Breach via Compromised Token
Grafana Labs has confirmed that hackers gained access to its GitHub environment and downloaded its source code after stealing an access token. The breach was claimed by a relatively new extortion group known as CoinbaseCartel, which has listed Grafana on its data leak site. However, no stolen data has been published yet. The company behind the popular open source Grafana platform for analytics and monitoring stated that the investigation found no evidence that customer data, personal information, or customer systems were exposed or affected during the incident.
Refusal to Pay Ransom
According to a weekend announcement, Grafana Labs said it invalidated the compromised credentials and implemented additional security measures to prevent future unauthorized access. The attacker attempted to extort payment in exchange for not releasing the stolen source code. The company decided to follow public guidance from the FBI and refused to pay the ransom, arguing that doing so would only incentivize further attacks. Grafana noted that thousands of organizations use its product, including a large portion of Fortune 50 companies.
CoinbaseCartel Activity and Background
CoinbaseCartel emerged last September and has become increasingly active this year, claiming over 100 victims on its extortion portal. The gang focuses on data theft and uses its leak site to pressure victims. Researchers suggest the group includes affiliates of ShinyHunters and Lapsus$, gaining access through social engineering, phishing, and stolen credentials. Threat intelligence reports indicate the gang may deploy an in-memory tool targeting VMware ESXi systems. However, ShinyHunters has denied any connection to CoinbaseCartel.
Source: BleepingComputer
