
GitHub hacked: hundreds of source code repositories stolen and held for bitcoin ransom

2025-04-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Produced by the editorial department of big data Digest

After May Day, some programmers looked at the code they hosted on GitHub and found that their source code and repositories had disappeared. Last Thursday, a Reddit user wrote a post saying his repository had been hacked: the code had been deleted and replaced by a ransom note left by the hacker.

The hackers said in the note that they had downloaded the source code and stored it on their own servers. Victims have to pay 0.1 bitcoin, or about 3800 yuan, to a specific account within 10 days, or the hackers will release the code or use it in other ways.

Hacker message:

"To recover the lost code and avoid disclosure: send BTC to our Bitcoin address and contact us via email admin@gitsbackup.com with your Git login information and proof of payment."

"If you are not sure whether we have your data, please contact us and we will send you a certificate. Your code has been downloaded and backed up to our server."

"If we do not receive your payment within the next 10 days, we will disclose your code or use it in other ways."

Warning posts

https://www.reddit.com/r/git/comments/bk1eco/git_ransomware_anyone_else_been_a_victim/?ref=readnext

Although there are hundreds of victims, the hackers have not made much money so far: their bitcoin wallet has received only a payment of about $2.99. Instead, the address of the hackers' wallet has been reported by 34 people on the Bitcoin Abuse database.

Hundreds of victims

According to Motherboard, the hackers compromised as many as 392 code repositories, including Microsoft, and as many as 1000 users could have been attacked.

It is not clear how the hackers broke into all of these accounts, and Atlassian is investigating the incidents to try to resolve the problem. Not only GitHub but also other code hosting sites such as GitLab and Bitbucket have been attacked, so the hackers are likely targeting repositories with poor security rather than exploiting a specific vulnerability.

It is not clear whether the hackers stole anything of value, because many of the code repositories on GitHub are public and some of the project code uploaded by users is "undercooked". The loss may therefore not be as great as imagined.

Most of the victims use weak passwords for their GitHub, GitLab and Bitbucket accounts, or forget to delete access tokens for old applications they haven't used in months, or basically both.

On Twitter, some prominent figures in the developer community are urging victims to contact the GitHub, GitLab or Bitbucket support team before paying any ransom, as there may be other ways to recover the deleted code.

GitLab Security Director Kathy Wang also issued a statement in response to the attacks:

"We have identified the affected user accounts and notified all these users. Based on our findings, we have ample evidence that the account passwords of the compromised accounts are stored in clear text in the deployment of the relevant repository."

To prevent passwords from being stolen, GitLab recommends enabling two-factor authentication and using SSH keys for the account, using strong passwords, and storing passwords in a password manager instead of in plaintext.

Large-scale self-rescue scene

If you have the misfortune to receive a ransom note, do not rush to pay: this is programmers' home turf, and fellow developers are ready to help.

One victim claimed to have found that the hackers did not actually delete the code, and that as long as the victim had a backup of the code on their own machine, the files could be recovered in a relatively simple way.

Here are the remedies he gave:

https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped

Input

git reflog

You can see the hacker's commit.

Input

git checkout origin/master

You can see your files.

Then:

git checkout origin/master
git reflog # take the SHA of the last commit of yours
git reset [SHA]

Then you can repair your origin/master.

Input

git status

HEAD detached from origin/master

The problem has not been fully solved yet.

If you have the code backed up locally, go straight to:

git push origin HEAD:master --force

This solves the problem.

To help prevent such attacks, enthusiastic netizens gave suggestions in their posts.

Daniel Ruf said: this happens because .git/config contains the remote URL, where people add user names; password-related information should not be included there. People should use SSH, deploy keys, or authenticate on each pull, and should not store credentials in the configuration file.

A detailed tutorial on deploying keys:

https://developer.github.com/v3/guides/managing-deploy-keys/

https://gist.github.com/zhujunsan/a0becf82ade50ed06115

https://help.github.com/en/articles/caching-your-github-password-in-git
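As an added illustration of the advice above (not code from the original article or from the posts it quotes), the following Python sketch walks a directory tree and reports any .git/config whose remote URL embeds a user name, token or password, with the secret redacted in the report. The host, user and password in the sample are constructed, the function names are hypothetical, and the check for `credential.helper = store` (which keeps credentials in a plaintext file) goes slightly beyond what the article states.

```python
import os, re, tempfile
from urllib.parse import urlsplit

# Constructed sample .git/config; host, user and password are made up.
SAMPLE_CONFIG = '''[remote "origin"]
    url = https://deploy:S3cretPass@git.example.com/acme/site.git
[remote "mirror"]
    url = git@git.example.com:acme/site.git
[credential]
    helper = store
'''

URL_LINE = re.compile(r"^\s*(?:url|pushurl)\s*=\s*(\S+)", re.I)
STORE_LINE = re.compile(r"^\s*helper\s*=\s*store\b", re.I)

def check_line(line):
    """Return (reason, redacted_value) for a risky config line, else None."""
    if STORE_LINE.match(line):
        return ("credential.helper=store keeps passwords in plaintext", "store")
    m = URL_LINE.match(line)
    parts = urlsplit(m.group(1)) if m else None
    if not parts or parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return None  # SSH remotes and credential-free URLs are fine
    reason = "password in remote URL" if parts.password else "user or token in remote URL"
    host = parts.netloc.rpartition("@")[2]  # drop everything before the '@'
    return (reason, "%s://***@%s%s" % (parts.scheme, host, parts.path))

def scan_tree(root):
    """Walk root and return (config_path, line_no, reason, redacted) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, line in enumerate(fh, 1):
                    hit = check_line(line)
                    if hit:
                        findings.append((path, n) + hit)
            dirnames[:] = []  # nothing else under .git needs reading
    return findings

def demo():
    """Write the sample config into a temporary repo layout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "site", ".git"))
        with open(os.path.join(root, "site", ".git", "config"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        return [(n, reason, red) for _, n, reason, red in scan_tree(root)]
```

Running `scan_tree` over a deployment directory such as a web root lists the clones whose credentials should be rotated and replaced with a deploy key.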

In fact, hackers invade GitHub from time to time. In 2018, the maintainer of the Gentoo Linux distribution released an incident report saying that someone had hijacked one of the organization's GitHub accounts and implanted malicious code. In April, the Docker Hub database suffered unauthorized access, exposing sensitive information about approximately 190000 users, including some user names and hashed passwords, as well as login tokens for GitHub and Bitbucket repositories. Currently, the GitHub tokens have been revoked and builds have been disabled.
