Telegram-Linked Gitloker Attacks Leave GitHub Repositories Compromised

Jun 7, 2024 | News





Hackers Target GitHub Repositories, Demand Ransom via Telegram

In a new wave of cyberattacks, malicious actors are targeting GitHub repositories, wiping their contents, and demanding that victims reach out via Telegram for more information. The campaign was first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp.

The attacker, who operates under the handle “Gitloker” on Telegram and poses as a cyber incident analyst, is believed to be using stolen credentials to compromise GitHub accounts. After gaining access, the attacker wipes the repository, claims to have stolen its data, and offers a backup to restore the deleted content. The repository is renamed and a README.me file is added instructing the victim to contact the attacker on Telegram.

The ransom note reads, “I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup.”

When contacted by BleepingComputer for more details on the extortion campaign, GitHub had no immediate comment.

Dozens of GitHub repos already impacted (BleepingComputer)


GitHub has previously recommended that users whose accounts may have been compromised change their password first, which cuts off the attacker's ability to take further actions such as adding new SSH keys, authorizing new apps, or modifying team members.

To further safeguard GitHub accounts and detect suspicious activity, users should:

  • Enable two-factor authentication.
  • Add a passkey for secure, passwordless login.
  • Review and revoke unauthorized SSH keys, deploy keys, and authorized integrations.
  • Verify all email addresses associated with the account.
  • Review the account security log for unexpected changes to repositories and settings.
  • Review the webhooks configured on each repository.
  • Check for and revoke any newly added deploy keys.
  • Regularly review recent commits and collaborators for each repository.
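As an added example (not code from the BleepingComputer report or from GitHub), the script below triages an exported account security log for the post-compromise actions listed above and checks whether a repository README matches the ransom note quoted earlier. The event layout (`action`, `actor`, `repo`, `actor_ip`, `created_at`), the action names in `SUSPICIOUS_ACTIONS`, the sample events and the trusted-IP set are all constructed assumptions; check the action names against the vocabulary in your own audit-log export before relying on them.

```python
"""Triage GitHub security-log events for Gitloker-style takeover indicators.

Added example, not part of the original article or GitHub's own tooling.
The event fields and action names below are assumptions modelled on GitHub's
audit-log export; verify them against a real export before use.
"""
import json
from datetime import datetime, timedelta, timezone

# Actions an attacker with stolen credentials typically takes: rename/wipe repos,
# plant persistence (keys, collaborators, webhooks, apps). Assumed action names.
SUSPICIOUS_ACTIONS = {
    "repo.rename": "repository renamed",
    "repo.destroy": "repository deleted",
    "public_key.create": "SSH key added to account",
    "repo.add_member": "collaborator added",
    "hook.create": "webhook created",
    "oauth_authorization.create": "OAuth app authorized",
    "integration_installation.create": "GitHub App installed",
}

# Phrases taken from the ransom note quoted in the article, plus the Telegram lure.
RANSOM_MARKERS = ("your data has been compromised", "secured a backup", "telegram")

# Constructed sample export: routine activity from a known IP on June 1, then a
# burst of persistence and rename actions from an unfamiliar IP on June 5.
SAMPLE_LOG = """\
{"action": "git.push", "actor": "alice", "repo": "alice/api", "actor_ip": "203.0.113.5", "created_at": "2024-06-01T09:12:00Z"}
{"action": "repo.rename", "actor": "alice", "repo": "alice/old-name", "actor_ip": "203.0.113.5", "created_at": "2024-06-01T09:30:00Z"}
{"action": "public_key.create", "actor": "alice", "repo": null, "actor_ip": "198.51.100.77", "created_at": "2024-06-05T02:41:10Z"}
{"action": "repo.rename", "actor": "alice", "repo": "alice/api", "actor_ip": "198.51.100.77", "created_at": "2024-06-05T02:43:55Z"}
{"action": "git.push", "actor": "alice", "repo": "alice/api", "actor_ip": "198.51.100.77", "created_at": "2024-06-05T02:44:30Z"}
{"action": "hook.create", "actor": "alice", "repo": "alice/api", "actor_ip": "198.51.100.77", "created_at": "2024-06-05T02:46:02Z"}
"""
KNOWN_IPS = {"203.0.113.5"}  # assumed: addresses the account owner normally uses


def parse_ts(s):
    """Parse the UTC timestamp format used in the sample export."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(jsonl):
    """Load one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage(events, known_ips, window=timedelta(minutes=15), burst=3):
    """Flag suspicious actions and detect a burst of them from one actor.

    Returns a dict with the individual findings (each marked unknown_ip when the
    source address is not in known_ips) and likely_takeover, which is True when
    `burst` or more suspicious actions fall within `window` of each other.
    """
    findings = []
    for e in sorted(events, key=lambda ev: ev["created_at"]):
        reason = SUSPICIOUS_ACTIONS.get(e["action"])
        if reason is None:
            continue
        findings.append({
            "at": e["created_at"],
            "actor": e["actor"],
            "repo": e.get("repo"),
            "reason": reason,
            "unknown_ip": e.get("actor_ip") not in known_ips,
        })
    times = [parse_ts(f["at"]) for f in findings]
    likely = any(
        times[i + burst - 1] - times[i] <= window
        for i in range(len(times) - burst + 1)
    )
    return {"findings": findings, "likely_takeover": likely}


def is_ransom_readme(text):
    """True when a README carries all the markers of the quoted Gitloker note."""
    lowered = text.lower()
    return all(marker in lowered for marker in RANSOM_MARKERS)


if __name__ == "__main__":
    result = triage(load_events(SAMPLE_LOG), KNOWN_IPS)
    for f in result["findings"]:
        flag = "UNKNOWN IP" if f["unknown_ip"] else "known IP"
        print(f'{f["at"]} {f["actor"]} {f["repo"]}: {f["reason"]} ({flag})')
    print("likely takeover:", result["likely_takeover"])
```

The burst rule is what separates a normal rename from a takeover: one rename from a familiar address is noise, while a new SSH key, a rename and a webhook within a few minutes from an address the owner has never used is the sequence described above. Run `is_ransom_readme` over the README of every repository that was renamed in the flagged window.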

This is not the first instance of GitHub accounts being compromised for data theft. In March 2020, hackers breached Microsoft’s GitHub account, stealing over 500GB of files from private repositories. While most of the stolen data consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.




A threat actor known as ShinyHunters later leaked the stolen data on a hacker forum for free after initially planning to sell it to the highest bidder.

In September 2022, GitHub warned of a phishing campaign that used fake CircleCI notifications to compromise user accounts. The phishing pages relayed stolen GitHub credentials and two-factor authentication codes to the real site in real time through a reverse proxy, so one-time codes did not protect the victims. After gaining access, the attackers swiftly exfiltrated data from private repositories and added new user accounts to maintain persistence in the compromised organizations.


Source: bleepingcomputer.com

