Hello, welcome to the Monday, May 6th, 2019 edition of the Sands and the Storms, Stormcast.

My name is Johannes Ulrich, and I'm quoting from Jacksonville, Florida.

On Friday, a large number of reports surfaced stating that Git repositories were deleted and replaced with a ransom node.

And this did not just affect GitHub, which some news outlets reported, but it did affect

various Git platforms.

Also, BitBucket apparently was also affected by this particular ransom node. Now, first of all, if you are

affected by this particular ransom note, if you are seeing this note in your Git repository

that all your content is gun, it looks like very likely your content is actually still there

and available and you should be able to recover it.

The link to the register article that I'll post with the show notes has some hints on how to get your data back.

Of course, if you do have a local checked out copy of the content, then definitely you should be in pretty good shape.

The real question at this point is, how did it happen? And the most likely explanation I've

seen so far is that some of these repositories had websites that expose the dot-git directory. Make absolutely sure that dot-git is not

exposed on any of your websites. It has sometimes contained credentials for your Git repository

and definitely will include the URL of it so an attacker could use this in order to launch attacks against

your Git repository. So while this attack is scary right now, it's actually not the worst

thing that could have happened and probably a good sort of warning shot that you probably

should protect your Git repository better.

In February, I talked about how the crypto ransomware did attack various network accessible

storage devices made by D-Link.

Now, D-Link back in February did release some updates for the DNS 320 and 327 devices, but only last week released

an update for the DNS 325, which is also affected by this particular vulnerability.

...