A recent surge in cyber reconnaissance has raised alarms across thousands of organizations. GreyNoise, a global threat intelligence platform, reported an unprecedented spike in attempts to access sensitive Git configuration files. On April 20-21, the number of unique IPs targeting these files surpassed 4,800, a significant increase compared to previous periods. This marks a disturbing trend, with attackers focusing on known vulnerabilities, such as CVE-2021-23263, that expose .git directories to unauthorized access.
The CVE-2021-23263 vulnerability in certain web server configurations allows attackers to download entire Git repositories, including sensitive data.
This includes configuration files, commit history, and embedded credentials that could lead to further exploitation. GreyNoise’s data shows that 95% of the IPs involved in these attacks are malicious. These attempts are not isolated, with a global distribution, particularly in Asia, with Singapore acting as both a key source and target of these activities.
Attackers are using large cloud service providers, such as Cloudflare, Amazon, and DigitalOcean, to scale their reconnaissance efforts.
The malicious IPs detected are predominantly hosted in these platforms, allowing threat actors to amplify their scanning capabilities. This marks the fourth and most significant spike in Git configuration file crawling since September 2024, showing increasing persistence and adaptability in attack strategies. Previous surges were much smaller, with only 3,000 unique IPs involved.
Exposing Git configuration files can result in severe consequences, such as the disclosure of private repositories, insider information, and developer credentials. A similar incident in 2024 exposed 15,000 credentials and led to the cloning of 10,000 private repositories. To prevent these attacks, organizations should ensure their .git directories are not accessible via the web, monitor server logs for unusual activity, and immediately rotate any exposed credentials. Blocking malicious IPs and securing these files must be a priority for those using Git for source code management.
