back to article Mystery Git ransomware appears to blank commits, demands Bitcoin to rescue code

Programmers say they've been hit by ransomware that seemingly wipes their Git repositories' commits and replaces them with a ransom note demanding Bitcoin. An unusual high number of developers have griped online about the effects of the software nasty, with at least two reports seen by El Reg referencing the freeware …

  1. Anonymous Coward
    Anonymous Coward

    My github account was also accessed yesterday, but saw it was accessed, kicked the connection reset passwords.

    1. This post has been deleted by its author

  2. edris90

    Those who post their source code publicly are immune to such threats.

    don't you know the quickest way to get people to break into anywhere is to put a lock on it.

    if your business model depends on secrets your business model is broken from the start

    1. GettinSadda

      No Secrets?

      Cool - then I'm sure you are willing to prove your point by posting the full details of all of your credit cards, and the username and password for every online account you use...

      Or are secrets suddenly far more important to business than you previously thought?

    2. Doctor Huh?

      "if your business model depends on secrets your business model is broken from the start"

      Tell that to Coca-Cola or Colonel Sanders...

      1. Michael Wojcik Silver badge

        Re: "if your business model depends on secrets your business model is broken from the start"

        Tell that to Coca-Cola or Colonel Sanders

        To be fair, neither of those are actually secret. William Poundstone discusses both in Big Secrets or one of its sequels.

        The Coca-Cola and KFC "secret recipes" are marketing gimmicks.

        RC4 is another famous trade secret that didn't stay secret very long.

        That said, I think the previous poster's generalization is relatively useless, like all generalizations.1

        1"We all generalize from a single example. I know I do." (Steven Brust)

    3. dajames Silver badge

      if your business model depends on secrets your business model is broken from the start

      No ... but if your business model depends on your source code being secret you should probably think twice before using a third-party repository.

  3. Netbofia
    Devil

    CMD commits

    I'm I that old fashioned? What happened to committing via command line?

    Assuming the point of failure was the git GUI.

    1. Joe W

      Re: CMD commits

      Well, and the whole system working as it is, shouldn't every working copy be the full archive (though not necessarily all branches, but at least master and what you have been working on recently)?

    2. John Miles

      Re: What happened to committing via command line?

      Since I have been using code repositories starting with Visual SourceSafe in 90s, through several others to GIT now I pretty much always use a GUI to check in my commits - I find GUIs make it much easier to review all of the changes I am committing

      1. richardcox13

        Re: What happened to committing via command line?

        > I find GUIs make it much easier to review all of the changes I am committing

        Diffs are definitely easier with GUI tools.

        However for everything else cli is more powerful. Knowing the git cli means there is a lot more help available when you need to do something that is a little unusual.

        1. John Miles

          Re: What happened to committing via command line?

          Depends on how good the GUI is - not all of them are equal.

          I can drop to the command line if I need to, but as 99% of the time I don't need the extra cli provides as workflows are quite simple I just stay in preferred GUI as it works well for me.

          We are only using GIT because project team wanted it on their CV and never used any of the power of GIT (one conversation went they hadn't check in code yet as waiting for testing to finish )

        2. Anonymous Coward
          Anonymous Coward

          Re: What happened to committing via command line?

          Depends on how you define easier. Easier to me is path of least resistance. Using a terminal, I can diff files extremely quickly and with the precise logic I need meaning I don't have to scroll through endless diffs I don't care about.

          It's more complicated, sure, but is it harder? After practice, no.

          http://man7.org/linux/man-pages/man1/diff.1.html

          1. John Miles

            Re: What happened to committing via command line?

            Why are you checking in endless diffs you don't care about? That to me seems like a problem to me

          2. phuzz Silver badge

            Re: What happened to committing via command line?

            A CLI is great when you know ahead of time what information you want to be displayed (and any bulk, or repetitive tasks).

            A GUI is better for more investigative tasks (ie problem solving) where you don't know that you need something until you look at it.

            The both have their place, and which you use most is more down to what your job involves.

        3. macjules Silver badge

          Re: What happened to committing via command line?

          Example of why not to use GUI: "Push merge immediately to Master" checkbox. Also when committing a large number of, for example, vendor files don't you just want to do $git add vendor/* instead of clicking all the down the list and then realising that you accidentally added something else as well?

        4. Michael Wojcik Silver badge

          Re: What happened to committing via command line?

          Diffs are definitely easier with GUI tools.

