity concerned the access token: the researchers' earlier uses of it should have been recorded with a place and a device, but the records showed only automatically generated activity, so the token itself came under suspicion. In addition, four developers had access to the experimental repository, which means their accounts may also have been attacked.
Further investigation did not reveal any obvious sign of intrusion. “I scanned my computer with BitDefender and couldn't find any traces. I am sure my computer is not infected with malware/trojans, so that is not the cause.”
The researcher added: “The experiment used the latest version of SourceTree, which makes me wonder whether my SourceTree or my system (Windows 10) has a vulnerability. Of course, all of this is just analysis.”
At present the StackExchange poster is working with GitLab to obtain more information (if any) to help with the recovery plan.