Canonical Investigating Hack of Its GitHub Page
Company Says Ubuntu Linux Source Code Remains Safe

Canonical Ltd., a British company that offers commercial support and services for the popular Ubuntu Linux open source operating system, is investigating the hacking of its GitHub page over the weekend. The incident did not affect the source code for the system, according to a company statement posted on Reddit.
On Saturday, Canonical's security team spotted an anomaly on the company's GitHub page, with someone attempting to create new accounts and repositories. The user account that started the incident was removed, and the company is investigating the extent of the breach, according to a statement released Sunday.
While there are projects and code related to Canonical on the GitHub page, it's disconnected from the actual Ubuntu Linux source code. The initial investigation determined that no users’ personally identifiable information was compromised, according to the company's statement.
"The Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected," according to the statement posted on Reddit. "We plan to post a public update after our investigation, audit and remediations are finished."
Mysterious Origins
It remains unclear who compromised the GitHub site and what they were attempting to accomplish.
Troy Mursch, an independent security researcher with Bad Packets Report, posted a screengrab of the GitHub site before the Canonical security team removed the user account that started the incident.
Archived page here: https://t.co/13oRkonhPq
— Bad Packets Report (@bad_packets) July 7, 2019
Blogger Brian Krebs was also one of the first to take notice of the Canonical breach shortly after it was discovered by other researchers on Saturday.
This doesn't look good. https://t.co/sR0aVbM6tv
— briankrebs (@briankrebs) July 6, 2019
The screengrabs captured by Mursch show 11 suspect accounts opened around the same time on the Canonical GitHub page and using the same handle - "CAN_GOT_HAXXD" - followed by a number. In another Twitter message, Mursch noted that on Thursday, he had come across internet scans looking for exposed GitHub configuration files.
In a follow-up post, Mursch added that it's not clear whether the hack of the Canonical GitHub site and the increased scanning activity are related.
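The scanning Mursch describes is the kind of activity a site operator can look for in ordinary web server access logs. The following is an added example, not code from the article, from Canonical or from Bad Packets Report. It assumes the scans take the common form of requests for files under a web-exposed `.git/` directory (such as `/.git/config`, which holds remote URLs and sometimes embedded credentials); the article itself only says "exposed GitHub configuration files". The log lines are constructed, and the indicator paths are an assumption.

```python
import re

# Combined log format (nginx/Apache). Constructed regex; adjust for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed indicator: any request under /.git/ is a probe for an exposed
# Git checkout. The article does not list the exact paths the scanners used.
GIT_PREFIX = "/.git/"

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jul/2019:10:15:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jul/2019:10:15:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Jul/2019:10:20:44 +0000] "GET /.git/config HTTP/1.1" 200 271 "-" "python-requests/2.22.0"',
    '192.0.2.1 - - [04/Jul/2019:10:21:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_git_probes(lines):
    """Return {ip: {"probes": count, "exposed": [paths served with HTTP 200]}}.

    A probe that received a 200 means the server actually handed out a file
    from the .git directory, i.e. the repository is exposed, not merely scanned.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than aborting the scan
        path = rec["path"].split("?", 1)[0].lower()  # drop query string
        if not path.startswith(GIT_PREFIX):
            continue
        entry = hits.setdefault(rec["ip"], {"probes": 0, "exposed": []})
        entry["probes"] += 1
        if rec["status"] == "200":
            entry["exposed"].append(path)
    return hits


def exposed_sources(hits):
    """IPs that retrieved at least one .git file successfully (highest priority)."""
    return sorted(ip for ip, e in hits.items() if e["exposed"])


if __name__ == "__main__":
    result = find_git_probes(SAMPLE_LOG)
    for ip, entry in sorted(result.items()):
        print(f"{ip}: {entry['probes']} probe(s), served: {entry['exposed'] or 'none'}")
    print("exposed to:", exposed_sources(result))
```

A 404 on every `/.git/` request means the scanner found nothing; a 200 on `/.git/config` means the checkout is reachable and the remote URLs (and any credentials stored in them) should be treated as disclosed. The fix on the server side is to deny access to the `.git` directory, or better, to deploy from a build artifact rather than a working checkout.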
Previous Attacks
In recent years, Canonical has sustained several data breaches that exposed the personal information and data of some of its users.
The most recent incident involving a Canonical website occurred in July 2016, when the company notified users that its forums database had been compromised. While the attackers weren't able to access plain-text password data, other details, such as email addresses, IP addresses and usernames, were exposed, Wired reported.
At about the same time as that incident, hackers launched an even bigger attack against Linux Mint, another popular open source operating system, according to several published reports.
In that case, the attackers went beyond targeting forums and associated sites and zeroed in on the source code. Some users downloaded a backdoor that would open the way for malware to be planted on a PC, according to news reports.