          For some, perhaps. Personally, I loathe GUI diff viewers.

          Of course, whenever someone declares one way of working is "definitely" easier, or better, or more efficient, it's likely you won't have to go far to find a counterexample. Rhetorically, "definitely" is an adverb meaning "I can't be bothered to give this much thought".

    3. Anonymous Coward
      Anonymous Coward

      Re: CMD commits

      No, you're not old fashioned. I notice more people use GUI repo managers on Windows. Especially old school Devs used to using the likes of Tortoise SVN etc.

      It's actually more of a throwback to use a GUI than it is to manage repos with the CLI.

      1. John Miles

        Re: CMD commits

        probably because most of us "old school" grew up with CLI and found GUIs hugely more productive when they became available

        1. Pseudonymous Clown Art

          Re: CMD commits

          How is it more productive than the CLI? Or better yet an IDE with GIT integration? I'm not extremely old school, but I'm not exactly new to dev either (20 years).

          Introducing an additional tool seems wasteful and slow to me.

          E.g. if I wanted to commit a change and push it to staging for testing I can do that with two or three quick commands from a single window on the CLI from the desktop session I'm already in.

          With a GUI I have to faff around connecting to the remote box, firing up my GUI of choice, drilling down the branches etc and then pull the changes in.

  4. gnasher729 Silver badge

    I have a github account with code in it that is of value to me - but the same repository is also on three Macs at my home, and on several Time Machine backups. So destroying my github account would be a bit inconvenient, but no data loss.

    1. d3vy

      Yeah but they didnt threaten to destroy it, they threatened to leak it.

      Might not be an issue for you, but will definitely be an issue for others.

    2. Bakerman

      Yep, git may be a very popular version control system but being distributed, combined with the tendency for programmers to be protective of their work and thus keep backups, it doesn't seem like the optimal target.

      1. Michael Wojcik Silver badge

        it doesn't seem like the optimal target

        An attack like this probably costs them very little and has great economies of scale, so it doesn't matter if the return rate is low. It's nearly all profit.

        1. EnviableOne Bronze badge

          RE: nearly all profit

          Depends on if people pay up, ATOP only 1 payment

          https://www.blockchain.com/btc/address/1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA

  5. Marco Fontani

    Looks like Gitlab's also experiencing similar issues: https://about.gitlab.com/2019/05/03/suspicious-git-activity-security-update/

  6. Hans 1 Silver badge
    Facepalm

    Attacker attempts to incovenicence Distributed Version Control System users

    Ok, I understand that few here know how git works ....

    anybody who clones a git repo has all the commits ever pushed to the repo at the time he last cloned, fetched, pulled. These braindead are like, hey, lets delete something on the git server, and then ask for money, hehehehe ... where every single dev on the project has all the data, almost ... the guy who fetch/pull'd last and the guy who pushed the last commit have all the data, combined.

    1. Jamie Jones Silver badge
      FAIL

      Re: Attacker attempts to incovenicence Distributed Version Control System users

      I'd wager that many here know how git works, but it appears some don't know how English works :-)

      The threat was not that you'd lose your code, but that they'll make it public. RTFA!

      1. Hans 1 Silver badge
        WTF?

        Re: Attacker attempts to incovenicence Distributed Version Control System users

        I have read the article:

        The netizen added that the ransom note they received referenced gitsbackup[dot]com, and demanded about $560 in crypto-currency to un-fsck the repo.

        They have apparently attacked [FL]OSS repos as well.

        As for publishing the code, I guess the attackers are a bit thick, who do you think would trust them ? They could just as well come back every month and demand payment.... do not reward scum or you will attract more ...

        https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped

        See first update.

  7. rmstock

    The Microsoft curse

    This has been said many times in the past, but a lot of strategic purchases by Bill Gates and Microsoft somehow turned into dust and ashes.

    1. steviebuk Silver badge

      Re: The Microsoft curse

      You know Bill Gates hasn't worked at MS for years. He's also not a majority share holder so wouldn't be able to decide what it does and doesn't purchase.

    2. msage

      Re: The Microsoft curse

      Literally only one company in the entire article is owned by Microsoft :/

  8. Will Godfrey Silver badge
    Thumb Up

    Fine for some

    Actually I'd be delighted if they spread our little FOSS project far and wide. The more exposure the better. We might even get some more experienced devs helping out.

    1. whitepines Silver badge
      Big Brother

      Re: Fine for some

      The more exposure the better

      Was that with or without the rewritten commit inserting a nasty banking trojan into your project, with you listed as author?

