One name that has been gaining traction since late January is Fog, a ransomware operation that has been particularly vocal about targeting GitLab instances. Fog has claimed responsibility for attacks against approximately fifty organizations. However, a closer examination reveals a complex picture, with some claims appearing dubious. This post will dissect Fog’s recent activities, analyze the potential vulnerabilities exploited, and assess the validity of their claims.
Fog’s modus operandi: targeting GitLab
Fog’s focus on GitLab is noteworthy. GitLab, a widely used web-based DevOps platform providing source code management (SCM) functionality with Git, continuous integration, continuous delivery (CI/CD), and more, represents a tempting target for ransomware groups. A successful compromise can lead to significant disruption, data theft, and potential supply chain implications, especially if self-managed instances are compromised and source code is exfiltrated.
In the Ransomfeed dashboard these claims were marked with “[Gitlab data]” notes.

The French Association of Free Software Developers and Users for Administrations and Local Authorities (Adullact) has publicly refuted Fog’s claims of a cyberattack. In a statement, Adullact asserted that a thorough investigation, conducted with the assistance of experts, found no evidence of a successful breach. Adullact also pointed out that, even if source code were obtained, the open-source nature of their software means it is publicly available anyway.
This raises questions about the veracity of Fog’s claims. Are they exaggerating their success, or are they simply targeting vulnerable instances indiscriminately?
To investigate Fog’s claims, researchers at lemagit.fr collaborated with attack surface management (ASM) specialists Onyphe.io to analyze approximately thirty of Fog’s alleged victims. Their analysis focused on identifying potentially exploited vulnerabilities, with a particular emphasis on CVE-2023-7028.
CVE-2023-7028 is a critical security vulnerability in GitLab that allows account takeover. This vulnerability received a CVSS score of 10.0 and affected GitLab versions 16.1 to 16.6.2, 16.7 to 16.7.1, and 16.8. Attackers could exploit this flaw to reset passwords without user interaction, potentially gaining control of accounts and repositories.
The analysis by Onyphe.io, however, did not find any affected instances among Fog’s claimed victims. This casts further doubt on the group’s claims.
The Onyphe.io investigation revealed another interesting detail: several of the claimed victims’ GitLab instances appeared to be offline for extended periods. Some instances hadn’t been seen by Onyphe’s probes since July 2024, others since October, November, or December. This suggests that Fog may be targeting outdated or abandoned instances, further undermining the credibility of their claims.
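The two checks the Onyphe.io analysis describes (version inside the affected range, and how long an instance has gone unseen by probes) reproduced as an added Python example; this is not code from the original post or from Onyphe.io. The inventory hosts, versions and dates are constructed, and the affected ranges are the ones stated above read as inclusive bounds, with “16.8” taken as 16.8.0.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Affected ranges for CVE-2023-7028 as stated in the post, read as inclusive
# bounds ("16.8" taken as 16.8.0). Confirm against GitLab's own advisory.
AFFECTED_RANGES = [
    ((16, 1, 0), (16, 6, 2)),
    ((16, 7, 0), (16, 7, 1)),
    ((16, 8, 0), (16, 8, 0)),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """'16.6.1-ee' -> (16, 6, 1); edition suffix dropped, missing parts are 0."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")] + [0, 0]
    return (parts[0], parts[1], parts[2])

def is_affected(version: str) -> bool:
    """True when the version falls inside one of the stated affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

@dataclass
class Instance:
    host: str
    version: Optional[str]   # None when the instance exposed no version banner
    last_seen: date          # last date a probe observed the instance

def triage(instances: List[Instance], today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Flag each host for an affected version and for long probe silence."""
    findings: Dict[str, List[str]] = {}
    for inst in instances:
        notes = []
        if inst.version is not None and is_affected(inst.version):
            notes.append("version in CVE-2023-7028 range")
        silent = (today - inst.last_seen).days
        if silent > stale_days:
            notes.append(f"not observed for {silent} days")
        findings[inst.host] = notes
    return findings

# Constructed inventory: hosts, versions and dates are invented for the example.
SAMPLE_INVENTORY = [
    Instance("gitlab.example-a.invalid", "16.5.3-ee", date(2025, 2, 10)),
    Instance("gitlab.example-b.invalid", "16.9.0", date(2024, 7, 3)),
    Instance("gitlab.example-c.invalid", None, date(2024, 10, 20)),
]

def run_sample(today: date = date(2025, 2, 12)) -> Dict[str, List[str]]:
    return triage(SAMPLE_INVENTORY, today)
```

An instance with an empty findings list is neither in the stated range nor stale; a version-less host can still be flagged for silence, which is the pattern the analysis above reports.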
Arctic Wolf published a report in early June 2024 detailing that Fog’s ransomware is capable of being deployed on both Windows and Linux/ESXi systems. This indicates a broad targeting strategy that is not limited to GitLab but extends to other machines in the network.
The ambiguity surrounding Fog’s claims highlights several important points:
- Ransomware groups may exaggerate their success: It’s not uncommon for ransomware groups to inflate their victim count or the impact of their attacks to create fear and pressure victims into paying the ransom.
- Attack surface management is crucial: The ability to identify and monitor exposed assets, like GitLab instances, is essential for preventing attacks. Regular vulnerability scanning and patching are critical.
- Not all vulnerabilities are created equal: While CVE-2023-7028 is a serious vulnerability, its impact depends on whether instances are actually vulnerable and whether attackers can successfully exploit it.
- Assume breach: The fact that some claims may be fabricated does not mean others are. Organisations must still plan on the assumption that a breach has occurred.
Fog’s claims of widespread GitLab compromises should be viewed with skepticism. While the group is undoubtedly active and possesses the capability to deploy ransomware on both Windows and Linux/ESXi systems, the evidence suggests that their GitLab-specific claims may be overstated.
However, this doesn’t diminish the importance of proactive security measures. Organizations using GitLab should prioritize vulnerability management, regularly patch their instances, implement strong access controls, and monitor for suspicious activity. Ignoring the threat, even if exaggerated, could lead to a real and costly compromise. Continuous monitoring and proactive security measures are crucial to defend against ransomware threats, regardless of the credibility of specific groups’ claims.