SecurityWeek

Red Hat Confirms GitLab Instance Hack, Data Theft

Hackers claim to have stolen 28,000 private repositories, including data associated with major companies that use Red Hat services.

Red Hat on Thursday confirmed that one of its GitLab instances was hacked after a threat actor claimed to have stolen sensitive data belonging to the company and its customers. 

It was initially reported that the hackers had targeted a GitHub instance, but the enterprise software giant clarified that it was actually a GitLab instance, specifically one used by the Red Hat Consulting team. 

The hackers, calling themselves Crimson Collective, claimed to have stolen 570 Gb of compressed data from 28,000 private repositories. The obtained data allegedly includes source code, credentials, secrets, and configurations, as well as customer engagement reports (CERs).

The attackers also claimed to have used the compromised information to gain access to Red Hat customers’ infrastructure.

The hackers attempted to extort Red Hat, but based on information obtained by International Cyber Digest, their attempt failed and the company had very limited interaction with the attackers.

SOCRadar reported that the data of as many as 800 Red Hat customers was obtained by the hackers, including major companies such as IBM, Siemens, Verizon, Bosch, and US government organizations such as the Energy Department, NIST, and the NSA.

In a blog post published in response to the incident, Red Hat said the compromised GitLab instance has been used for “internal Red Hat Consulting collaboration in select engagements”.

“Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities,” Red Hat said, adding, “Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.”

Red Hat has not addressed the claims about customers’ infrastructure being accessed by the hackers, but it’s not uncommon for extortion groups to make exaggerated claims in an effort to pressure victims into paying up. 

The software giant confirmed that the compromised GitLab instance stored data such as example code snippets, project specifications, and internal communications pertaining to consulting services. However, the instance does not typically store any sensitive personal information and to date Red Hat has found no evidence of such data being exposed.

“At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain,” Red Hat told SecurityWeek in an emailed statement.

Industry observers have questioned whether the incident was in any way related to a recently disclosed Red Hat OpenShift AI service vulnerability that allows a low-privileged attacker to escalate privileges to full cluster administrator. Red Hat has clarified that the data breach is not related to the flaw.

UPDATE: GitLab has provided the following statement to SecurityWeek:

There has been no breach of GitLab’s managed systems or infrastructure. GitLab remains secure and unaffected.

The incident refers to Red Hat’s self-managed instance of GitLab Community Edition, our free open-core offering. Customers who deploy free, self-managed instances on their own infrastructure are responsible for securing their instances, including applying security patches, configuring access controls, and maintenance.

GitLab encourages all self-managed customers to update to the latest version of GitLab and follow all security recommendations and best practices to secure their instances. Users can find security resources and guidance in our Handbook:

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
