Hello,
Today we have seen Phabricator vandalism from an attacker who was also responsible for the Gerrit outage yesterday. I’d like to clarify a comment I made yesterday and provide as many additional details as I can while still maintaining operational security.
While no user accounts were compromised, the attacker leveraged a vulnerability in Gerrit to compromise a single staff account. This discovery is what led to taking Gerrit offline so an investigation could occur, the vulnerability could be remediated and the service restored. However, no further evidence of compromise was discovered and additional security controls prevented malicious activities from being executed using the compromised staff account. We will continue to monitor the situation and will provide updates on this list and on the Phabricator task https://phabricator.wikimedia.org/T218472.
Thanks
John
On Sat, Mar 16, 2019 at 2:25 PM John Bennett <jbennett@wikimedia.org> wrote:
Hello,
Gerrit is available again but we are continuing to investigate the suspicious activity. Our preliminary findings point to no users or production systems being compromised and no loss of any confidential information. As we continue to investigate over the next few days we will add any appropriate updates to the Phabricator task (https://phabricator.wikimedia.org/T218472).
Thanks
On Sat, Mar 16, 2019 at 10:26 AM John Bennett <jbennett@wikimedia.org> wrote:
Hello,
On 16 March 2019, Wikimedia Foundation staff observed suspicious activity associated with Gerrit and as a precautionary step has taken Gerrit offline pending investigation.
The Wikimedia Foundation's Security, Site Reliability Engineering and Release Engineering teams are investigating this incident as well as potential improvements to prevent future incidents. More information will be posted on Phabricator (https://phabricator.wikimedia.org/T218472) as it becomes available and is confirmed. If you have any questions, please contact the Security team (security@wikimedia.org, trustandsafety@wikimedia.org).
Thanks