Red Hat Data Breach Intensifies as ShinyHunters Enters Extortion Efforts


Red Hat, a prominent player in the enterprise software sector, is currently facing extortion threats from a hacking group known as ShinyHunters. The group has made headlines after leaking portions of stolen Customer Engagement Reports (CERs) on a data leak platform. These reports contain sensitive information that could jeopardize the security of customers’ networks and infrastructure.

Last week, news emerged about a significant data breach confirmed by Red Hat, wherein a hacking collective named the Crimson Collective claimed to have infiltrated the company’s GitLab instance and stolen nearly 570GB of compressed data from over 28,000 internal development repositories. According to their disclosures, this data set purportedly contains around 800 CERs, potentially exposing critical business insights and private customer information.

The attackers have openly stated their intent to extort Red Hat, demanding a ransom in exchange for withholding the stolen data. After receiving no response from the company, they escalated their threats. Red Hat acknowledged the breach and clarified that the compromised GitLab instance was used exclusively by Red Hat Consulting.

In a recent development, the Crimson Collective teamed up with another group, referred to as Scattered Lapsus$ Hunters, in a joint extortion campaign against Red Hat. The partnership was announced in a post on the group's Telegram channel, which hinted at a broader agenda targeting corporate entities and likened the partnership to NATO, framing it as an alliance aimed at undermining corporations through data theft.

As part of their extortion strategy, an entry for Red Hat has now appeared on the ShinyHunters leak site, warning the company that the stolen data will be published unless a ransom agreement is negotiated before the stated deadline of October 10. The attackers have also released samples of stolen CERs for major clients such as Walmart, HSBC, and American Express, heightening concerns about the potential fallout from this breach.

The initial access vector has not been confirmed; commentators have speculated that the attackers exploited a weakness in the GitLab instance itself. Whatever the entry point, the intrusion follows a familiar MITRE ATT&CK sequence of initial access, collection, and bulk exfiltration, and the breach is prompting businesses to re-evaluate their defences, particularly around self-hosted source-control systems that hold customer data.

ShinyHunters appears to operate under an extortion-as-a-service model: the group collaborates with various threat actors and takes a percentage of the extortion proceeds, much as ransomware-as-a-service operations do. Conversations with threat actors affiliated with ShinyHunters reinforce the view that the group also acts as a broker for stolen data, further complicating the cybercrime landscape.

With its latest activities targeting not only Red Hat but also S&P Global, ShinyHunters continues to pressure multiple corporations, claiming past breaches and threatening further disclosures. S&P Global has publicly dismissed the allegations but still faces the group's threat to release purportedly stolen data, underscoring the persistent risk to organizations across sectors.

In conclusion, the situation surrounding Red Hat exemplifies the pressing cybersecurity concerns facing modern enterprises. With data breaches increasingly becoming entwined with complex extortion schemes, organizations must remain vigilant and proactive in their cybersecurity measures to safeguard against the evolving threat landscape.
