Red Hat Consulting GitLab Compromise Impacts 5000+ Enterprise Clients


In October 2025, Red Hat disclosed a critical security incident involving unauthorized access to its internal GitLab instance used by the Red Hat Consulting team. The breach exposed sensitive data related to over 5000 enterprise customers, marking one of the most significant third-party consulting breaches in recent memory.

Severity: High

Incident Overview

  • Date of Compromise: September 13, 2025
  • Date of Public Disclosure: October 3, 2025
  • System Affected: Internal GitLab instance used for Red Hat Consulting engagements
  • Threat Actor: Crimson Collective (linked to LAPSUS$ / Scattered Spider)
  • Data Stolen: Consulting Engagement Reports (CERs), credentials, source code, certificates

How The Breach Happened

The attackers gained unauthorized access to Red Hat’s internal GitLab server used by consultants. While Red Hat has not disclosed the specific initial access vector, the nature of the breach and the actor’s profile strongly suggest one or more of the following:

  • Use of compromised credentials
  • Misconfigured access controls
  • Possible token or key reuse

Once inside, the attackers exfiltrated large datasets including reports, communications, source code, and certificate files.

Data Stolen During The Breach

Data Size:

  • The breach involved the unauthorized exfiltration of approximately 1TB of data from Red Hat’s internal GitLab instance used by its Consulting team.
  • 370,852 directories and 3,438,976 files
  • Over 28,000 repos exported

Stolen data:

  • Consulting Engagement Reports (CERs) for large enterprises: AIR, AMEX_GBT, Atos_Group (NHS Scotland), BOC, HSBC, Walmart, Vodafone
  • Private keys and certificates (.pfx files): including for ING Bank and Delta Airlines
  • Internal documentation, source code, project specifications
  • Credentials and configuration files from Red Hat’s consulting engagements

Red Hat’s Response

According to Red Hat’s disclosure, the company:

  • Detected the intrusion and isolated the GitLab instance
  • Removed unauthorized access
  • Launched an investigation and engaged law enforcement
  • Communicated directly with affected consulting customers
  • Confirmed no impact on Red Hat products or software supply chain
  • Implemented additional hardening and access controls

Lessons Learned

  • Consulting Environments Are High-Value Targets: Internal consulting platforms often house client-sensitive data and must be secured like production environments.
  • Git Repositories Are Not Safe Havens for Secrets: Certificates, keys, and credentials should never be stored in GitLab; they must be managed through secure vaults.
  • Exfiltration Monitoring Was Missing: The lack of exfiltration alerts allowed the threat actors to pull millions of files without immediate detection.
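The third lesson above is about detection: the page records over 28,000 repositories exported and millions of files pulled without an alert firing. The following script is an added example, not Red Hat tooling and not a description of what Red Hat had in place. It shows the kind of rate-based detection a SOC could run over repository audit events: a sliding-window count of distinct projects a single user exports or archives, alerting once the count crosses a threshold. The JSON log lines, field names (`time`, `user`, `action`, `project`) and action names are constructed for the demonstration and are not GitLab’s actual audit-event schema.

```python
"""Bulk repository-export detector over audit-style log lines.

Added example; the log format and action names below are constructed for
the demonstration and do not reproduce GitLab's real audit-event schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that pull whole repositories out of the platform (constructed names).
EXFIL_ACTIONS = {"repository_export", "repository_download_archive"}

# Constructed sample: one consultant doing normal work, a CI service account,
# and one account exporting several unrelated client projects in minutes.
SAMPLE_LOG = """
{"time":"2025-09-13T01:02:00Z","user":"consultant-a","action":"repository_export","project":"client-a/engagement-report"}
{"time":"2025-09-13T01:05:00Z","user":"contractor-x","action":"repository_export","project":"client-b/infra"}
{"time":"2025-09-13T01:06:00Z","user":"contractor-x","action":"repository_export","project":"client-c/infra"}
{"time":"2025-09-13T01:06:30Z","user":"contractor-x","action":"project_view","project":"client-c/infra"}
{"time":"2025-09-13T01:07:00Z","user":"contractor-x","action":"repository_export","project":"client-d/cer"}
{"time":"2025-09-13T01:08:00Z","user":"svc-ci","action":"repository_download_archive","project":"platform/pipelines"}
{"time":"2025-09-13T01:08:30Z","user":"contractor-x","action":"repository_export","project":"client-e/certs"}
{"time":"2025-09-13T01:09:00Z","user":"contractor-x","action":"repository_download_archive","project":"client-f/ansible"}
{"time":"2025-09-13T09:30:00Z","user":"consultant-a","action":"repository_export","project":"client-a/runbooks"}
"""


def parse_events(text):
    """Yield (timestamp, user, action, project) tuples from JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Accept the trailing 'Z' form on older Pythons by rewriting it.
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield ts, rec["user"], rec["action"], rec["project"]


def detect_bulk_export(events, threshold=5, window=timedelta(hours=1)):
    """Alert once per user when they export/archive >= threshold distinct
    projects inside a sliding time window. Returns a list of alert dicts."""
    per_user = defaultdict(deque)   # user -> deque of (timestamp, project)
    alerted = set()
    alerts = []
    for ts, user, action, project in sorted(events):
        if action not in EXFIL_ACTIONS:
            continue                # browsing/viewing is not bulk export
        history = per_user[user]
        history.append((ts, project))
        # Drop events that have fallen out of the window.
        while history and ts - history[0][0] > window:
            history.popleft()
        distinct = {p for _, p in history}
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "window_start": history[0][0].isoformat(),
                "projects": len(distinct),
            })
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect_bulk_export(parse_events(SAMPLE_LOG), threshold=5)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The threshold and window are deliberately low here so the small sample fires; in production they would be set from a baseline of how many repositories a consultant legitimately exports per hour, with separate baselines for service accounts. Distinct projects rather than raw event counts are counted so that a retried export of one repository does not trip the rule.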

Threat Actor Profile: Crimson Collective

Aliases: Linked to LAPSUS$, Scattered Spider

Modus Operandi:

  • Public Exposure & Extortion: Conducted through Telegram, dark web leak sites, and dedicated breach portals.
  • Branding Style: Known for typo-laden HTML, use of memes, inside jokes, and trolling in breach announcements.
  • Low Operational Discipline: Often prioritize notoriety over stealth or long-term persistence.
  • Targets: Focused on high-profile organizations in telcos, finance, consulting, and technology supply chains.

Notable Actions:

  • Referenced past LAPSUS$ victims like Claro and Vodafone in communication and leaks.
  • Created a custom extortion portal mimicking LAPSUS$’s past leak site style.
  • Possibly includes involvement from Thalha Jubair, a known UK-based cybercriminal tied to LAPSUS$.

Recommendations

  1. Eliminate storage of .pfx, .pem, credentials, or private certs in Git repositories.
  2. Use encryption for any sensitive customer data at rest and in transit, especially in repos.
  3. Deploy DLP controls on developer systems and code sharing platforms to detect sensitive strings exposure (e.g., keys, tokens).
  4. Define clear policy restricting customer PII, credentials, or certificates from being stored in code repos.
  5. Impacted organisations should contact Red Hat Consulting support, obtain details of the stolen files that concern them, and carry out remediation, e.g. revoking any credentials or certificates exposed in the breach.
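Recommendations 1, 3 and 4 above (and the "Git Repositories Are Not Safe Havens for Secrets" lesson) all come down to one control: stop certificate files and credential strings from entering a repository, and flag those already there. The script below is an added example written for this advisory, not Red Hat’s or GitLab’s tooling. It walks a working tree, flags files by key/certificate extension (`.pfx`, `.p12`, `.pem`, `.key`, `.jks`), and scans text content for PEM private-key headers, GitLab personal access tokens (the real `glpat-` prefix), AWS access key IDs (the real `AKIA` prefix) and quoted password assignments. The sample repository it builds in a temporary directory, including the token and password values, is constructed for the demonstration.

```python
"""Repository secret scan: flags certificate/key files and secret-bearing
content so they can be blocked pre-commit or found in existing history.

Added example; not Red Hat or GitLab tooling. All sample files and
values below are constructed for the demonstration.
"""
import os
import re
import tempfile

# Extensions that almost always carry private key or certificate material.
KEY_FILE_EXTENSIONS = {".pfx", ".p12", ".pem", ".key", ".jks"}

# Content patterns: PEM private-key headers and well-known token shapes.
CONTENT_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_password": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Constructed sample repository: one clean file, one config with a password,
# a binary PKCS#12 bundle, an SSH private key, and a CI file with a token.
SAMPLE_FILES = {
    "README.md": "# Engagement notes\nNothing sensitive here.\n",
    "deploy/config.yaml": 'db_host: db.example.internal\ndb_password: "s3cr3t-Example"\n',
    "certs/client.pfx": b"\x30\x82\x03\x00\x02\x01\x03\x30\x82\x02\x00",  # fake DER bytes
    "ops/id_deploy": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                      "b3BlbnNzaC1rZXktdjEAAAAAEXAMPLEONLY\n"
                      "-----END OPENSSH PRIVATE KEY-----\n"),
    "ci/.gitlab-ci.yml": "variables:\n  TOKEN: glpat-EXAMPLEexampleEXAMPLE0123\n",
}


def scan_file(path):
    """Return a list of (path, finding_type) for one file."""
    findings = []
    if os.path.splitext(path)[1].lower() in KEY_FILE_EXTENSIONS:
        findings.append((path, "key_or_cert_file"))
    try:
        # Binary files decode to junk under errors="ignore"; regexes then miss.
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return findings
    for name, pattern in CONTENT_PATTERNS.items():
        if pattern.search(text):
            findings.append((path, name))
    return findings


def scan_tree(root):
    """Scan every file under root, skipping the .git metadata directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def should_block_commit(findings):
    """Policy hook: any finding blocks the commit."""
    return len(findings) > 0


def build_sample_repo():
    """Write the constructed sample files into a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the sample repo; return sorted (relative_path, finding_type)."""
    root = build_sample_repo()
    return sorted((os.path.relpath(p, root).replace(os.sep, "/"), kind)
                  for p, kind in scan_tree(root))


if __name__ == "__main__":
    results = demo()
    for rel, kind in results:
        print(f"{kind:18} {rel}")
    print("BLOCK" if should_block_commit(results) else "OK")
```

Wired into a pre-commit hook, `scan_file` would be run only over the staged paths (`git diff --cached --name-only`) and a non-zero exit would stop the commit; run over a full checkout with `scan_tree`, the same logic gives an inventory of what already sits in a repository and therefore what must be revoked and rotated if that repository is ever exfiltrated.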
