Hundreds of Gitlab, Atlassian Bitbucket and Github users have had their private code repositories wiped by unknown attackers who are demanding ransom to return access to the deleted material.
Gitlab has acknowledged the attacks, saying at least 131 users with 163 repositories were compromised. Not all of the repositories had ransom notes posted to them, with some simply being wiped, suggesting the automated attack script was buggy.
Others were accessed by the attackers but not modified. A search for the Bitcoin address used in the ransom note on Github produced 391 hits for repos on Saturday, a number that went down to 348 the day after.
Victims are given ten days to pay 0.1 Bitcoin to recover the data, and to avoid leaking the code.
By and large, the attack appears to have been unsuccessful. A lookup of the Bitcoin address used by the extortionists revealed a balance of 0.00052525 or approximately A$4.30.
Gitlab said it believes no data was lost, unless the owner did not have a local copy of the repository and only had a hosted version.
The hackers appear to have relied on a common misconfiguration in which they scan for and access cloned .git repositories that are insecurely hosted on users' internet-accessible servers.
Instead of using digital keys and two-factor authentication for their accounts, users who cached credentials in the .git locally cloned repositories had their Gitlab, Github and Bitbucket accounts accessed.
The attackers are not known, but they used a network registered in Ireland, Gitlab said.
