What is the issue?
Attackers have targeted GitHub, GitLab, and Bitbucket users by wiping the code and commit history from the victims’ Git repositories and leaving behind a ransom note demanding a payment of 0.1 Bitcoin (~$570).
Why does it matter?
The ransom note threatens to make the victims’ code public if they do not pay the ransom within 10 days.
“To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at email@example.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise,” the ransom note read.
How many repositories targeted?
What is the response so far?
Kathy Wang, Director of Security at GitLab, said that they conducted an investigation and found that the compromised accounts had their passwords stored in plaintext in the deployment of a related repository. Wang also said that they have identified the affected user accounts and are notifying them.
“We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue,” Wang said.
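As an added illustration (not part of this report, nor GitLab’s own tooling), the following Python script checks a checkout or deployment directory for the kind of plaintext Git credentials Wang describes: passwords embedded in remote URLs in `.git/config`, entries in `.git-credentials`, and `password` fields in `.netrc`. The file names it inspects, the function names, and the sample inputs in the usage block are assumptions made for the example; findings are reported with the secret redacted so the report itself does not leak it.

```python
"""Scan a directory for Git credentials stored in plaintext.

Hypothetical defender-side check written for this example. It inspects the
files where plaintext Git passwords most often end up:
  * .git/config        -> remote URLs such as https://user:pass@host/repo.git
  * .git-credentials   -> one URL with embedded credentials per line
  * .netrc / _netrc    -> "machine HOST login USER password SECRET" lines
Passwords are replaced by '***' in the findings.
"""
import re
import sys
from pathlib import Path
from typing import List, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, int, str]  # (file path, line number, redacted evidence)

# Any http(s)/ssh/git URL; whether it carries "user:password@" is decided by urlsplit.
URL_RE = re.compile(r"(?:https?|ssh|git)://[^\s'\"]+", re.IGNORECASE)
# The password token in a .netrc line.
NETRC_PW_RE = re.compile(r"\bpassword\s+(\S+)")
# File names worth scanning (the "config" entry covers .git/config and bare repos).
TARGET_NAMES = {"config", ".git-credentials", ".netrc", "_netrc"}


def redact(url: str) -> str:
    """Return the URL with the password part of the userinfo replaced by '***'."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = parts.netloc.replace(":" + parts.password + "@", ":***@", 1)
    return url.replace(parts.netloc, netloc, 1)


def scan_text(text: str, filename: str) -> List[Finding]:
    """Scan one file's contents; returns one finding per line holding a password."""
    findings: List[Finding] = []
    is_netrc = Path(filename).name in (".netrc", "_netrc")
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(",;)")
            try:
                parts = urlsplit(url)
            except ValueError:
                continue
            # urlsplit().password is None unless the URL has "user:secret@host".
            # A token placed in the username position alone is not flagged here.
            if parts.password:
                findings.append((filename, lineno, redact(url)))
        if is_netrc:
            for match in NETRC_PW_RE.finditer(line):
                redacted = line[: match.start(1)] + "***" + line[match.end(1):]
                findings.append((filename, lineno, redacted))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk `root` (dotfiles included) and scan every file named in TARGET_NAMES."""
    findings: List[Finding] = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.name not in TARGET_NAMES:
            continue
        try:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
    return findings


if __name__ == "__main__":
    # Usage: python scan_git_creds.py /path/to/deployment
    # Constructed sample (an assumption for this example) if no path is given.
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        sample = '[remote "origin"]\n\turl = https://deploy:s3cret@github.com/org/repo.git\n'
        results = scan_text(sample, ".git/config")
    for file, lineno, evidence in results:
        print(f"{file}:{lineno}: plaintext credential: {evidence}")
    sys.exit(1 if results else 0)
```

The exit status makes the script usable as a deployment gate: a non-zero exit means a credential was found and the deploy should be stopped until it is moved into a credential helper or a secrets store.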
Meanwhile, in a security advisory, Bitbucket noted that “a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository.”
Bitbucket has taken the following steps to prevent further malicious activity: