The Crimson Collective, an emerging extortion/hacking group, has made a bombshell claim on their Telegram channel: they have gained access to Red Hat’s GitHub and have exfiltrated data from over 28,000 internal repositories connected to the company’s consulting business.
What data was allegedly compromised?
Red Hat is the U.S.-based open-source enterprise software company known for providing Linux, cloud, container, and automation platforms for enterprises.
Its professional services arm – Red Hat Consulting – helps organizations plan, deploy, and optimize open-source-based IT solutions and teaches customers’ internal teams how to maintain their IT infrastructure.
Crimson Collective claims to have pilfered repositories related to Red Hat Consulting, which contain credentials, CI/CD secrets, pipeline and container registry configurations, VPN profiles, infrastructure blueprints, Ansible (automation) playbooks, OpenShift (cluster) install blueprints, and so on.
“The file tree includes thousands of repositories referencing major banks, telecoms, airlines, and public-sector organizations, such as Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Merrick Bank, Telstra, Telefonica, and even mentions the U.S. Senate…” the International Cyber Digest X account pointed out.
“Over 28000 repositories were exported, it includes all their customer’s [engagement reports] and analysis of their [infrastructure] + their other [developers’] private repositories, this one will be fun,” Crimson Collective stated, and also claimed to have already gained access to some of Red Hat Consulting customers’ infrastructure:
Screenshot of Crimson Collective’s claims on Telegram (Source: Kevin Beaumont)
The list of the allegedly stolen customer engagement reports (CERs) also includes many high-profile organizations across the globe: Bank of America, Carrefour, Lumen, Samsung, Bank of Canada, Novonordisk, PepsiCo, Intelsat, Accenture, Boeing, and others, as well as government entities like the US Department of Homeland Security.
What now?
Crimson Collective says that they tried to contact Red Hat to present their ransom demand but that they received only an automatic reply from the Red Hat Information Security Team telling them to submit a vulnerability report.
We’ve reached out to Red Hat with questions, but have yet to hear back from them. The company has told BleepingComputer that they are looking into the report of the security incident and have “initiated necessary remediation steps.”
They also said that they currently have no reason to believe that this issue had an impact on other Red Hat services or products and that they are “highly confident” in the integrity of their software supply chain.