Linux distribution Gentoo has had its GitHub mirror broken into and taken over, with GitHub pages changed and ebuilds replaced.
In an alert, Gentoo said the attacker gained control of the Gentoo GitHub organization on June 28 at 20:20.
“All Gentoo code hosted on github should for the moment be considered compromised,” the alert said.
Gentoo said its own infrastructure was considered safe, and that users who sync via rsync or webrsync from Gentoo.org should be OK.
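For readers who want to confirm that their own machines sync from Gentoo's infrastructure rather than from the GitHub mirror, the following added example (not from the article, and not Gentoo's own code) audits a Portage repos.conf in Python. The weak and hardened fragments are constructed for the example; the option names are Portage's documented repos.conf keys, and the key path is the one Gentoo's openpgp-keys-gentoo-release package installs, which you should confirm on your own system. The checker deliberately demands an explicit verification setting rather than relying on Portage's defaults.

```python
import configparser
from urllib.parse import urlparse

# Constructed repos.conf fragment: syncs straight from the GitHub mirror
# with no signature or MetaManifest verification (not a real Gentoo file).
WEAK_REPOS_CONF = """\
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
auto-sync = yes
"""

# Constructed hardened fragment: rsync from gentoo.org with MetaManifest
# verification against the Gentoo release key (path assumed; check locally).
HARDENED_REPOS_CONF = """\
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
auto-sync = yes
sync-rsync-verify-metamanifest = yes
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
"""

TRUSTED_SYNC_DOMAIN = "gentoo.org"


def _is_trusted_host(uri):
    """True only for gentoo.org itself or a subdomain of it (not a look-alike)."""
    host = (urlparse(uri).hostname or "").lower()
    return host == TRUSTED_SYNC_DOMAIN or host.endswith("." + TRUSTED_SYNC_DOMAIN)


def _enabled(section, key):
    """Treat the option as enabled only when it is explicitly set to yes/true."""
    return section.get(key, "").strip().lower() in ("yes", "true")


def audit_repos_conf(text):
    """Return {repo_name: [finding, ...]} for every synced repository whose
    settings would pull unverified content from an untrusted mirror."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for name in parser.sections():
        repo = parser[name]
        sync_type = repo.get("sync-type", "").strip().lower()
        if not sync_type:
            continue  # repository is not synced by emerge --sync
        issues = []
        sync_uri = repo.get("sync-uri", "").strip()
        if not _is_trusted_host(sync_uri):
            issues.append(f"sync-uri host is not under {TRUSTED_SYNC_DOMAIN}: {sync_uri}")
        if sync_type == "rsync" and not _enabled(repo, "sync-rsync-verify-metamanifest"):
            issues.append("rsync sync without sync-rsync-verify-metamanifest = yes")
        elif sync_type == "git" and not _enabled(repo, "sync-git-verify-commit-signature"):
            issues.append("git sync without sync-git-verify-commit-signature = yes")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_REPOS_CONF), ("hardened", HARDENED_REPOS_CONF)):
        print(label, audit_repos_conf(conf) or "no findings")
```

To audit a live system, read `/etc/portage/repos.conf/gentoo.conf` (and any other files in that directory) into `audit_repos_conf`; a non-empty result for the `gentoo` repository means the tree would have been consumed from a mirror without the verification Gentoo's own rsync path provides.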
Quick action from Gentoo and Github put an end to the attack in about 70 minutes, but not before the attacker was able to modify repository and page content.
In a post on the gentoo-dev list, Gentoo developer Francisco Blas Izquierdo Riera wrote:
“I just want to notify that an attacker has taken control of the Gentoo organization in Github and has among other things replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files.
“Whilst the malicious code shouldn’t work as is and GitHub has now removed the organisation, please don’t use any ebuild from the GitHub mirror obtained before 28/06/2018, 18:00 GMT until new warning.”
Gentoo has since determined the cause and impact of the attack, which saw the distribution locked out of its GitHub organization, and has released an incident report. The report says:
An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content.
The attack took place on June 28 and left Gentoo unable to use GitHub for approximately five days. Because two-factor authentication was not required, once the attacker guessed an admin’s password the organization was in trouble.
Gentoo now has a requirement for two-factor authentication to join its GitHub organization.
Once the attacker gained access, Gentoo said it was lucky the attack was loud: removing all other developers caused them to be emailed, whereas a quieter attacker could have lurked for longer. The report added that by force pushing commits that attempted to remove all files, the attacker made “downstream consumption more conspicuous”.
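The report's point about force pushes is one a downstream mirror consumer can check for mechanically: a legitimate update moves a branch forward to a commit that has the old tip as an ancestor, while a rewritten history does not. The following added example (not from the article or the report, and not Gentoo's tooling) performs that non-fast-forward test in pure Python over a constructed commit graph with fake short hashes, so it runs without git; the same test is what `git fetch` applies when it reports a “(forced update)”.

```python
from collections import deque

# Constructed commit graph, child -> parents (fake short ids, not real Gentoo commits).
COMMIT_PARENTS = {
    "a1": [],
    "b2": ["a1"],
    "c3": ["b2"],
    "d4": ["c3"],   # honest commit built on top of c3
    "x9": ["a1"],   # rewritten history branching off a1, discarding b2..c3
}


def is_ancestor(parents, ancestor, descendant):
    """True if `ancestor` is reachable from `descendant` via parent links."""
    seen = set()
    queue = deque([descendant])
    while queue:
        sha = queue.popleft()
        if sha == ancestor:
            return True
        if sha in seen:
            continue
        seen.add(sha)
        queue.extend(parents.get(sha, []))
    return False


def classify_ref_updates(parents, old_refs, new_refs):
    """Compare a previously recorded ref snapshot with a freshly fetched one.

    Returns {ref: kind} where kind is one of created, deleted, unchanged,
    fast-forward or history-rewritten (the non-fast-forward case).
    """
    result = {}
    for ref in set(old_refs) | set(new_refs):
        old, new = old_refs.get(ref), new_refs.get(ref)
        if old is None:
            result[ref] = "created"
        elif new is None:
            result[ref] = "deleted"
        elif old == new:
            result[ref] = "unchanged"
        elif is_ancestor(parents, old, new):
            result[ref] = "fast-forward"
        else:
            result[ref] = "history-rewritten"
    return result


def suspicious_updates(parents, old_refs, new_refs):
    """Refs a mirror consumer should refuse to consume automatically:
    rewritten histories and branch deletions."""
    kinds = classify_ref_updates(parents, old_refs, new_refs)
    return sorted(ref for ref, kind in kinds.items()
                  if kind in ("history-rewritten", "deleted"))


if __name__ == "__main__":
    # Constructed snapshots: what the mirror advertised before and after an update.
    before = {"refs/heads/master": "c3", "refs/heads/stable": "b2", "refs/heads/musl": "b2"}
    after = {"refs/heads/master": "x9", "refs/heads/stable": "d4"}
    for ref, kind in sorted(classify_ref_updates(COMMIT_PARENTS, before, after).items()):
        print(f"{ref}: {kind}")
    print("refuse:", suspicious_updates(COMMIT_PARENTS, before, after))
```

In practice the snapshots would come from `git ls-remote` before and after a fetch and the parent map from `git rev-list --parents`; the decision logic is unchanged. A consumer that halts on any `history-rewritten` or `deleted` result turns the loud, file-deleting force push the report describes into an automatic stop rather than a surprise.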
The report said Gentoo maintains its own infrastructure, and only uses GitHub to be closer to contributors.
“We do not believe the private keys of the account impacted were at risk, and so the Gentoo-hosted infrastructure was not impacted by this incident,” the report added.
Gentoo has now regained access to its GitHub organization and everything is back to normal, but the incident shows what can happen when strong passwords are not paired with two-step verification. Two-step verification is a necessity in today’s tech world: anything can be hacked, so be prepared.