Red Hat

Red Hat is investigating a security breach of a self-managed **GitLab Community Edition** instance used exclusively by **Red Hat Consulting**. The attack, claimed by the hacker group **Crimson Collective**, resulted in the theft of **~570 GB of data** from **28,000 internal projects**, including **800 Customer Engagement Reports (CERs)**. The CERs contained sensitive details such as **infrastructure configurations, authentication keys, and database URIs**, which the attackers claim to have used to access downstream customer systems (e.g., **Bank of America, T-Mobile, AT&T, Fidelity, Walmart**); those downstream intrusions remain the group's own claims. The breach reportedly occurred **~two weeks before it was made public (late September 2025)**, with the attackers publishing **directory listings of the stolen repositories and CERs (dated 2020–2025)** on Telegram. Red Hat isolated the compromised instance, revoked the attackers' access, and reported the incident to authorities. Red Hat states it has found no impact on its **software supply chain** or other services; the attackers say they attempted to **extort the company** but received only a generic vulnerability-reporting template in reply. The same group also vandalized **Nintendo's topic page** around the same time, suggesting broader malicious activity.

Source: https://www.techzine.eu/news/security/135120/what-we-know-so-far-about-red-hats-gitlab-instance-breach/

TPRM report: https://www.rankiteo.com/company/red-hat

"id": "red3233032100325",
"linkid": "red-hat",
"type": "Breach",
"date": "6/2020",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
```json
{
  "affected_entities": [
    {
      "customers_affected": [
        "Bank of America",
        "T-Mobile",
        "AT&T",
        "Fidelity",
        "Walmart",
        "Other Organizations in CERs (2020–2025)"
      ],
      "industry": "Software/Open-Source Solutions",
      "location": "Global (HQ: Raleigh, North Carolina, USA)",
      "name": "Red Hat (IBM Subsidiary)",
      "size": "Large Enterprise",
      "type": "Technology Company"
    },
    {
      "location": "Global",
      "name": "Customers Listed in CERs",
      "type": ["Financial Services", "Telecommunications", "Retail", "Technology"]
    }
  ],
  "attack_vector": [
    "Compromised Self-Managed GitLab Instance",
    "Exploited Authentication Keys/Database URIs in Code/CERs"
  ],
  "customer_advisories": [
    "Potential Risk to Customer Infrastructure via Exposed Keys/URIs in CERs"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["Repository Code", "PDF/Document Files (CERs)", "Configuration Files"],
    "number_of_records_exposed": ["28,000 Internal Projects", "800 CERs"],
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (Includes PII, Credentials, and Customer Infrastructure Details)",
    "type_of_data_compromised": [
      "Source Code",
      "Customer Engagement Reports (CERs)",
      "Authentication Keys",
      "Database URIs",
      "Infrastructure Configurations"
    ]
  },
  "date_detected": "2025-10-02T17:30:00 CEST (approximate, based on correction issuance)",
  "date_publicly_disclosed": "2025-10-03",
  "description": "Red Hat is investigating a security incident involving a self-managed GitLab Community Edition instance used solely for Red Hat Consulting. Hackers calling themselves Crimson Collective claim to have stolen data from 28,000 internal Red Hat projects (570 GB) and 800 Customer Engagement Reports (CERs), which may contain sensitive customer information such as infrastructure details, authentication keys, and configuration data. The breach reportedly occurred about two weeks prior to public disclosure on October 3, 2025. Red Hat acted immediately to isolate the instance and report the incident to authorities. The investigation remains ongoing.",
  "impact": {
    "brand_reputation_impact": [
      "Potential Erosion of Trust (High-Profile Customers Affected)",
      "Media Coverage of Breach"
    ],
    "data_compromised": [
      "Internal Project Data (28,000 projects, ~570 GB)",
      "Customer Engagement Reports (800 CERs, 2020–2025)",
      "Authentication Keys",
      "Database URIs",
      "Infrastructure Details",
      "Configuration Data"
    ],
    "identity_theft_risk": ["High (PII/Authentication Keys in CERs)"],
    "operational_impact": [
      "Isolation of Affected GitLab Instance",
      "Ongoing Investigation",
      "Potential Customer Infrastructure Risks"
    ],
    "systems_affected": ["Self-Managed GitLab Community Edition Instance (Red Hat Consulting)"]
  },
  "initial_access_broker": {
    "entry_point": "Self-Managed GitLab Community Edition Instance",
    "high_value_targets": ["Customer Engagement Reports (CERs)", "Authentication Keys", "Database URIs"],
    "reconnaissance_period": "Approximately 2 Weeks (Prior to Detection)"
  },
  "investigation_status": "Ongoing",
  "motivation": ["Data Theft", "Extortion", "Potential Downstream Attacks on Customers"],
  "ransomware": {
    "data_exfiltration": true,
    "ransom_demanded": ["Extortion Attempt (No Specific Amount Disclosed)"]
  },
  "recommendations": [
    "Update Self-Managed GitLab Instances to Latest Version (GitLab Advisory)",
    "Apply Security Patches Promptly",
    "Harden Access Controls (GitLab Handbook Guidelines)",
    "Avoid Storing Credentials/Keys in Repositories",
    "Monitor for Downstream Attacks Leveraging Stolen Data"
  ],
  "references": [
    {"date_accessed": "2025-10-03", "source": "Red Hat Blog Post"},
    {"date_accessed": "2025-10-03", "source": "BleepingComputer"},
    {"date_accessed": "2025-10-03", "source": "GitLab Security Handbook", "url": "https://about.gitlab.com/security/hardening/"},
    {"date_accessed": "2025-10-03", "source": "Telegram (Crimson Collective Leaks)"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": ["Authorities Notified (Specific Agencies Not Named)"]
  },
  "response": {
    "communication_strategy": [
      "Public Blog Post (2025-10-03)",
      "Correction Statement (2025-10-02)",
      "No Further Comments During Investigation"
    ],
    "containment_measures": ["Immediate Isolation of GitLab Instance", "Termination of Attacker Access"],
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true
  },
  "stakeholder_advisories": [
    "No Evidence Other Red Hat Services/Products Affected",
    "Confidence in Software Supply Chain Integrity"
  ],
  "threat_actor": "Crimson Collective",
  "title": "Red Hat Security Incident Involving Self-Managed GitLab Instance",
  "type": ["Data Breach", "Unauthorized Access", "Extortion Attempt"],
  "vulnerability_exploited": [
    "Unpatched Self-Managed GitLab Community Edition (Unconfirmed; initial access vector not disclosed by Red Hat)",
    "Misconfigured Access Controls (Unconfirmed)",
    "Exposed Credentials in Repositories/CERs"
  ]
}
```