Hello,
Today we have seen Phabricator vandalism from an attacker who was also
responsible for the Gerrit outage yesterday. I’d like to clarify a comment
I made yesterday and provide as many additional details as I can while
still maintaining operational security.
While no user accounts were compromised, the attacker leveraged a
vulnerability in Gerrit to compromise a single staff account. This discovery
is what led to taking Gerrit offline so an investigation could occur, the
vulnerability could be remediated and the service restored. However, no
further evidence of compromise was discovered and additional security
controls prevented malicious activities from being executed using the
compromised staff account. We will continue to monitor the situation and
will provide updates on this list and on the Phabricator task
https://phabricator.wikimedia.org/T218472.
Thanks
John
On Sat, Mar 16, 2019 at 2:25 PM John Bennett <jbennett(a)wikimedia.org> wrote:
Hello,
Gerrit is available again but we are continuing to investigate the
suspicious activity. Our preliminary findings point to no users or
production systems being compromised and no loss of any confidential
information. As we continue to investigate over the next few days we will
add any appropriate updates to the Phabricator task
(https://phabricator.wikimedia.org/T218472).
Thanks
On Sat, Mar 16, 2019 at 10:26 AM John Bennett <jbennett(a)wikimedia.org> wrote:
Hello,
On 16 March 2019, Wikimedia Foundation staff observed suspicious activity
associated with Gerrit and as a precautionary step has taken Gerrit offline
pending investigation.
The Wikimedia Foundation's Security, Site Reliability Engineering and
Release Engineering teams are investigating this incident as well as
potential improvements to prevent future incidents. More information will
be posted on Phabricator (https://phabricator.wikimedia.org/T218472) as
it becomes available and is confirmed. If you have any questions, please
contact the Security team (security(a)wikimedia.org).
Thanks