Gentoo provided a new security update that describes the impact and root cause of its recent GitHub Linux distribution repository hacking incident.
The Gentoo GitHub Organization attributed the root cause as follows:
“The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages.”
Gentoo provided a detailed timeline of the attack that occurred on June 28th.
One of the most obvious safeguards that could have helped protect admin accounts from the password compromise was two-factor authentication (2FA).
The attack began with the attacker making password attempts to guess an administrator password. Without any 2FA, the attacker was quickly able to gain access to the admin account within the same minute.
The attacker then invited a dummy account to the organization and created a dummy admin account within six minutes after the initial admin account compromise.
Gentoo mentioned they were “lucky” from the standpoint the attackers were “loud” in how they removed valid users:
“The attack was loud; removing all developers caused everyone to get emailed. Given the credential taken, its likely a quieter attack would have provided a longer opportunity window.”
Once an administrative foothold was obtained, the attackers then proceeded to make various malicious changes to GitHub content. Several abuse reports were submitted to GitHub support, who then proceeded to respond to the incident, freeze the Gentoo GitHub Organization and lock out the suspected entry point.
GitHub also formally provided security audit logs and security recommendations (e.g., 2FA), nearly three and a half hours after the attack began. Additional remediation activities continued through the next day on the 29th.
A number of solid action items were provided to improve security going forward, such as:
Access Controls and Password Management
- Enforce 2FA to join new accounts to org.
- Enforce 2FA on all accounts that have privileged/administrative access and general users as well.
- Remove inactive users and unused access.
- Use password managers for admin passwords.
- Publish clear password policy for the organization.
- Rotate credentials for accounts (to include compromised accounts).
- Reduce number of people with GitHub owner power.
Incident response and monitoring
- Document an incident plan for communications.
- Centralized audit logs for system and privileged activity (to include compromised accounts).
- Make frequent offline backups of data (to include GitHub configuration settings).
On Tuesday July 3rd, GitHub unlocked Gentoo GitHub Organization, making the repository publicly visible once again on the same day.
The results of the investigation were posted by Gentoo (last updated as of this writing on July 5th).