Git configuration files targeted by attackers – Incidents are on the rise
The crawling of Git configuration files represents a potential security risk. GreyNoise is registering more and more such incidents.
- Manuel Masiero
The IT security company GreyNoise observed a significant increase in crawling activity for Git configuration files in April of this year. On April 20 and 21, the company registered around 4800 unique IP addresses every day from which scans originated. This incident is the largest of four observed since September 2024. In each case, the crawling activities originated from at least 3000 unique IP addresses.
To detect the suspicious activity, GreyNoise uses its Git Config Crawler tool, which identifies IP addresses crawling the internet for sensitive Git configuration files. Although the IP addresses involved in April are distributed globally, most of them came from Singapore: 8265 unique IPs at the same time.
The second and third most affected countries were the USA (5143 IPs) and Germany (4138 IPs). They were followed by the UK in 4th place with 3417 IP addresses and India in 5th place with 3373 IP addresses. All of the affected IPs belong to cloud infrastructure providers such as Amazon, Cloudflare and DigitalOcean.
Crawling hotspot Singapore
Singapore remained in first place for both the number of source and destination IP addresses, even over a longer analysis period of ninety days. According to the IT security company, none of the registered IPs were spoofed, which indicates that the scan traffic actually originated from these addresses. In addition, 95 percent of the IP addresses could be assigned to malicious actors.
Stealing Git configuration files can result in the leakage of sensitive information. This includes repository URLs, branch structures, naming conventions or metadata that allow conclusions to be drawn about the internal development process. If the .git directory is compromised, malicious actors may be able to view the entire private code, access information stored in the commit history and find vulnerabilities in the code.
In 2024, over 15,000 accounts were compromised in such an attack and more than 10,000 private repositories were cloned. However, users do not have to stand idly by, as tools such as "github-secrets" can be used to track down and secure sensitive information in their own code.
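Operators can also check their own web server logs for this kind of crawling and, more importantly, for probes the server actually answered. The following Python sketch is an added example, not code from GreyNoise or from the article; the log lines are constructed (Combined Log Format, documentation IP ranges) and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample access log; none of these lines come from real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.5.0"
198.51.100.23 - - [20/Apr/2025:10:01:05 +0000] "GET /.git/config HTTP/1.1" 200 287 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Apr/2025:10:01:06 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Apr/2025:03:12:40 +0000] "GET /app/%2Egit/config HTTP/1.1" 403 0 "-" "-"
192.0.2.80 - - [21/Apr/2025:03:15:00 +0000] "GET /docs/git/config.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, method, request target and status code of a Combined Log Format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_git_probe(target):
    """True if the request path contains a .git path segment."""
    # Drop the query string, undo percent-encoding (%2Egit) and ignore case
    path = unquote(target.split("?", 1)[0]).lower()
    return ".git" in path.split("/")

def analyze(log_text):
    """Group .git probes by source IP and record which ones were served."""
    probes = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        if not is_git_probe(target):
            continue
        entry = probes.setdefault(ip, {"requests": 0, "served": []})
        entry["requests"] += 1
        if status.startswith("2"):  # a 2xx answer means the file was handed out
            entry["served"].append(target)
    return probes

def exposed_paths(probes):
    """Paths under .git that the server delivered to at least one client."""
    return sorted({p for e in probes.values() for p in e["served"]})

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, entry in result.items():
        print(ip, entry["requests"], "probe(s), served:", entry["served"] or "none")
    print("Exposed paths:", exposed_paths(result))
```

Any path reported as exposed means the .git directory is reachable from the web and should be blocked at the web server or removed from the document root.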
(dmk)