Someone is hacking, deleting GitHub repositories for Bitcoins
Reportedly, GitHub has been hit by hackers who are hijacking private code repositories and deleting them in order to blackmail their owners for ransom. They then ask for Bitcoins with a promise of restoring the deleted data, according to a report in Motherboard. Similar cases have been reported on other Git hosting services, including BitBucket and GitLab. Here are the details.
Projects and code being replaced with a ransom message
Several developers using these Git hosting services have reported a break-in in which their repository's contents were wiped and replaced with a demand for Bitcoin. The note left behind claims that the attackers have downloaded all of the source code and recent commits and that they will publish it or use it themselves unless the owner agrees to pay $570 in Bitcoin.
Hundreds of developers likely compromised
While only a handful of developers have reported the attack so far, the actual number of victims is probably much larger. BitBucket says that, based on internal and public estimates, around 1,000 developer repositories may have been compromised. Meanwhile, a search for the attackers' Bitcoin address on GitHub turned up as many as 392 ransomed projects, ZDNet reported.
Dozens of abuse reports filed against the attackers' Bitcoin address
In addition, the Bitcoin address given by the attackers has been reported 27 times on BitcoinAbuse.com, a site that tracks malicious activity by Bitcoin address. It is also worth noting that the address has received only a single payment, of about $3.
However, no word on how they're hijacking these repositories
The attack differs from typical ransomware, where the attacker encrypts the files on your PC and demands money for the key. Here, the data was wiped from an online platform in what looks like a well-coordinated campaign. There is no confirmation of how the attackers got in, but some affected developers have admitted to using weak passwords.
GitLab's director of security Kathy Wang says the passwords were stored in plaintext
"We have strong evidence that the compromised accounts have account passwords being stored in plaintext on deployment of a related repository. We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible."
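The plaintext credential storage the statement describes is easy to check for on a deployed checkout. The shell script below is an added example, not code from the article or from GitLab: it looks for the two files Git itself reads passwords from in the clear, `.git-credentials` (written by `git config credential.helper store`) and `.netrc`, and for remote URLs in `.git/config` that embed a `user:password@` pair. The sample checkout it scans is constructed here for the demonstration, and the `redact_remote_url` helper shows the form a remote URL should take once the password has been moved into a credential manager.

```shell
#!/bin/sh
# Added example, not from the article or GitLab. Scans a directory tree for
# plaintext Git credentials of the kind GitLab's statement describes.
# Assumption: the credentials live in .git-credentials or .netrc files, or in
# remote URLs of the form scheme://user:password@host/... inside .git/config.

# Print one line per finding under the given root directory.
scan_git_credentials() {
    root="$1"
    # 1. Files that store passwords in the clear by design:
    #    .git-credentials (credential.helper store) and .netrc (curl/git).
    find "$root" -type f \( -name .git-credentials -o -name .netrc \) -print \
        | sed 's/^/plaintext credential file: /'
    # 2. Remote URLs that embed user:password@ in any .git/config.
    #    SSH remotes (git@host:path) have no "://" and are not flagged.
    find "$root" -type f -path '*/.git/config' \
        -exec grep -lE 'url[[:space:]]*=[[:space:]]*[a-z]+://[^/:@[:space:]]+:[^/@[:space:]]+@' {} \; \
        | sed 's/^/embedded password in remote URL: /'
}

# What the remote URL should look like once the password lives in a credential
# manager: drop everything between "://" and "@".
redact_remote_url() {
    printf '%s\n' "$1" | sed -E 's#^([a-z]+://)[^/@]+@#\1#'
}

# Constructed sample checkout for the demonstration (not real data):
# "app" leaks a password twice, "clean" is a correctly configured clone.
make_sample_checkout() {
    d=$(mktemp -d)
    mkdir -p "$d/app/.git" "$d/clean/.git"
    cat > "$d/app/.git/config" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://alice:hunter2@github.com/acme/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
EOF
    cat > "$d/clean/.git/config" <<'EOF'
[remote "origin"]
    url = https://github.com/acme/clean.git
EOF
    printf 'https://alice:hunter2@gitlab.com\n' > "$d/app/.git-credentials"
    printf '%s\n' "$d"
}

# Demo run against the constructed checkout; on a real host, point
# scan_git_credentials at the deployment directory instead.
d=$(make_sample_checkout)
scan_git_credentials "$d"
redact_remote_url 'https://alice:hunter2@github.com/acme/app.git'
rm -rf "$d"
```

A hit on the second check means the password is also visible to anyone who can read the working copy, including a deploy that copies `.git` along with the code; rewrite the remote with the redacted URL and let a credential helper (or a deploy token with only the scopes the job needs) supply the secret.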
Also, your code may be recoverable
Now, in at least some cases, security researchers on Stack Exchange found that the attackers didn't actually delete the repository's contents: they overwrote the branch head with a new commit (described as altering the Git commit headers), so the original commits are still in the repository and can be recovered. They have shared the recovery process; if it doesn't work, we recommend contacting your Git hosting service before paying the ransom, as they may be able to restore the repository for you.
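The recovery works because a force-push only moves the branch reference; the commits it used to point at stay in the repository's object store until garbage collection prunes them. The script below is an added example, not the commands from the Stack Exchange post the article refers to and not from the article itself: it sets up a throwaway bare repository standing in for the hosting service's copy, models the attack as a force-push of a single ransom commit over the branch, and then recovers the original history with `git fsck`, which lists commits no reference points to any more, and `git update-ref`. Repository paths, branch name and commit messages are all constructed for the demonstration. On a real hosting service you cannot run `fsck` on the server yourself, which is why the simpler path, force-pushing from an intact local clone, comes first, and why asking the provider is the next step.

```shell
#!/bin/sh
# Added example, not from the article or the Stack Exchange post it cites.
# Models the repository overwrite and recovers the old commits. Assumptions:
# git is installed; the "server" is a local bare repository; the attacker's
# overwrite is a force-push of one unrelated commit over the victim's branch.
set -e

# Fixed identity so commits work in a clean environment.
GIT="git -c user.name=demo -c user.email=demo@example.invalid"

# Bare server repo plus a victim clone with two pushed commits (constructed).
setup_repos() {
    work=$(mktemp -d)
    $GIT init -q --bare "$work/server.git"
    $GIT -C "$work/server.git" symbolic-ref HEAD refs/heads/main
    $GIT init -q "$work/victim"
    $GIT -C "$work/victim" symbolic-ref HEAD refs/heads/main
    printf 'print("hello")\n' > "$work/victim/app.py"
    $GIT -C "$work/victim" add app.py
    $GIT -C "$work/victim" commit -q -m "initial"
    printf 'print("v2")\n' >> "$work/victim/app.py"
    $GIT -C "$work/victim" commit -q -a -m "second"
    $GIT -C "$work/victim" push -q "$work/server.git" main
    printf '%s\n' "$work"
}

# The attack: a single unrelated commit is force-pushed over main.
# The server keeps the old objects; only refs/heads/main has moved.
simulate_attack() {
    work="$1"
    $GIT init -q "$work/attacker"
    $GIT -C "$work/attacker" symbolic-ref HEAD refs/heads/main
    printf 'pay or the code goes public\n' > "$work/attacker/README"  # stand-in note
    $GIT -C "$work/attacker" add README
    $GIT -C "$work/attacker" commit -q -m "ransom note"
    $GIT -C "$work/attacker" push -q --force "$work/server.git" main
}

# "<commit count> <subject of tip>" for a branch, to show the state.
branch_summary() {
    printf '%s %s\n' "$($GIT -C "$1" rev-list --count "$2")" \
                     "$($GIT -C "$1" log -1 --format=%s "$2")"
}

# Option 1: an intact local clone is simply pushed back over the note.
# Usage: restore_from_clone <clone dir> <server url> <branch>
restore_from_clone() {
    $GIT -C "$1" push -q --force "$2" "$3"
}

# Option 2: no clone. Dangling commits are old tips nothing points at any
# more; take the one with the longest history and point the branch at it.
recover_branch() {
    repo="$1"; branch="$2"; best=""; best_count=0
    for sha in $($GIT -C "$repo" fsck --no-reflogs 2>/dev/null | awk '/^dangling commit/ {print $3}'); do
        count=$($GIT -C "$repo" rev-list --count "$sha")
        if [ "$count" -gt "$best_count" ]; then best="$sha"; best_count="$count"; fi
    done
    [ -n "$best" ] || return 1
    $GIT -C "$repo" update-ref "refs/heads/$branch" "$best"
    printf '%s\n' "$best"
}

# Demo run.
work=$(setup_repos)
echo "before attack:  $(branch_summary "$work/server.git" main)"
simulate_attack "$work"
echo "after attack:   $(branch_summary "$work/server.git" main)"
recover_branch "$work/server.git" main >/dev/null
echo "after recovery: $(branch_summary "$work/server.git" main)"
rm -rf "$work"
```

Two caveats a practitioner should keep in mind: the dangling objects survive only until the server runs `git gc` with pruning, so recovery is time-sensitive, and a repository with several dangling commits (abandoned branches, old rebases) needs the right tip chosen by inspecting `git log` rather than by the longest-history heuristic used here.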