Red Hat's internal GitLab server was hacked

The hacker group Crimson Collective announced that it had gained access to one of Red Hat's internal GitLab servers and downloaded 570GB of compressed data containing information from 28 repositories. Among other things, the compromised data included approximately 800 Customer Engagement Reports (CERs), containing confidential information about the platforms and network infrastructures of Red Hat's consulting clients.

The screenshots and examples provided by the attackers mention obtaining data related to approximately 800 Red Hat customers, including Vodafone, T-Mobile, Siemens, Boeing, Bosch, 3M, Cisco, DHL, Adobe, American Express, Verizon, JPMC, HSBC, Ericsson, Merrick Bank, Telefonica, Bank of America, Delta Air Lines, Walmart, Kaiser, IBM, SWIFT, IKEA, and AT&T, as well as the Naval Surface Warfare Center, the Federal Aviation Administration, the Federal Emergency Management Agency, the Air Force, the National Security Agency, the US Patent and Trademark Office, the US Senate, and the US House of Representatives.

The captured repositories are said to contain information about customer infrastructure, configuration, authentication tokens, VPN profiles, inventory data, Ansible playbooks, OpenShift platform settings, CI/CD runners, backups, and other data that could be used to attack customers' internal networks. The attackers attempted to contact Red Hat for extortion, but received only a boilerplate response asking them to submit a vulnerability report to the security team.

Red Hat confirmed the security incident but did not provide details or comment on the contents of the leak. It only stated that the hacked GitLab server was used by its consulting division and that the company had taken the necessary steps to investigate and recover. Red Hat representatives claim they have no reason to believe the hack affected any company services or products other than this one GitLab server.

Update: Red Hat has published an initial report on the incident. The report does not provide details, but states that the company has launched an investigation, which revealed that an unknown individual accessed the GitLab server used for Red Hat Consulting team projects and downloaded some data from it.

The data downloaded by the attacker is said to have contained project specifications, code samples, and internal information about consulting services. At the current stage of the incident's analysis, no leakage of sensitive personal data has been identified.

It is not specified how the attacker gained access to the GitLab server, but it is indicated that the attack did not exploit the vulnerability (CVE-2025-10725) discovered yesterday in OpenShift AI Service. That vulnerability allows an authenticated unprivileged user, such as a researcher running a Jupyter notebook, to gain cluster administrator privileges, giving them full access to all services, data, and applications running in the cluster, as well as root access to cluster nodes.

Source: opennet.ru
