| Gitloker | |
| --- | --- |
| Other Names | Gitlokers |
| Location | Unknown |
| Date of initial activity | 2024 |
| Government Affiliation | No |
| Motivation | Financial Gain |
Overview
A new threat actor known as Gitloker has emerged, making headlines with a series of high-profile attacks on GitHub repositories. Operating under the pseudonym “Gitloker” on Telegram, this group has introduced a novel form of cyber extortion, targeting developers and organizations by erasing critical repository contents and demanding ransoms for the restoration of stolen data.
The Gitloker campaign, first identified by Germán Fernández of CronUp, a Chilean cybersecurity firm, involves compromising GitHub accounts through stolen credentials. Once inside, the attackers delete repository contents, rename the affected repositories, and leave behind a README.md file containing a ransom note. This note instructs victims to contact Gitloker via Telegram for further information and to negotiate the terms of data recovery.
Common targets
Various organisations in the Information sector: compromising and erasing GitHub repositories for ransom
Attack Vectors
Credential Stuffing
Phishing
How they operate
Gitloker’s operations begin with an initial access phase, primarily achieved through phishing attacks designed to harvest GitHub credentials. Victims are deceived into revealing their login details through deceptive communications, which Gitloker then exploits to gain unauthorized access to their GitHub accounts. Once inside, the attackers use these credentials to manipulate accounts, often adding new users with administrative privileges to maintain persistent access if necessary.
The hallmark of Gitloker’s approach is its use of data destruction as its primary impact technique. Upon breaching a repository, the threat actor deletes its contents, rendering critical data inaccessible to the victim. The data loss is compounded by the attackers’ subsequent actions: they keep a backup of the stolen data and then rename the repository. A README.md file is added to the repository, instructing victims to contact Gitloker via Telegram for recovery information. The extortion scheme uses the loss of access to valuable data as leverage to coerce victims into paying a ransom.
Gitloker’s activity maps onto several MITRE ATT&CK techniques. Credential access is achieved through account manipulation, using stolen credentials to facilitate unauthorized access. The exfiltration of data, though not explicitly documented, is inferred from their actions to be conducted via command and control channels before data destruction takes place. This exfiltration ensures that the attackers hold a copy of the stolen data to use as leverage during the extortion phase.
In response to these attacks, GitHub has advised users to bolster their security measures. Recommendations include enabling two-factor authentication (2FA), reviewing and revoking unauthorized access, and monitoring account activity for suspicious changes. These steps are critical in mitigating the risk of such attacks and protecting against the potentially devastating consequences of data loss and extortion.
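The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from GitHub or from the profile's source; it scores audit-log-style events per repository on the three indicators the profile describes (a forced push that rewrites history, a repository rename, and a new collaborator granted admin rights) and raises a finding when two or more occur within a short window. The event schema (`action`, `repo`, `repo_id`, `actor`, `created_at`, `forced`, `permission`) and the sample events are constructed for this example and are assumptions, not GitHub's verified audit-log format.

```python
"""Heuristic detection of a Gitloker-style repository takeover.

Added example: scores each repository on three indicators described in the
profile (history-rewriting forced push, repository rename, new admin
collaborator). Two or more inside a 60-minute window is reported.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=60)

# Constructed sample events. Field names and action strings are assumptions
# loosely modelled on GitHub audit-log entries, not a verified schema.
SAMPLE_EVENTS = [
    # Repo 2001: ordinary activity, should not be flagged.
    {"action": "repo.add_member", "repo": "acme/billing", "repo_id": 2001,
     "actor": "dev-alice", "created_at": "2024-06-05T09:00:00Z",
     "permission": "write", "user": "dev-carol"},
    {"action": "git.push", "repo": "acme/billing", "repo_id": 2001,
     "actor": "dev-alice", "created_at": "2024-06-05T09:15:00Z", "forced": False},
    # Repo 2002: stolen account "dev-bob" adds an admin, wipes history, renames.
    {"action": "repo.add_member", "repo": "acme/payments", "repo_id": 2002,
     "actor": "dev-bob", "created_at": "2024-06-06T02:00:00Z",
     "permission": "admin", "user": "recovery-ops"},
    {"action": "git.push", "repo": "acme/payments", "repo_id": 2002,
     "actor": "dev-bob", "created_at": "2024-06-06T02:07:00Z", "forced": True},
    {"action": "repo.rename", "repo": "acme/payments-RECOVERY", "repo_id": 2002,
     "actor": "dev-bob", "created_at": "2024-06-06T02:10:00Z",
     "old_name": "payments", "new_name": "payments-RECOVERY"},
    # Repo 2003: a lone forced push (a rebase) and a rename a day later;
    # neither is enough on its own at the default threshold.
    {"action": "git.push", "repo": "acme/website", "repo_id": 2003,
     "actor": "dev-dave", "created_at": "2024-06-05T14:00:00Z", "forced": True},
    {"action": "repo.rename", "repo": "acme/www", "repo_id": 2003,
     "actor": "dev-dave", "created_at": "2024-06-06T20:00:00Z",
     "old_name": "website", "new_name": "www"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def indicator(event):
    """Map one event to an indicator name, or None if it is not of interest."""
    action = event["action"]
    if action == "git.push" and event.get("forced"):
        return "forced_push"
    if action == "repo.rename":
        return "rename"
    if action == "repo.add_member" and event.get("permission") == "admin":
        return "new_admin"
    return None


def find_takeovers(events, window=WINDOW, threshold=2):
    """Return one finding per repository whose distinct indicators inside
    `window` reach `threshold`. Events are correlated by repo_id so that a
    rename does not break the chain."""
    by_repo = defaultdict(list)
    for event in events:
        kind = indicator(event)
        if kind:
            by_repo[event["repo_id"]].append((parse_ts(event["created_at"]), kind, event))

    findings = []
    for repo_id, items in by_repo.items():
        items.sort(key=lambda item: item[0])
        for start, _, _ in items:
            cluster = [item for item in items if start <= item[0] <= start + window]
            kinds = {item[1] for item in cluster}
            if len(kinds) >= threshold:
                findings.append({
                    "repo_id": repo_id,
                    "repo": cluster[-1][2]["repo"],          # name after any rename
                    "actors": sorted({item[2]["actor"] for item in cluster}),
                    "indicators": sorted(kinds),
                    "start": cluster[0][0].isoformat(),
                    "end": cluster[-1][0].isoformat(),
                })
                break  # one finding per repository is enough
    return findings


if __name__ == "__main__":
    for finding in find_takeovers(SAMPLE_EVENTS):
        print(finding)
```

The threshold is deliberately a count of distinct indicator kinds rather than of events, so a busy day of legitimate force-pushes on one branch does not trip it; a lower threshold trades that precision for earlier warning. Whatever the source, the same logic applies to any event stream that records pushes, renames and collaborator changes with a stable repository identifier.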
MITRE Tactics and Techniques
Initial Access
Phishing (T1566): Gitloker likely uses phishing methods to steal GitHub credentials. This technique involves sending deceptive communications to trick users into providing sensitive information.
Credential Access
Account Manipulation (T1098): Gitloker may manipulate or compromise accounts using stolen credentials to gain unauthorized access to GitHub repositories.
Impact
Data Destruction (T1485): The primary technique used by Gitloker involves deleting the contents of repositories, causing data loss for victims.
Data Encrypted for Impact (T1486): While not directly encrypting data, Gitloker’s actions result in data being inaccessible to the victim, effectively having a similar impact as encryption in terms of data availability.
Exfiltration
Exfiltration Over Command and Control Channel (T1041): Gitloker may exfiltrate data before deleting it from the repositories, potentially using a command and control channel to transfer data.
Persistence
Account Discovery (T1087): Gitloker might discover and enumerate accounts with access to the repositories to ensure they target valuable or high-profile accounts.
Command and Control
Communications Through Removable Media (T1200): Although not confirmed for Gitloker, if they use physical methods to transfer data or instructions, this could align with using removable media for command and control.