
Attack on a Red Hat GitLab instance hits 28,000 repos


Red Hat on Oct. 2 confirmed that it detected unauthorized access to a GitLab instance used for internal Red Hat Consulting activities.

In its Oct. 2 blog post, Red Hat said the compromised GitLab instance housed sensitive consulting engagement reports (CERs) containing project specifications, example code snippets, internal communications about consulting services and limited forms of business contact information.

Researchers at GitGuardian said that on Oct. 1 the cybercrime group "Crimson Collective" claimed to have exfiltrated 570 gigabytes of compressed data from more than 28,000 repositories.

Data was stolen from about 800 organizations across multiple vertical sectors, including Bank of America, Citi, and JPMorgan Chase in finance; telecoms Verizon, T-Mobile and AT&T; and the National Security Agency, the U.S. Navy, NIST, and the U.S. Senate in government. Others hit were the Mayo Clinic and Kaiser Permanente in healthcare, and Boeing, 3M, and Walmart.

Nick Kucharski, chief technology officer of Oso, said that while it is unclear how the attackers were able to gain access, the incident affected multiple customers.

“This speaks volumes as to how difficult it can be to limit the damage once you do have a compromise in your system,” said Kucharski. “It looks like the investigation is ongoing, so hopefully we’ll learn more about what happened and how to contain these types of issues in the future.”

Seema Ganoje, director of software engineering at Black Duck, said security teams are advised to assess any direct business relationships with Red Hat consulting, particularly regarding shared credentials or sensitive infrastructure information.

“Conduct a thorough audit of all credentials and dependencies, and immediately rotate any credentials, tokens, or SSH keys that may have been shared with GitLab through Red Hat consulting engagements,” said Ganoje.

Here are three ways teams can strengthen their security posture moving forward:

  • Reexamine integrations and prioritize short-lived credentials and application-based workflow identities over user credentials.
  • Enforce least-privilege policies and maintain comprehensive audit logging.
  • Regularly implement software bill of materials (SBOM) practices and dependency scanning.
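As an added example, not code from the article or from any organization it names, the following Python scanner illustrates the credential audit Ganoje recommends together with the first two points above: it walks engagement artifacts (such as the example code snippets CERs can contain), finds long-lived secrets by kind, redacts them, and produces a rotation inventory. The detection patterns, the artifact name and the sample report content are constructed for illustration and are not from the page.

```python
import re
from dataclasses import dataclass

# Hypothetical patterns for long-lived secrets that tend to end up in code
# snippets; "glpat-" is the GitLab PAT prefix, "AKIA" the AWS access key id prefix.
PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC) PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bauthorization:\s*bearer\s+([A-Za-z0-9._-]{16,})"),
}

@dataclass(frozen=True)
class Finding:
    source: str      # artifact the secret was found in
    line: int        # 1-based line number
    kind: str        # key of PATTERNS
    redacted: str    # prefix only, so the report is safe to circulate

def redact(value: str) -> str:
    return value[:6] + "..." if len(value) > 6 else "..."

def find_credentials(text: str, source: str) -> list[Finding]:
    """Scan one artifact line by line and return one Finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(source, lineno, kind, redact(value)))
    return findings

def rotation_inventory(artifacts: dict[str, str]) -> dict[str, int]:
    """Number of credentials to rotate, by kind, across all artifacts."""
    counts: dict[str, int] = {}
    for source, text in artifacts.items():
        for f in find_credentials(text, source):
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

# Constructed sample of a report snippet; every value here is fake.
SAMPLE_CER = """\
## Deployment notes (constructed example)
export GITLAB_TOKEN=glpat-EXAMPLEx0123456789ab
aws_access_key_id = AKIAEXAMPLE000000000
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed" https://api.example.test
-----BEGIN OPENSSH PRIVATE KEY-----
"""
```

Running `find_credentials(SAMPLE_CER, "cer-001.md")` yields one redacted finding per line 2 to 5, and `rotation_inventory` over several artifacts gives the per-kind count that drives the rotation work.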

Red Hat pointed out that the Crimson Collective incident was not related to the Sept. 28 attack on Red Hat’s OpenShift AI platform.
