Gitloker (Gitlokers) – Threat Actor

January 23, 2025
in Threat Actors

Name: Gitloker
Other Names: Gitlokers
Location: Unknown
Date of initial activity: 2024
Government Affiliation: No
Motivation: Financial Gain

Overview

A new threat actor known as Gitloker has emerged, making headlines with a series of high-profile attacks on GitHub repositories. Operating under the pseudonym “Gitloker” on Telegram, this group has introduced a novel form of cyber extortion, targeting developers and organizations by erasing critical repository contents and demanding ransoms for the restoration of stolen data. The Gitloker campaign, first identified by Germán Fernández of CronUp, a Chilean cybersecurity firm, involves compromising GitHub accounts through stolen credentials. Once inside, the attackers delete repository contents, rename the affected repositories, and leave behind a README.md file containing a ransom note. This note instructs victims to contact Gitloker via Telegram for further information and to negotiate the terms of data recovery.

Common targets

Organisations in the information sector: GitHub repositories are compromised and erased, with a ransom demanded for their restoration.

Attack Vectors

Credential Stuffing

Phishing

How they operate

Gitloker’s operations begin with an initial access phase, primarily achieved through phishing attacks designed to harvest GitHub credentials. Victims are deceived into revealing their login details through deceptive communications, which Gitloker then uses to gain unauthorized access to their GitHub accounts. Once inside, the attackers use these credentials to manipulate accounts, often adding new users with administrative privileges to maintain persistent access if necessary.

The hallmark of Gitloker’s approach is its use of data destruction as the primary impact technique. Upon breaching a repository, the threat actor deletes its contents, rendering critical data inaccessible to the victim. The attackers then create a backup of the stolen data, rename the repository, and add a README.md file instructing victims to contact Gitloker via Telegram for recovery information. The extortion scheme uses the victim’s loss of access to valuable data as leverage to coerce payment of a ransom.

Gitloker’s activity maps to several MITRE techniques. Credential access is achieved through account manipulation, using stolen credentials to facilitate unauthorized access. Data exfiltration, though not explicitly documented, is inferred from their actions to take place over command and control channels before the data is destroyed; this ensures that the attackers hold a copy of the stolen data to use as leverage during the extortion phase.

In response to these attacks, GitHub has advised users to bolster their security measures. Recommendations include enabling two-factor authentication (2FA), reviewing and revoking unauthorized access, and monitoring account activity for suspicious changes. These steps are critical in mitigating the risk of such attacks and protecting against the potentially devastating consequences of data loss and extortion.
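The "monitor account activity for suspicious changes" recommendation above can be made concrete. The following detector is an added example (not from this page, GitHub, or the researchers cited) that flags the pattern described: one actor renaming or deleting several repositories in a short burst and granting admin access. The action names follow GitHub's audit-log naming, but the log lines, user names, 30-minute window and two-repository threshold are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Action names follow GitHub's audit-log naming (assumed); thresholds are assumptions.
SUSPICIOUS_ACTIONS = {"repo.rename", "repo.destroy", "repo.add_member"}
WINDOW = timedelta(minutes=30)   # a scripted wipe touches many repos quickly
MIN_REPOS = 2                    # distinct repos touched inside the window

# Constructed newline-delimited JSON sample; "alice" shows the Gitloker pattern.
SAMPLE_LOG = """
{"action": "repo.create", "actor": "ci-bot", "repo": "acme/tmp", "created_at": "2024-06-01T09:00:00Z"}
{"action": "repo.rename", "actor": "alice", "repo": "acme/payments", "created_at": "2024-06-01T10:00:00Z"}
{"action": "repo.rename", "actor": "alice", "repo": "acme/web", "created_at": "2024-06-01T10:02:00Z"}
{"action": "repo.add_member", "actor": "alice", "repo": "acme/web", "user": "m4llory", "permission": "admin", "created_at": "2024-06-01T10:03:00Z"}
{"action": "repo.rename", "actor": "alice", "repo": "acme/mobile", "created_at": "2024-06-01T10:05:00Z"}
{"action": "repo.rename", "actor": "bob", "repo": "acme/docs", "created_at": "2024-06-01T15:00:00Z"}
"""

def parse_events(raw):
    """Parse newline-delimited JSON audit events and sort them by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_suspects(events, window=WINDOW, min_repos=MIN_REPOS):
    """Return {actor: {"repos": [...], "admin_grants": [...]}} for every actor whose
    suspicious actions span at least min_repos distinct repositories within window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in SUSPICIOUS_ACTIONS:
            by_actor[ev["actor"]].append(ev)
    suspects = {}
    for actor, evs in by_actor.items():
        for i, first in enumerate(evs):          # slide the window over each start event
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            repos = {e["repo"] for e in burst}
            if len(repos) >= min_repos:
                grants = [e["user"] for e in burst
                          if e["action"] == "repo.add_member" and e.get("permission") == "admin"]
                suspects[actor] = {"repos": sorted(repos), "admin_grants": grants}
                break
    return suspects

if __name__ == "__main__":
    for actor, hit in find_suspects(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {actor}: touched {hit['repos']}, admin grants {hit['admin_grants']}")
```

A single rename by "bob" stays below the threshold, so only the burst from "alice" is reported; in practice the events would come from a GitHub organisation audit-log export rather than the inline sample.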

MITRE Tactics and Techniques

Initial Access
  • Phishing (T1566): Gitloker likely uses phishing to steal GitHub credentials, sending deceptive communications that trick users into providing sensitive information.
Credential Access
  • Account Manipulation (T1098): Gitloker may manipulate or compromise accounts using stolen credentials to gain unauthorized access to GitHub repositories.
Impact
  • Data Destruction (T1485): The primary technique used by Gitloker, deleting the contents of repositories and causing data loss for victims.
  • Data Encrypted for Impact (T1486): While Gitloker does not encrypt data, its actions leave data inaccessible to the victim, with an effect on availability similar to encryption.
Exfiltration
  • Exfiltration Over Command and Control Channel (T1041): Gitloker may exfiltrate data before deleting it from the repositories, potentially using a command and control channel to transfer it.
Persistence
  • Account Discovery (T1087): Gitloker might discover and enumerate accounts with access to the repositories to ensure they target valuable or high-profile accounts.
Command and Control
  • Communications Through Removable Media (T1200): Not documented for Gitloker specifically; if the group used physical media to transfer data or instructions, that would align with this technique.
References:
  • Gitloker software supply chain attack targets GitHub users
  • Phishing on GitHub through job offers to… developers
Tags: Cybersecurity, GitHub, Gitloker, Gitlokers, README, Telegram, Threat Actors