8f67d37c git bitcoin ransom

Git ransomware: beware the misdirection


Recently there has been a somewhat clumsy git-related ransomware making the rounds. In a nutshell, people have used single-factor passwords, or committed their passwords to other repos, or committed tokens in the clear, all of which has allowed some miscreant to come in and change their repo, asking for ransom. At this moment I see 326 hacked repos on Github.

What does this have to do with me you ask? Its sad those people might have to pay, or might not have a backup or something. But, I mean, its not me, right?

Let’s talk about misdirection. If I got the permission to change files in your repo, I might do it in a way you didn’t detect. Instead of delete all files and replace with a ‘send me your bitcoins ransom’, I might have instead made some ‘improvements’ to your files. Some backdoors maybe. And, since all software builds on other software, your downstream users would import this none the wiser. After all, it passes the unit tests, its from a trusted upstream, no warnings were around?

So, is this an iceberg-style problem? For every attack that we see there are 10 we don’t? Is this maybe just a clever misdirection, something to focus the media attention elsewhere? 326 repo were attacked for ransom, and 3260 were silently modified for greater profit?

Will you be the person that imports this code into your software, and runs it with full privilege in your cloud environment? Will it backhaul a lot of information back home from you? Or will you have an egress API gateway to prevent that?

Defence in depth. Layers. Cloud security. You need it. The media might not be right about the risk.