      In all seriousness, the largest threat I see here is lost chain of trust / integrity. The codebase would need a thorough external audit after being "recovered" by paying the hackers, and I guarantee next to no one would pay for that, especially not the small time commercial developers likely to be hit by this with no offline backups in the first place.

      And if malware injection were to happen this way in a commercial application, would the bar be high enough to legally convict the developers on some form of negligence when downstream customer computers are infected? Especially if the code wasn't recovered from backups and compared or an external auditor paid with paper trail?

      1. Will Godfrey Silver badge

        Re: Fine for some

        I wouldn't be paying - just resetting and uploading a clean copy.There are 4 of us that keep full repositories and we all work entirely via the CLI. We also keep more than one remote on different hosts.

        None of us do any auto updates either - all done manually, barely any slower and much safer.

        1. whitepines Silver badge

          Re: Fine for some

          Sounds like you do things the right way. The fly by night closed "app people" that I wonder about here I'm almost certain wouldn't be using that level of redundancy, let alone cross checks, and wouldn't know how to reset the HEAD ref in the first place...

  9. Ben Tasker Silver badge

    What this means to me is that the attacker doesn't have the code and there's no threat of them going over the source code for sensitive data or of making the code public.

    His conclusion doesn't actually follow on.

    The fact they've simply munged head means he hasn't lost data (despite their attempt to make it look otherwise).

    But, that has no bearing on whether they have or haven't walked off with a copy of the codebase. Assuming it was the client they compromised, it'd be fairly trivial for them to have a push actually

    - push to their servers, with those servers dynamically creating a reponto house it in

    - munge head

    - Do a force fast-forward push to the original origin to push the munged head

    - Remove references to their server

    I'm not saying that has happened. But nothing mentioned in the article is evidence enough to conclude they don't have the code

    It is more likely though that those affected have had their credentials to the various hosting services leaked.

  10. Anonymous Coward
    Anonymous Coward

    Linked-In leakage?

    Could it be the case that someone has cracked some of the hashed passwords on the Linked-In leak and found themselves enough working GitHub credentials to make it worth their while?

    I have recently had many, many emails about my degenerate porn habits with faked headers set to look like the mail came from my email account as proof of the successful hack. Those spam mails were citing an actual password, which was indeed the mail+password I used for linked-in and other on-line trash accounts "back then".

    1. Anonymous Coward
      Anonymous Coward

      Re: Linked-In leakage?

      The LinkedIn breach was very productive for the criminal hacker community, but it was just one of many credential pools posted on Pastebin and other public platforms. We can also thank serial privacy violators/privateers like Equifax for their "contributions" to the resources now available to these new startups. Commercial software vendors, as usual, are all form and little function when it comes to countermeasures, because they feel safe in their assumption customers have no where else to go. Of course the greatest praise should be reserved for the leading national intelligence services whose seed money in the form of outsource contracts and leaked toolkits, not to mention inaction in the midst of attacks on the citizenry they're supposed to protect, has made life so much easier for these operators.

  11. thosrtanner
    Unhappy

    It appears from one of the linked threads was that those repos hacked had put their code in a cloud service with their auth keys in their clone's .git/config

    So no security leak at github/gitlab/other affected service. Security leak at author's chair.

    1. Michael Wojcik Silver badge

      One recent study found on average nearly 1800 unique private keys leaked per day on github. I hate to employ the word "epidemic", which has lost all force as a metaphor thanks to misuse, but leaving sensitive data in public repositories is a widespread and serious problem.

  12. Anonymous Coward
    Anonymous Coward

    What do you expect??

    What has happened was guaranteed once M$ bought Github.

    Any bets it will turn out to be something M$ has done that has created a vulnerability??

    1. Tsurotu

      Re: What do you expect??

      You might be spaffing your money away, it is now sounding like people pushing their keys to their webserver, by using git as a deploy tool and exposing their creds.

      So no Microsoft bungling here. Just general bungling.

      And "M$", is it 2005?

  13. m0th3r

    The email / domain used for this is now suspended

    /// Why this was not done before, I have no idea ///

    Hello,

    This is to inform you that the gitsbackup[.]com domain was suspended. It has been placed on the clientHold status and locked to prevent modifications in our system.

    Thank you for letting us know about the issue.

    ------------------------

    Regards,

    Alex B.

    Legal & Abuse Department

    Namecheap Team

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019