Red Hat confirms exposure of customer data following cyberattack on GitLab instance

 

Emergency Notice – Red Hat confirms customer data exposure after cyberattack on GitLab instance

On October 2nd of this year, Red Hat confirmed a security breach in a GitLab Community Edition instance used by the Red Hat Consulting team. According to reports from the news portal Bleeping Computer, the group Crimson Collective claimed to have breached the infrastructure in mid-September and exfiltrated approximately 570 GB of compressed data from over 28,000 private repositories.

The attack began in mid-September, when the attackers gained unauthorized access to the instance. On September 24th, the Crimson Collective created a Telegram channel to publicize their operations. On October 1st, the threat actors published evidence of the breach of the Red Hat environment, sharing lists of the repositories that were accessed inappropriately.

The exfiltrated material comprised 570 GB of compressed data, including Customer Engagement Reports (CERs) dating back five years. These files contain configurations, network architectures, authentication tokens, and other information that could be used to breach the networks of the company’s customers. There are also files containing VPN configurations, server inventories, and more.

According to the investigation, more than 800 customers may have been affected by the breach. Among the organizations whose confidential documents appear in the lists released by the criminal group are companies such as IBM, Walmart, Siemens, Adobe, Santander, Telefonica, and T-Mobile, as well as government agencies such as NIST and the NSA.

The Crimson Collective claims to have attempted to contact Red Hat through official channels to file extortion demands, but received a generic automated response directing them to the standard vulnerability reporting process.

Red Hat, for its part, emphasized that it is treating the incident with the highest priority, having initiated an investigation, removed the unauthorized access, isolated the environments, and contacted authorities. The organization reported that it has already implemented hardening measures designed to prevent further access.

In an official statement, Red Hat reported that the incident may have affected only Consulting customers, who will be notified directly by the company if impacted. The company stated that, at this time, it has no reason “to believe that this security issue affects any of its other services or products, including the software supply chain or the download of Red Hat software from official channels.”

GitLab clarified that its managed infrastructure was not affected, emphasizing that the incident involved a self-managed Community Edition instance, the security of which is the responsibility of the customer itself – in this case, Red Hat.

Given this scenario, SEK recommends some actions for organizations that have a relationship with Red Hat Consulting:

  • Contact Red Hat by opening a support ticket to determine if their information was exposed.
  • Rotate all access tokens, API keys, database credentials, and secrets shared with Red Hat.
  • Apply recent patches to GitLab CE instances.
  • Review access logs for anomalous activity.
  • Strengthen access management policies and implement strict segmentation of critical systems to limit lateral movement.
  • Implement platform monitoring to detect data exfiltration and unauthorized access.
  • Train employees to recognize phishing attempts, as data breaches can increase such attacks.
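
For the log review and exfiltration monitoring recommended above, the following sketch flags any account that reads an unusually large number of distinct repositories in a short window on a self-managed GitLab instance. It is an added example, not code from SEK, Red Hat or GitLab; the JSON field names (`time`, `path`, `status`, `username`, `remote_ip`), the sample lines, the account names and the threshold are assumptions to adapt to the instance's own request logs.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Requests that read a whole repository: Git-over-HTTP clone/fetch and the archive API.
REPO_READ = [
    re.compile(r"^/(?P<project>.+?)\.git/git-upload-pack$"),
    re.compile(r"^/api/v4/projects/(?P<project>[^/]+)/repository/archive"),
]

def _line(ts, user, ip, path, status=200):
    return json.dumps({"time": ts, "path": path, "status": status,
                       "username": user, "remote_ip": ip})

# Constructed sample log; the field names are an assumption about the log schema.
SAMPLE_LOG = (
    [_line(f"2025-01-01T03:00:{i:02d}.000Z", "svc-backup", "203.0.113.7",
           f"/group/project-{i}.git/git-upload-pack") for i in range(12)]
    + [_line("2025-01-01T09:00:00.000Z", "alice", "198.51.100.4", "/group/project-1.git/git-upload-pack"),
       _line("2025-01-01T10:00:00.000Z", "alice", "198.51.100.4", "/api/v4/projects/42/repository/archive.zip"),
       _line("2025-01-01T10:00:05.000Z", "alice", "198.51.100.4", "/group/secret.git/git-upload-pack", 403),
       "not json"]
)

def find_bulk_readers(lines, window=timedelta(minutes=10), threshold=10):
    """Return {(username, remote_ip): peak distinct projects read within `window`} above `threshold`."""
    reads = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or non-JSON lines
        match = None
        for pattern in REPO_READ:
            match = match or pattern.match(ev.get("path") or "")
        if match and ev.get("status") == 200:  # count successful reads only
            reads[(ev.get("username"), ev.get("remote_ip"))].append((ts, match["project"]))
    flagged = {}
    for actor, events in reads.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({proj for _, proj in events[start:end + 1]})
            if distinct > threshold:
                flagged[actor] = max(flagged.get(actor, 0), distinct)
    return flagged
```

Grouping by both username and source IP keeps a legitimate mirror job on a known host distinguishable from the same credential used elsewhere; tune `window` and `threshold` against normal CI and backup traffic before alerting on the result.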

SEK remains available to support its clients in implementing the recommended measures. We undertake to update this statement if new information becomes available.

 
