{
	"id": "2ed1bdad-84a0-41c6-abb0-6e05ca6193ff",
	"created_at": "2026-04-06T00:17:01.309787Z",
	"updated_at": "2026-04-10T13:12:50.66816Z",
	"deleted_at": null,
	"sha1_hash": "2545d05582bb09ed337ad9ceda0cc6b10d3391a4",
	"title": "Guest Blog: Ox Security on learning from the Recent GitHub Extortion Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42666,
	"plain_text": "Guest Blog: Ox Security on learning from the Recent GitHub\r\nExtortion Campaigns\r\nBy The Gurus\r\nPublished: 2024-06-13 · Archived: 2026-04-05 14:34:31 UTC\r\nA new threat actor group known as Gitloker has launched an alarming campaign that wipes victims’ GitHub\r\nrepositories and attempts to extort them. Victims are finding their repositories erased, replaced only by a solitary\r\nREADME file bearing the message: “I hope this message finds you well. This is an urgent notice to inform you\r\nthat your data has been compromised, and we have secured a backup.” This note is followed by instructions to\r\ncontact the attackers via Telegram to negotiate the return of their data.\r\nThese attackers appear to be using the stolen GitHub credentials of users who have not enabled two-factor\r\nauthentication (2FA). Over recent months, GitHub-related security incidents have increased. GitHub, along with\r\nGitLab and other popular development platforms, has increasingly become a prime target for threat actors, given\r\nthe sensitivity of the data created and stored there. These platforms are exploited under the strategy known as\r\nLOTS (Living Off Trusted Sites), where attackers leverage the credibility of well-known sites to carry out their\r\nmalicious activities.\r\nMonitor Access Controls for Safer Dev Environments\r\nThese attacks are far from isolated events; they’re part of a broader and troubling trend. Our data shows that\r\nbetween 93% and 97% of OX Security users have activated two-factor authentication (2FA), which helps keep accounts,\r\ndata, and secrets private. But looking at 2FA use in isolation doesn’t tell the whole story; according to the 2024\r\nVerizon Data Breach Investigations Report (DBIR), 61% of breaches involve stolen credentials—including\r\nbreaches on GitHub/GitLab and Bitbucket. 
While large businesses are more likely to deploy and require\r\n2FA/MFA, data from the Cyber Readiness Institute shows that only 54% of SMBs do not implement MFA and\r\nonly 28% of SMBs require it. This missing control leaves businesses’ repositories vulnerable.\r\nWhat’s more, we know that breaches, especially those involving credentials, are increasing. The Gitloker\r\ncampaign is just one glaring example. And it shows that, when it comes to your code and your secrets, one set of\r\ncompromised credentials could expose thousands (if not millions) of data points. One set of compromised\r\ncredentials could lead to millions of lines of lost code, productivity, and competitive advantage.\r\nThis trend highlights a critical vulnerability within the software development community: the reliance on\r\ncentralized systems that are often not sufficiently secured. These platforms are integral to developers’ daily\r\noperations, making them prime targets for cyber adversaries. To counteract such threats, organizations must adopt\r\na proactive approach to security, ensuring these essential systems are well-protected.\r\nUnderstanding the New Attack Methods\r\nhttps://www.itsecurityguru.org/2024/06/13/guest-blog-proactive-application-security-learning-from-the-recent-github-extortion-campaigns/\r\nPage 1 of 2\n\nThe methods used in these scenarios are diverse and growing more complex, encompassing tactics from simple\r\nrepository wipes to sophisticated extortion campaigns. Also, the frequency of these attacks is on the rise, which\r\nmakes management and response efforts more challenging. Adversaries are consistently employing tried-and-true\r\nmethods of social engineering to gain personal and professional information or manipulate individuals into\r\ngranting access to sensitive systems.\r\nThe industry has recently witnessed a marked increase in “man-in-the-middle” attacks, in which attackers\r\nintercept and manipulate ongoing transactions and data transfers. 
Further, supply chain attacks are becoming more\r\ncommon, since a single compromised component can affect entire networks of dependencies. These incidents\r\nunderscore the need for organizations to adopt a holistic and layered approach to security, emphasizing continuous\r\nmonitoring, employee training, and the adoption of cutting-edge security technologies.\r\nBacking Up Repository Data: Who’s Responsible?\r\nWhen it comes to protecting GitHub data, it is crucial to understand who is responsible for creating backups.\r\nGitHub’s built-in features may not be adequate for restoring older versions, especially during major data loss\r\nincidents. It’s advisable for organizations to implement their own backup solutions that can capture daily\r\nsnapshots of repositories and securely store them across multiple locations. This dual approach not only provides\r\nredundancy but also ensures that backups remain accessible even if the primary cloud service is compromised.\r\nThe decision between using GitHub’s backup capabilities and managing your own comes down to control,\r\ncompliance, and risk management. Organizations, particularly those dealing with sensitive or regulatory-bound\r\ndata, should consider third-party backups essential. The backup process can be automated and integrated into the\r\ndevelopment workflow, ensuring that even in the event of a breach, recovery will be swift and complete,\r\nminimizing downtime and loss while limiting cumbersome manual processes.\r\nBy understanding and implementing backup strategies, companies can protect themselves against the most\r\ncatastrophic outcomes of cyber attacks, ensuring business continuity and safeguarding their valuable intellectual\r\nproperty.\r\nMoving Forward\r\nThe reality is, GitHub-related attacks are evolving, but so are our methods to combat them. 
The Gitloker extortion\r\ncampaign is a poignant reminder of the vulnerabilities inherent in relying on single-factor authentication and\r\ncentralized systems. As attackers refine their strategies and broaden their targets, the potential damage from\r\ncompromised credentials and data breaches could be devastating.\r\nTo effectively combat these threats, organizations must enforce stringent security protocols, including the\r\nwidespread adoption of multi-factor authentication and regular audits of access controls. Additionally, the\r\nimplementation of comprehensive backup solutions, continuous monitoring and access reviews is paramount to\r\nensure that sensitive data remains protected across all fronts.\r\nSource: https://www.itsecurityguru.org/2024/06/13/guest-blog-proactive-application-security-learning-from-the-recent-github-extortion-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.itsecurityguru.org/2024/06/13/guest-blog-proactive-application-security-learning-from-the-recent-github-extortion-campaigns/"
	],
	"report_names": [
		"guest-blog-proactive-application-security-learning-from-the-recent-github-extortion-campaigns"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "821742ae-a498-49cd-8895-742c244c2552",
			"created_at": "2024-06-19T02:00:04.371571Z",
			"updated_at": "2026-04-10T02:00:03.650796Z",
			"deleted_at": null,
			"main_name": "Gitloker",
			"aliases": [],
			"source_name": "MISPGALAXY:Gitloker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2545d05582bb09ed337ad9ceda0cc6b10d3391a4.pdf",
		"text": "https://archive.orkl.eu/2545d05582bb09ed337ad9ceda0cc6b10d3391a4.txt",
		"img": "https://archive.orkl.eu/2545d05582bb09ed337ad9ceda0cc6b10d3391a4.jpg"
	}
}