Gitlocker Phishing Attacks
In the evolving landscape of cybersecurity threats, a new Gitlocker attack campaign has emerged, targeting GitHub repositories. This operation involves malicious actors compromising accounts, wiping repository contents, and demanding victims contact them via Telegram for further instructions. This article delves into the specifics of this campaign, its modus operandi, and recommended security measures to protect against such attacks.
Table of Contents
Attack Modus Operandi
Attackers in the Gitlocker campaign are specifically targeting GitHub repositories. Once they gain access to a repository, they proceed to wipe its contents. The attackers then rename the repository and leave a README.me file with a ransom note, instructing victims to contact them on Telegram.
Stolen Credentials
The threat actor behind this campaign, operating under the handle Gitloker on Telegram, appears to gain access to GitHub accounts using stolen credentials. Posing as a cyber incident analyst, they claim to have backed up the compromised data and offer to help restore it. The full text of the ransom note reads:
'I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup.'
Response and Recommendations
Following previous attacks, GitHub has advised users to change their passwords to secure their accounts against unauthorized access. This action is crucial to prevent malicious activities such as the addition of new SSH keys, authorization of new apps, or modification of team members.
Enhanced Security Measures
To prevent further compromises and detect suspicious activities, users are encouraged to implement the following security measures:
- Enable Two-Factor Authentication (2FA): Adding an extra layer of security to the login process.
- Add a Passkey: For a secure, passwordless login.
- Review and Revoke Unauthorized Access: Regularly check and manage SSH keys, deploy keys, and authorized integrations.
- Verify Email Addresses: Ensure all associated email addresses are correct and secure.
- Review Account Security Logs: Track repository changes to identify any unauthorized modifications.
- Manage Webhooks: Regularly audit and manage webhooks on repositories.
- Check for New Deploy Keys: Revoke any unauthorized or new deploy keys.
- Review Recent Commits and Collaborators: Ensure all recent changes and contributors are legitimate.
Historical Context of GitHub Compromises
The Gitlocker attack is not an isolated incident. GitHub accounts have previously been targeted and compromised, leading to significant data breaches.
March 2020 Microsoft Breach: Hackers compromised Microsoft's account, stealing over 500GB of files from private repositories. While the stolen data mainly consisted of code samples and test projects, there were concerns about the exposure of private API keys and passwords. The threat actor ShinyHunters eventually leaked the data for free after initially planning to sell it.
September 2020 Phishing Campaign: GitHub users were targeted in a phishing campaign involving fake CircleCI notifications. Attackers aimed to steal GitHub credentials and 2FA codes via reverse proxies. After compromising accounts, they exfiltrated data and added new user accounts to maintain persistent access.
Conclusion
The Gitlocker Phishing Attack underscores the persistent threat to online repositories and the importance of robust security practices. By implementing recommended security measures and staying vigilant, users can better protect their GitHub accounts from unauthorized access and potential data loss. As cyber threats continue to evolve, maintaining a proactive approach to security is essential for safeguarding valuable digital assets.