
Zero-Day Vulnerability in Gogs Git Service Exploited by Attackers
Researchers from Wiz discovered a zero-day vulnerability in Gogs, a self-hosted Git service, after investigating malware found on a customer’s cloud server on July 15, 2023. The exploit combined an unpatched symbolic link editing flaw in Gogs’ internal API with an arbitrary file write vulnerability, allowing attackers to overwrite the .git/config file and execute arbitrary commands via SSH. The attack was traced back to July 10, with over 700 exposed Gogs servers compromised worldwide, identified through a distinctive pattern of random eight-character repository names and usernames. The malware, packed with UPX and obfuscated using Go Garble, connected to a Super Shell C2 framework, suggesting financially motivated cybercriminals choosing their targets opportunistically. The vulnerability affected all Gogs versions prior to 13.3 (the latest at the time), and exploitation required open registration and internet exposure. Researchers reported the zero-day to the Gogs maintainers in October 2023, but no patch was released, and a second wave of attacks was observed in November 2023. Key takeaways included the importance of digging beyond the initial malware findings to uncover root causes and the value of documenting unique behavioral indicators of compromise.
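The naming indicator described above can be turned into a triage check over a list of owner/repository paths. This is an added example, not code from Wiz or the Gogs project; the alphanumeric character set, the randomness heuristic and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumption: the page only says "eight-character random" names; the character
# set and the randomness heuristic below are illustrative choices.
EIGHT_ALNUM = re.compile(r"[A-Za-z0-9]{8}")
VOWELS = set("aeiouAEIOU")


def looks_random(name: str) -> bool:
    """True for an 8-char alphanumeric name that does not read like a word."""
    if not EIGHT_ALNUM.fullmatch(name):
        return False
    if any(c.isdigit() for c in name):
        return True
    # Letters only: ordinary words rarely have 4+ consonants in a row.
    longest = run = 0
    for c in name:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def flag_repos(paths):
    """Return owner/repo entries where BOTH parts look like random 8-char names."""
    hits = []
    for path in paths:
        owner, sep, repo = path.strip().partition("/")
        if repo.endswith(".git"):  # on-disk repository directories end in .git
            repo = repo[:-4]
        if sep and looks_random(owner) and looks_random(repo):
            hits.append(f"{owner}/{repo}")
    return hits


# Constructed sample listing (not real indicators).
SAMPLE = [
    "frontend/projects",
    "alice/infra-tools",
    "xkqzwmbt/pvhjrtlq",
    "a8f3kq2z/m4tz9wqe.git",
    "devteam1/backup",
    "qwrtplkz/docs",
]

if __name__ == "__main__":
    for hit in flag_repos(SAMPLE):
        print("review:", hit)
```

Requiring both the owner and the repository name to match keeps ordinary eight-letter names such as "frontend" out of the results; hits are candidates for manual review, not confirmed compromises.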