Red Hat breach escalates as criminals collaborate on 'multi-TB' extortion plot


Red Hat's breach nightmare just got worse, as the Crimson Collective crew that claims to have ransacked its GitLab repos has joined forces with the ShinyHunters-linked "Scattered Lapsus$ Hunters" gang to turn the screw with a full-blown extortion campaign.


The trouble began last week when a criminal group calling itself the Crimson Collective claimed it had copied around 570 GB of compressed data from a GitLab environment used by Red Hat's consulting arm, allegedly including some 28,000 internal repositories and hundreds of Customer Engagement Reports (CERs) that contain detailed infrastructure diagrams, configuration files, and, in places, secrets such as access tokens. 

In messages seen by The Register, the group also said it found authentication tokens inside repos and reports, which it claimed to have already used to compromise downstream Red Hat customers. 

Red Hat last week confirmed to The Reg that the breach was related to a GitLab instance and said it had isolated the affected environment and launched an investigation. The attack did not target GitLab's own infrastructure, spokesperson Emily James stressed to El Reg, saying: "The incident refers to Red Hat's self-managed instance of GitLab Community Edition... Customers who deploy free, self-managed instances on their own infrastructure are responsible for securing their instances, including applying security patches, configuring access controls, and maintenance."

What initially looked like a standard extortion play escalated this week after the Crimson Collective crew announced it had joined forces with a Scattered Lapsus$/ShinyHunters syndicate to extort the IBM-owned open source giant.

"On the 4th April 1949 was created the so ... called NATO, but what if today's new alliance was bigger than that? But for a greater purpose, ruining corporations mind [sic]," the group said in Telegram messages seen by The Register. "What if Crimson's shininess extends even further away?"

A post on the newly launched Scattered Lapsus$ Hunters leak site, seen by The Register, threatens to publish a "multi terabyte of data haul of your most sensitive intellectual property" and accuses Red Hat of failing to safeguard what it claims are trade secrets and personal data, invoking GDPR and US state privacy laws. It also reckons Red Hat's doors were kicked in on September 13 – weeks before the company came clean about the break-in.

The crew claims more than 5,000 directories contain CONFIDENTIALITY.md files, and warns that the data implicates major private and public sector organizations.

The leak site sets a deadline, demanding that Red Hat contacts the extortionists by October 10 to "resolve this," and promising that, if it is paid, it will refrain from attacking Red Hat's customers directly. As always, the word of a criminal cannot be trusted.

Red Hat has not responded to The Reg's questions, but has tried to reassure customers by saying the incident affected "a specific GitLab environment used by Red Hat Consulting collaboration in select engagements." It also added that it has not seen evidence that the company's product build systems or hosted services were impacted. But the nature of CERs – often containing configuration details, authentication tokens, and remediation notes – means downstream risk to clients can be significant if those artifacts are genuine.
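The risk the article keeps returning to is credentials sitting in plain text inside consulting repos and Customer Engagement Reports, which the attackers say they reused against downstream customers. The check a consulting or platform team would want is a secret scan over those artifacts before they are committed or shared. The script below is an added example for this page, not code from Red Hat, GitLab or the attackers: it scans document text for well-known token formats and for generic `key=value` assignments, and filters the generic hits by placeholder and entropy checks so that `${VAR}` references and filler values are not reported. The sample CER and Ansible variables file are constructed; `AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder key and the other token values are fabricated to match public prefixes only.

```python
"""Find embedded credentials in repos and engagement reports.

Added example for this article, not Red Hat's, GitLab's or the attackers' code.
The sample documents are constructed; AKIAIOSFODNN7EXAMPLE is AWS's documented
placeholder key and the other token values are fabricated to match public formats.
"""
import math
import re
from collections import Counter

# Rule catalogue. Prefixed formats are high confidence on their own; the generic
# assignment rule is noisy, so its hits are filtered by placeholder and entropy checks.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b"),
    "github_pat": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b[a-z_]*(?:api[_-]?key|secret|token|password|passwd)\b"
        r"\s*[:=]\s*['\"]?([^\s'\"]{12,})"
    ),
}
# Values that are references to a vault/env var or obvious filler, not secrets.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "REPLACE", "CHANGEME")


def shannon_entropy(s):
    """Bits per character; random-looking secrets score well above prose or filler."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough of the value to locate it in the file, never the whole credential."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-2:]}"


def scan_text(text, source="<text>", min_entropy=3.0):
    """Return one finding per (line, rule); generic hits yield to specific rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line_hits = []
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment":
                    # Skip if a specific rule already fired on this line, or the value
                    # is a placeholder / low-entropy filler rather than a real secret.
                    if (line_hits
                            or value.upper().startswith(PLACEHOLDER_PREFIXES)
                            or shannon_entropy(value) < min_entropy):
                        continue
                line_hits.append({"source": source, "line": lineno,
                                  "rule": rule, "value": redact(value)})
        findings.extend(line_hits)
    return findings


# Constructed sample documents standing in for a CER and an automation repo file.
SAMPLES = {
    "cer/acme-openshift.md": "\n".join([
        "# Customer Engagement Report: ACME (constructed sample)",
        "Cluster API: https://api.ocp.acme.example:6443",
        "registry_password: ${REGISTRY_PASSWORD}",      # vault reference: not reported
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",      # AWS documented example key
        "gitlab token: glpat-FAKE0123456789abcdefgh",    # fabricated PAT-shaped value
        "admin_password: aaaaaaaaaaaaaaaa",              # low entropy: not reported
    ]),
    "ansible/group_vars/all.yml": "\n".join([
        "vault_addr: https://vault.acme.example",
        "vault_token: c8f1d0b7e3a94f2b9d6e5a1c7b3f8e2d",  # fabricated hex token
        "ssh_key: |",
        "  -----BEGIN OPENSSH PRIVATE KEY-----",
        "  b3BlbnNzaC1rZXktdjEAAAAA...",
    ]),
}


def scan_samples():
    """Scan every constructed sample and return the combined findings list."""
    return [f for path, text in SAMPLES.items() for f in scan_text(text, path)]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['source']}:{f['line']} {f['rule']} {f['value']}")
```

Run against the samples it reports four findings (the AWS key, the GitLab PAT, the hex `vault_token` and the private key header) and stays quiet on the `${REGISTRY_PASSWORD}` reference and the all-`a` filler. In a real engagement the same `scan_text` would be driven from a pre-commit hook or a CI job over the repo tree, and the redacted output is what you would put in a ticket; the entropy threshold and placeholder list are the knobs that trade false positives for misses.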

"These CERs clearly contain and include confidential business/company data (credentials, env vars, architecture, code, internal designs, things that would grant an unauthorised party access to your network), and Red Hat failed to adequately protect them, you failed to preserve the secrecy of these trade secrets, as it was your utmost responsibility," Scattered Lapsus$ Hunters writes on its leak site, where it has also shared samples of what it claims is the stolen data.

Whether Red Hat will negotiate, pay, or fight an extended public leak remains to be seen, but the public-facing partnership between Crimson Collective and the ShinyHunters affiliate shows extortion gangs are becoming more collaborative and, arguably, more dangerous. ®
